Analysis
max time kernel: 68s
max time network: 141s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 28-11-2022 06:31
Static task: static1
Behavioral task: behavioral1
  Sample: SecuriteInfo.com.Win32.PWSX-gen.19575.15091.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: SecuriteInfo.com.Win32.PWSX-gen.19575.15091.exe
  Resource: win10v2004-20220901-en
General
Target: SecuriteInfo.com.Win32.PWSX-gen.19575.15091.exe
Size: 1.0MB
MD5: 3672cbf3d4df3e8b980ca53da0be22af
SHA1: 056122bc3ff2e7fc0f7daf12c4bde24dab554aba
SHA256: 093ae32e384e0781c6840738467880b8a18eeac99a9124e2b03431f054ccbba2
SHA512: fbda4615c2984b80db5e970422340912fb84b8a1e8de23c277ed42de36b07525879f0f45ef530989598c22ccf07e0098cadc5d8025a5e9eefc5f2b5cbd09ef7b
SSDEEP: 24576:ukdGOopzAI3ZnpSLixvrpgDMBse8UOiJoLSwybN9X:v1opLNjeuse8UOxu3
Malware Config
Signatures

Snake Keylogger
  Keylogger and Infostealer first seen in November 2020.

Snake Keylogger payload (6 IoCs)
  resource                                                                      yara_rule
  behavioral1/memory/2044-72-0x0000000000400000-0x0000000000426000-memory.dmp  family_snakekeylogger
  behavioral1/memory/2044-74-0x000000000042072E-mapping.dmp                    family_snakekeylogger
  behavioral1/memory/2044-73-0x0000000000400000-0x0000000000426000-memory.dmp  family_snakekeylogger
  behavioral1/memory/2044-70-0x0000000000400000-0x0000000000426000-memory.dmp  family_snakekeylogger
  behavioral1/memory/2044-76-0x0000000000400000-0x0000000000426000-memory.dmp  family_snakekeylogger
  behavioral1/memory/2044-78-0x0000000000400000-0x0000000000426000-memory.dmp  family_snakekeylogger

Adds Run key to start application (2 TTPs, 1 IoC)
  Process: SecuriteInfo.com.Win32.PWSX-gen.19575.15091.exe
  Description: Set value (str)
  IoC: \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\Rrpkvujmgr = "\"C:\\Users\\Admin\\AppData\\Roaming\\Gurwxo\\Rrpkvujmgr.exe\""

Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow  ioc
  4     checkip.dyndns.org

Suspicious use of SetThreadContext (1 IoC)
  description                          pid   process                                          target process
  PID 1612 set thread context of 2044  1612  SecuriteInfo.com.Win32.PWSX-gen.19575.15091.exe  SecuriteInfo.com.Win32.PWSX-gen.19575.15091.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Program crash (1 IoC)
  pid   pid_target  process       target process
  1616  2044        WerFault.exe  SecuriteInfo.com.Win32.PWSX-gen.19575.15091.exe

Suspicious behavior: EnumeratesProcesses (3 IoCs)
  pid   process
  1860  powershell.exe
  1332  powershell.exe
  2044  SecuriteInfo.com.Win32.PWSX-gen.19575.15091.exe

Suspicious use of AdjustPrivilegeToken (4 IoCs)
  description              pid   process
  Token: SeDebugPrivilege  1860  powershell.exe
  Token: SeDebugPrivilege  1612  SecuriteInfo.com.Win32.PWSX-gen.19575.15091.exe
  Token: SeDebugPrivilege  1332  powershell.exe
  Token: SeDebugPrivilege  2044  SecuriteInfo.com.Win32.PWSX-gen.19575.15091.exe

Suspicious use of WriteProcessMemory (21 IoCs; identical rows collapsed with a count)
  description                          count  pid   process                                          target process
  PID 1612 wrote to memory of 1860     4      1612  SecuriteInfo.com.Win32.PWSX-gen.19575.15091.exe  powershell.exe
  PID 1612 wrote to memory of 1332     4      1612  SecuriteInfo.com.Win32.PWSX-gen.19575.15091.exe  powershell.exe
  PID 1612 wrote to memory of 2044     9      1612  SecuriteInfo.com.Win32.PWSX-gen.19575.15091.exe  SecuriteInfo.com.Win32.PWSX-gen.19575.15091.exe
  PID 2044 wrote to memory of 1616     4      2044  SecuriteInfo.com.Win32.PWSX-gen.19575.15091.exe  WerFault.exe
Processes

1. C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.19575.15091.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.19575.15091.exe"
   - Adds Run key to start application
   - Suspicious use of SetThreadContext
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

   2. C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==
      (the -ENC argument is base64-encoded UTF-16LE and decodes to: start-sleep -seconds 20)
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

   2. C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.19575.15091.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.19575.15091.exe
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\WerFault.exe
         Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2044 -s 1104
         - Program crash
Network
MITRE ATT&CK Matrix: ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
  Filesize: 7KB
  MD5: 52539352e53171a4694ddc02ddd1e33f
  SHA1: 2a688afd38f05b36721893bb26b11c38a6410a58
  SHA256: 6a675cce8a92a4fdff1e176390ce8a6b8dd7d37713ed27b78c3edab6087b1323
  SHA512: 659720d4880abf8d1f6f404882b947be8ce5a03379b8c4a6be5e35f78a1be8277bf133415b1779d911b07f94231501db79cbe3c0667dcd63b773078e5175b706
- memory/1332-61-0x0000000000000000-mapping.dmp
- memory/1332-66-0x000000006E880000-0x000000006EE2B000-memory.dmp (Filesize: 5.7MB)
- memory/1332-65-0x000000006E880000-0x000000006EE2B000-memory.dmp (Filesize: 5.7MB)
- memory/1332-64-0x000000006E880000-0x000000006EE2B000-memory.dmp (Filesize: 5.7MB)
- memory/1612-60-0x00000000057E0000-0x0000000005A0C000-memory.dmp (Filesize: 2.2MB)
- memory/1612-54-0x0000000000930000-0x0000000000A3C000-memory.dmp (Filesize: 1.0MB)
- memory/1612-55-0x0000000076681000-0x0000000076683000-memory.dmp (Filesize: 8KB)
- memory/1616-80-0x0000000000000000-mapping.dmp
- memory/1860-59-0x000000006F670000-0x000000006FC1B000-memory.dmp (Filesize: 5.7MB)
- memory/1860-58-0x000000006F670000-0x000000006FC1B000-memory.dmp (Filesize: 5.7MB)
- memory/1860-56-0x0000000000000000-mapping.dmp
- memory/2044-72-0x0000000000400000-0x0000000000426000-memory.dmp (Filesize: 152KB)
- memory/2044-74-0x000000000042072E-mapping.dmp
- memory/2044-73-0x0000000000400000-0x0000000000426000-memory.dmp (Filesize: 152KB)
- memory/2044-70-0x0000000000400000-0x0000000000426000-memory.dmp (Filesize: 152KB)
- memory/2044-68-0x0000000000400000-0x0000000000426000-memory.dmp (Filesize: 152KB)
- memory/2044-76-0x0000000000400000-0x0000000000426000-memory.dmp (Filesize: 152KB)
- memory/2044-78-0x0000000000400000-0x0000000000426000-memory.dmp (Filesize: 152KB)
- memory/2044-67-0x0000000000400000-0x0000000000426000-memory.dmp (Filesize: 152KB)