snakekeylogger | f99b9801f01ee7b4b5ca8512e4e7ddaed8cadddde95c3f0ecbd217fc5620fbca

Analysis

max time kernel
60s
max time network
128s
platform
windows10-1703_x64
resource
win10-20220812-en
resource tags

arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
submitted
25-11-2022 08:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f99b9801f01ee7b4b5ca8512e4e7ddaed8cadddde95c3f0ecbd217fc5620fbca.exe
Size

416KB
MD5

b8259ed6a4fd55a02c9740361cc2db3d
SHA1

d9ecc123a139e9900d88a0eda4ad5c78f2a3214c
SHA256

f99b9801f01ee7b4b5ca8512e4e7ddaed8cadddde95c3f0ecbd217fc5620fbca
SHA512

280439e8a794e437dbebbf8a408498b7028914abb18b4ba24071c22e5ee29bd77adc1b210b0de6968c9db0f32fa47cffad4e2689c754587b028442d40a67d305
SSDEEP

1536:76BrBvzYJ7/4RzeeptZrd8FjGhDji2KGtc8w0N1rlmVcl:76oJYzHZx8FCDXncszJ8Y

Score

10^/10

snakekeylogger collection keylogger stealer

Malware Config

Signatures

Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
stealer keylogger snakekeylogger

Snake Keylogger payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/4240-291-0x000000000042019E-mapping.dmp	family_snakekeylogger
behavioral1/memory/4240-325-0x0000000000400000-0x0000000000426000-memory.dmp	family_snakekeylogger

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

MSBuild.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe
Key opened	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe
Key opened	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

7 checkip.dyndns.org

flow	ioc
7	checkip.dyndns.org

Suspicious use of SetThreadContext 1 IoCs

Processes:

f99b9801f01ee7b4b5ca8512e4e7ddaed8cadddde95c3f0ecbd217fc5620fbca.exe

description	pid	process	target process
PID 2476 set thread context of 4240	2476	f99b9801f01ee7b4b5ca8512e4e7ddaed8cadddde95c3f0ecbd217fc5620fbca.exe	MSBuild.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

powershell.exeMSBuild.exe

pid process

340 powershell.exe
340 powershell.exe
340 powershell.exe
4240 MSBuild.exe

pid	process
340	powershell.exe
340	powershell.exe
340	powershell.exe
4240	MSBuild.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

f99b9801f01ee7b4b5ca8512e4e7ddaed8cadddde95c3f0ecbd217fc5620fbca.exepowershell.exeMSBuild.exe

description	pid	process
Token: SeDebugPrivilege	2476	f99b9801f01ee7b4b5ca8512e4e7ddaed8cadddde95c3f0ecbd217fc5620fbca.exe
Token: SeDebugPrivilege	340	powershell.exe
Token: SeDebugPrivilege	4240	MSBuild.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

