Analysis
- max time kernel: 70s
- max time network: 130s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64 arch:x86 image:win7-20220812-en locale:en-us os:windows7-x64 system
- submitted: 25-11-2022 09:49
Static task
- static1
Behavioral task
- behavioral1
  Sample: b2f09782cc6fdc575c78fb3b0ad252cc523a8df88fcbcf0e2829d4d750406128.exe
  Resource: win7-20220812-en
Behavioral task
- behavioral2
  Sample: b2f09782cc6fdc575c78fb3b0ad252cc523a8df88fcbcf0e2829d4d750406128.exe
  Resource: win10v2004-20220901-en
General
- Target: b2f09782cc6fdc575c78fb3b0ad252cc523a8df88fcbcf0e2829d4d750406128.exe
- Size: 1.4MB
- MD5: e4592aeb6b33a38de3a80d3cfe12f7a3
- SHA1: ee685ae882f6e0fbd9ebaa1b6488e546ec24da97
- SHA256: b2f09782cc6fdc575c78fb3b0ad252cc523a8df88fcbcf0e2829d4d750406128
- SHA512: 05486287224d9dbf09c241cdb402ca3d84fc90d6515012f1ed9d86ae136d4248689f50e03bf56402b55a4e87871dbd16261992b6340e0bee066fb20e81a9b23b
- SSDEEP: 12288:H30mhGT/f7DSvWN1JuigLYVlaf+dhKeVnVBAzzpDzAK13LhHWUJ+eBlsi7ZZHEEs:kZzHSvi7AYaf+dk+gziK13lV6iLgb
Malware Config
Extracted
- Family: snakekeylogger
- Exfiltration endpoint: https://api.telegram.org/bot1634002210:AAGipukUEr-bNBgl2R1_hwFgfb9ez_v6wzE/sendMessage?chat_id=1401219117
Signatures
-
Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
-
Executes dropped EXE (2 IoCs)
Processes:
pid   process
268   DHL_FORM_0019268874.exe
1380  DHL_FORM_0019268874.exe
Loads dropped DLL (6 IoCs)
Processes:
pid   process
1404  b2f09782cc6fdc575c78fb3b0ad252cc523a8df88fcbcf0e2829d4d750406128.exe
852   WerFault.exe
852   WerFault.exe
852   WerFault.exe
852   WerFault.exe
852   WerFault.exe
Reads data files stored by FTP clients (2 TTPs)
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients (2 TTPs)
Email clients store some user data on disk, where infostealers will often target it.
-
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles (1 TTPs, 3 IoCs)
Processes:
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | DHL_FORM_0019268874.exe
Key opened | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | DHL_FORM_0019268874.exe
Key opened | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | DHL_FORM_0019268874.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes:
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run | reg.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\DHL_FORM_0019268874 = "C:\\Users\\Admin\\AppData\\Roaming\\DHL_FORM_0019268874.exe" | reg.exe
Looks up external IP address via web service (3 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow | ioc
9 | checkip.dyndns.org
13 | freegeoip.app
14 | freegeoip.app
Suspicious use of SetThreadContext (1 IoCs)
Processes:
description | pid | process | target process
PID 268 set thread context of 1380 | 268 | DHL_FORM_0019268874.exe | DHL_FORM_0019268874.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash (1 IoCs)
Processes:
pid | pid_target | process | target process
852 | 1380 | WerFault.exe | DHL_FORM_0019268874.exe
Modifies system certificate store
Processes:
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474 | DHL_FORM_0019268874.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob (DER certificate blob data omitted) | DHL_FORM_0019268874.exe
Suspicious behavior: EnumeratesProcesses (6 IoCs)
Processes:
pid   process
1404  b2f09782cc6fdc575c78fb3b0ad252cc523a8df88fcbcf0e2829d4d750406128.exe
1404  b2f09782cc6fdc575c78fb3b0ad252cc523a8df88fcbcf0e2829d4d750406128.exe
1404  b2f09782cc6fdc575c78fb3b0ad252cc523a8df88fcbcf0e2829d4d750406128.exe
268   DHL_FORM_0019268874.exe
268   DHL_FORM_0019268874.exe
1380  DHL_FORM_0019268874.exe
Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes:
description | pid | process
Token: SeDebugPrivilege | 1404 | b2f09782cc6fdc575c78fb3b0ad252cc523a8df88fcbcf0e2829d4d750406128.exe
Token: SeDebugPrivilege | 268 | DHL_FORM_0019268874.exe
Token: SeDebugPrivilege | 1380 | DHL_FORM_0019268874.exe
Suspicious use of WriteProcessMemory (25 IoCs)
Processes (identical rows collapsed; the occurrences column gives the number of times each row appears in the report):
description | pid | process | target process | occurrences
PID 1404 wrote to memory of 1500 | 1404 | b2f09782cc6fdc575c78fb3b0ad252cc523a8df88fcbcf0e2829d4d750406128.exe | cmd.exe | 4
PID 1500 wrote to memory of 848 | 1500 | cmd.exe | reg.exe | 4