f99b9801f01ee7b4b5ca8512e4e7ddaed8cadddde95c3f0ecbd217fc5620fbca.exe

description	pid	process	target process
PID 2476 wrote to memory of 340	2476	f99b9801f01ee7b4b5ca8512e4e7ddaed8cadddde95c3f0ecbd217fc5620fbca.exe	powershell.exe
PID 2476 wrote to memory of 340	2476	f99b9801f01ee7b4b5ca8512e4e7ddaed8cadddde95c3f0ecbd217fc5620fbca.exe	powershell.exe
PID 2476 wrote to memory of 340	2476	f99b9801f01ee7b4b5ca8512e4e7ddaed8cadddde95c3f0ecbd217fc5620fbca.exe	powershell.exe
PID 2476 wrote to memory of 4240	2476	f99b9801f01ee7b4b5ca8512e4e7ddaed8cadddde95c3f0ecbd217fc5620fbca.exe	MSBuild.exe
PID 2476 wrote to memory of 4240	2476	f99b9801f01ee7b4b5ca8512e4e7ddaed8cadddde95c3f0ecbd217fc5620fbca.exe	MSBuild.exe
PID 2476 wrote to memory of 4240	2476	f99b9801f01ee7b4b5ca8512e4e7ddaed8cadddde95c3f0ecbd217fc5620fbca.exe	MSBuild.exe
PID 2476 wrote to memory of 4240	2476	f99b9801f01ee7b4b5ca8512e4e7ddaed8cadddde95c3f0ecbd217fc5620fbca.exe	MSBuild.exe
PID 2476 wrote to memory of 4240	2476	f99b9801f01ee7b4b5ca8512e4e7ddaed8cadddde95c3f0ecbd217fc5620fbca.exe	MSBuild.exe
PID 2476 wrote to memory of 4240	2476	f99b9801f01ee7b4b5ca8512e4e7ddaed8cadddde95c3f0ecbd217fc5620fbca.exe	MSBuild.exe
PID 2476 wrote to memory of 4240	2476	f99b9801f01ee7b4b5ca8512e4e7ddaed8cadddde95c3f0ecbd217fc5620fbca.exe	MSBuild.exe
PID 2476 wrote to memory of 4240	2476	f99b9801f01ee7b4b5ca8512e4e7ddaed8cadddde95c3f0ecbd217fc5620fbca.exe	MSBuild.exe

outlook_office_path 1 IoCs

Processes:

MSBuild.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe

outlook_win_path 1 IoCs

Processes:

MSBuild.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe

C:\Users\Admin\AppData\Local\Temp\f99b9801f01ee7b4b5ca8512e4e7ddaed8cadddde95c3f0ecbd217fc5620fbca.exe
"C:\Users\Admin\AppData\Local\Temp\f99b9801f01ee7b4b5ca8512e4e7ddaed8cadddde95c3f0ecbd217fc5620fbca.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2476

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMQA1AA==
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:340

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
2⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:4240

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/340-203-0x0000000000000000-mapping.dmp

Download
memory/340-239-0x00000000066B0000-0x00000000066E6000-memory.dmp

Filesize
216KB

Download
memory/340-244-0x0000000006D20000-0x0000000007348000-memory.dmp

Filesize
6.2MB

Download
memory/340-263-0x0000000007460000-0x00000000074C6000-memory.dmp

Filesize
408KB

Download
memory/340-264-0x00000000075B0000-0x0000000007616000-memory.dmp

Filesize
408KB

Download
memory/340-284-0x0000000008C30000-0x0000000008C4A000-memory.dmp

Filesize
104KB

Download
memory/340-283-0x0000000009500000-0x0000000009B78000-memory.dmp

Filesize
6.5MB

Download
memory/340-272-0x0000000007E60000-0x0000000007ED6000-memory.dmp

Filesize
472KB

Download
memory/340-268-0x0000000008070000-0x00000000080BB000-memory.dmp

Filesize
300KB

Download
memory/340-267-0x00000000077E0000-0x00000000077FC000-memory.dmp

Filesize
112KB

Download
memory/2476-152-0x00000000777D0000-0x000000007795E000-memory.dmp

Filesize
1.6MB

Download
memory/2476-157-0x00000000777D0000-0x000000007795E000-memory.dmp

Filesize
1.6MB

Download
memory/2476-122-0x00000000777D0000-0x000000007795E000-memory.dmp

Filesize
1.6MB

Download
memory/2476-123-0x00000000777D0000-0x000000007795E000-memory.dmp

Filesize
1.6MB

Download
memory/2476-124-0x00000000777D0000-0x000000007795E000-memory.dmp

Filesize
1.6MB

Download
memory/2476-125-0x00000000777D0000-0x000000007795E000-memory.dmp

Filesize
1.6MB

Download
memory/2476-126-0x00000000777D0000-0x000000007795E000-memory.dmp

Filesize
1.6MB

Download
memory/2476-127-0x00000000777D0000-0x000000007795E000-memory.dmp

Filesize
1.6MB

Download
memory/2476-128-0x00000000777D0000-0x000000007795E000-memory.dmp

Filesize
1.6MB

Download
memory/2476-129-0x00000000777D0000-0x000000007795E000-memory.dmp

Filesize
1.6MB

Download
memory/2476-130-0x00000000777D0000-0x000000007795E000-memory.dmp

Filesize
1.6MB

Download
memory/2476-131-0x00000000777D0000-0x000000007795E000-memory.dmp

Filesize
1.6MB

Download
memory/2476-133-0x00000000777D0000-0x000000007795E000-memory.dmp

Filesize
1.6MB

Download
memory/2476-132-0x00000000777D0000-0x000000007795E000-memory.dmp

Filesize
1.6MB

Download
memory/2476-134-0x00000000777D0000-0x000000007795E000-memory.dmp

Filesize
1.6MB

Download
memory/2476-135-0x00000000777D0000-0x000000007795E000-memory.dmp

Filesize
1.6MB

Download
memory/2476-137-0x00000000777D0000-0x000000007795E000-memory.dmp

Filesize
1.6MB

Download
memory/2476-136-0x00000000777D0000-0x000000007795E000-memory.dmp

Filesize
1.6MB

Download
memory/2476-138-0x00000000777D0000-0x000000007795E000-memory.dmp

Filesize
1.6MB

Download
memory/2476-139-0x00000000777D0000-0x000000007795E000-memory.dmp

Filesize
1.6MB

Download
memory/2476-140-0x00000000777D0000-0x000000007795E000-memory.dmp

Filesize
1.6MB

Download
memory/2476-141-0x00000000777D0000-0x000000007795E000-memory.dmp

Filesize
1.6MB

Download
memory/2476-142-0x00000000777D0000-0x000000007795E000-memory.dmp

Filesize
1.6MB

Download
memory/2476-143-0x00000000777D0000-0x000000007795E000-memory.dmp

Filesize
1.6MB

Download
memory/2476-144-0x00000000777D0000-0x000000007795E000-memory.dmp

Filesize
1.6MB

Download
memory/2476-145-0x00000000777D0000-0x000000007795E000-memory.dmp

Filesize
1.6MB

Download
memory/2476-146-0x00000000777D0000-0x000000007795E000-memory.dmp

Filesize
1.6MB

Download
memory/2476-147-0x0000000000370000-0x00000000003DE000-memory.dmp

Filesize
440KB

Download
memory/2476-149-0x00000000777D0000-0x000000007795E000-memory.dmp

Filesize
1.6MB

Download
memory/2476-148-0x00000000777D0000-0x000000007795E000-memory.dmp

Filesize
1.6MB

Download
memory/2476-150-0x0000000005040000-0x000000000553E000-memory.dmp

Filesize
5.0MB

Download
memory/2476-151-0x00000000777D0000-0x000000007795E000-memory.dmp

Filesize
1.6MB

Download
memory/2476-120-0x00000000777D0000-0x000000007795E000-memory.dmp