PID 1404 wrote to memory of 268 | 1404 | b2f09782cc6fdc575c78fb3b0ad252cc523a8df88fcbcf0e2829d4d750406128.exe | DHL_FORM_0019268874.exe | 4
PID 268 wrote to memory of 1380 | 268 | DHL_FORM_0019268874.exe | DHL_FORM_0019268874.exe | 9
PID 1380 wrote to memory of 852 | 1380 | DHL_FORM_0019268874.exe | WerFault.exe | 4
outlook_office_path (1 IoCs)
Processes:
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | DHL_FORM_0019268874.exe
outlook_win_path (1 IoCs)
Processes:
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | DHL_FORM_0019268874.exe
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\b2f09782cc6fdc575c78fb3b0ad252cc523a8df88fcbcf0e2829d4d750406128.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\b2f09782cc6fdc575c78fb3b0ad252cc523a8df88fcbcf0e2829d4d750406128.exe"
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - [2] C:\Windows\SysWOW64\cmd.exe
    Command line: "cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "DHL_FORM_0019268874" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\DHL_FORM_0019268874.exe"
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\reg.exe
      Command line: REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "DHL_FORM_0019268874" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\DHL_FORM_0019268874.exe"
      - Adds Run key to start application
  - [2] C:\Users\Admin\AppData\Roaming\DHL_FORM_0019268874.exe
    Command line: "C:\Users\Admin\AppData\Roaming\DHL_FORM_0019268874.exe"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - [3] C:\Users\Admin\AppData\Roaming\DHL_FORM_0019268874.exe
      Command line: "C:\Users\Admin\AppData\Roaming\DHL_FORM_0019268874.exe"
      - Executes dropped EXE
      - Accesses Microsoft Outlook profiles
      - Modifies system certificate store
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - outlook_office_path
      - outlook_win_path
      - [4] C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1380 -s 1624
        - Loads dropped DLL
        - Program crash
Downloads
-
C:\Users\Admin\AppData\Roaming\DHL_FORM_0019268874.exe
Filesize: 1.4MB
MD5: e4592aeb6b33a38de3a80d3cfe12f7a3
SHA1: ee685ae882f6e0fbd9ebaa1b6488e546ec24da97
SHA256: b2f09782cc6fdc575c78fb3b0ad252cc523a8df88fcbcf0e2829d4d750406128
SHA512: 05486287224d9dbf09c241cdb402ca3d84fc90d6515012f1ed9d86ae136d4248689f50e03bf56402b55a4e87871dbd16261992b6340e0bee066fb20e81a9b23b
-
\Users\Admin\AppData\Roaming\DHL_FORM_0019268874.exe
Filesize: 1.4MB
MD5: e4592aeb6b33a38de3a80d3cfe12f7a3
SHA1: ee685ae882f6e0fbd9ebaa1b6488e546ec24da97
SHA256: b2f09782cc6fdc575c78fb3b0ad252cc523a8df88fcbcf0e2829d4d750406128
SHA512: 05486287224d9dbf09c241cdb402ca3d84fc90d6515012f1ed9d86ae136d4248689f50e03bf56402b55a4e87871dbd16261992b6340e0bee066fb20e81a9b23b
Memory dumps
- memory/268-61-0x0000000000000000-mapping.dmp
- memory/268-64-0x00000000012B0000-0x0000000001428000-memory.dmp (Filesize: 1.5MB)
- memory/268-66-0x00000000005B0000-0x00000000005C4000-memory.dmp (Filesize: 80KB)
- memory/268-67-0x00000000005D0000-0x00000000005D6000-memory.dmp (Filesize: 24KB)
- memory/848-59-0x0000000000000000-mapping.dmp
- memory/852-86-0x0000000000000000-mapping.dmp
- memory/1380-69-0x0000000000080000-0x00000000000EA000-memory.dmp (Filesize: 424KB)
- memory/1380-84-0x0000000000080000-0x00000000000EA000-memory.dmp (Filesize: 424KB)
- memory/1380-74-0x00000000004641AE-mapping.dmp
- memory/1380-76-0x0000000000080000-0x00000000000EA000-memory.dmp (Filesize: 424KB)
- memory/1380-77-0x0000000000080000-0x00000000000EA000-memory.dmp (Filesize: 424KB)
- memory/1380-71-0x0000000000080000-0x00000000000EA000-memory.dmp (Filesize: 424KB)
- memory/1380-81-0x0000000000080000-0x00000000000EA000-memory.dmp (Filesize: 424KB)
- memory/1380-72-0x0000000000080000-0x00000000000EA000-memory.dmp (Filesize: 424KB)
- memory/1380-68-0x0000000000080000-0x00000000000EA000-memory.dmp (Filesize: 424KB)
- memory/1404-54-0x0000000000920000-0x0000000000A98000-memory.dmp (Filesize: 1.5MB)
- memory/1404-57-0x00000000004F0000-0x00000000004F6000-memory.dmp (Filesize: 24KB)
- memory/1404-56-0x00000000020F0000-0x0000000002116000-memory.dmp (Filesize: 152KB)
- memory/1404-55-0x0000000074F01000-0x0000000074F03000-memory.dmp (Filesize: 8KB)
- memory/1500-58-0x0000000000000000-mapping.dmp