Filesize
1.6MB

Download
memory/2476-153-0x00000000777D0000-0x000000007795E000-memory.dmp

Filesize
1.6MB

Download
memory/2476-154-0x00000000777D0000-0x000000007795E000-memory.dmp

Filesize
1.6MB

Download
memory/2476-155-0x00000000777D0000-0x000000007795E000-memory.dmp

Filesize
1.6MB

Download
memory/2476-156-0x00000000777D0000-0x000000007795E000-memory.dmp

Filesize
1.6MB

Download
memory/2476-121-0x00000000777D0000-0x000000007795E000-memory.dmp

Filesize
1.6MB

Download
memory/2476-158-0x00000000777D0000-0x000000007795E000-memory.dmp

Filesize
1.6MB

Download
memory/2476-159-0x00000000777D0000-0x000000007795E000-memory.dmp

Filesize
1.6MB

Download
memory/2476-160-0x00000000777D0000-0x000000007795E000-memory.dmp

Filesize
1.6MB

Download
memory/2476-161-0x00000000777D0000-0x000000007795E000-memory.dmp

Filesize
1.6MB

Download
memory/2476-162-0x00000000777D0000-0x000000007795E000-memory.dmp

Filesize
1.6MB

Download
memory/2476-163-0x00000000777D0000-0x000000007795E000-memory.dmp

Filesize
1.6MB

Download
memory/2476-164-0x00000000777D0000-0x000000007795E000-memory.dmp

Filesize
1.6MB

Download
memory/2476-165-0x00000000777D0000-0x000000007795E000-memory.dmp

Filesize
1.6MB

Download
memory/2476-166-0x00000000777D0000-0x000000007795E000-memory.dmp

Filesize
1.6MB

Download
memory/2476-167-0x00000000777D0000-0x000000007795E000-memory.dmp

Filesize
1.6MB

Download
memory/2476-168-0x00000000777D0000-0x000000007795E000-memory.dmp

Filesize
1.6MB

Download
memory/2476-169-0x00000000777D0000-0x000000007795E000-memory.dmp

Filesize
1.6MB

Download
memory/2476-170-0x00000000777D0000-0x000000007795E000-memory.dmp

Filesize
1.6MB

Download
memory/2476-171-0x00000000777D0000-0x000000007795E000-memory.dmp

Filesize
1.6MB

Download
memory/2476-172-0x00000000777D0000-0x000000007795E000-memory.dmp

Filesize
1.6MB

Download
memory/2476-173-0x00000000777D0000-0x000000007795E000-memory.dmp

Filesize
1.6MB

Download
memory/2476-174-0x00000000777D0000-0x000000007795E000-memory.dmp

Filesize
1.6MB

Download
memory/2476-175-0x00000000777D0000-0x000000007795E000-memory.dmp

Filesize
1.6MB

Download
memory/2476-176-0x00000000777D0000-0x000000007795E000-memory.dmp

Filesize
1.6MB

Download
memory/2476-177-0x00000000777D0000-0x000000007795E000-memory.dmp

Filesize
1.6MB

Download
memory/2476-178-0x00000000777D0000-0x000000007795E000-memory.dmp

Filesize
1.6MB

Download
memory/2476-179-0x00000000777D0000-0x000000007795E000-memory.dmp

Filesize
1.6MB

Download
memory/2476-119-0x00000000777D0000-0x000000007795E000-memory.dmp

Filesize
1.6MB

Download
memory/2476-118-0x00000000777D0000-0x000000007795E000-memory.dmp

Filesize
1.6MB

Download
memory/2476-117-0x00000000777D0000-0x000000007795E000-memory.dmp

Filesize
1.6MB

Download
memory/2476-116-0x00000000777D0000-0x000000007795E000-memory.dmp

Filesize
1.6MB

Download
memory/2476-115-0x00000000777D0000-0x000000007795E000-memory.dmp

Filesize
1.6MB

Download
memory/2476-180-0x00000000777D0000-0x000000007795E000-memory.dmp

Filesize
1.6MB

Download
memory/2476-187-0x0000000005A80000-0x0000000005C9A000-memory.dmp

Filesize
2.1MB

Download
memory/2476-188-0x0000000005DA0000-0x0000000005E32000-memory.dmp

Filesize
584KB

Download
memory/2476-189-0x0000000005D50000-0x0000000005D72000-memory.dmp

Filesize
136KB

Download
memory/2476-191-0x0000000005F50000-0x00000000062A0000-memory.dmp

Filesize
3.3MB

Download
memory/4240-291-0x000000000042019E-mapping.dmp

Download
memory/4240-325-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/4240-329-0x0000000005770000-0x000000000580C000-memory.dmp

Filesize
624KB

Download
memory/4240-361-0x0000000006710000-0x00000000068D2000-memory.dmp

Filesize
1.8MB

Download
memory/4240-364-0x0000000006580000-0x000000000658A000-memory.dmp

Filesize
40KB

Download