Overview

overview

10

Static

static

FATURA VE ...ER.exe

windows7-x64

10

FATURA VE ...ER.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    47s
  • max time network
    144s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    25-01-2023 20:31

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    FATURA VE BELGELER.exe

  • Size

    6KB

  • MD5

    8cdcf9d4502ce65a9bf4fcc5f5fa54d3

  • SHA1

    b534efd9dd2902ab2172cc9f2f07fc8ff1acac0d

  • SHA256

    53ab8d99f27bef0bdbc4a0d0a02de34254fde15d202708e379bf2ff84d2ecfef

  • SHA512

    61379ff5617c577fa62c2fcbe4c2ae419f6a5f236edc7f0e1f4ceb356841fb500b0aa78291cacb0e33abf82b928058f225cfd5fb37879e71d370a6ceffd5e883

  • SSDEEP

    96:DpMKEpKgeQV6lfxV9n5Hl9cItU2RM1FVbWm7atAkuaLzNt:DuKTqQl/95HnZtJy9bWqa/DN

Score
10/10
purecryptersnakekeyloggercollectiondownloaderevasionkeyloggerloaderstealer

Malware Config

Extracted

Family

snakekeylogger

C2

https://api.telegram.org/bot5883437677:AAHeJkSINF-WhhSkVwvmtUtf8IUR1jbdjNM/sendMessage?chat_id=5739567068

Signatures

  • Detect PureCrypter injector 1 IoCs
    loader
  • PureCrypter

    PureCrypter is a .NET malware loader first seen in early 2021.

    loaderdownloaderpurecrypter
  • Snake Keylogger

    Keylogger and Infostealer first seen in November 2020.

    stealerkeyloggersnakekeylogger
  • Snake Keylogger payload 6 IoCs
  • Disables RegEdit via registry modification 1 IoCs
    evasion
  • Disables Task Manager via registry modification
    evasion
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry key 1 TTPs 1 IoCs
  • Modifies system certificate store 2 TTPs 2 IoCs
    evasionspywaretrojan
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\FATURA VE BELGELER.exe
    "C:\Users\Admin\AppData\Local\Temp\FATURA VE BELGELER.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Modifies system certificate store
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1884
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:764
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      2⤵
        PID:928
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        2⤵
        • Accesses Microsoft Outlook profiles
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        • outlook_office_path
        • outlook_win_path
        PID:1576
        • C:\Windows\SysWOW64\REG.exe
          REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 1 /f
          3⤵
          • Disables RegEdit via registry modification
          • Modifies registry key
          PID:1388

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Privilege Escalation

    Defense Evasion

    Modify Registry

    2
    T1112

    Install Root Certificate

    1
    T1130

    Credential Access

    Discovery

    System Information Discovery

    1
    T1082

    Lateral Movement

    Collection

    Email Collection

    1
    T1114

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/764-60-0x000000006E380000-0x000000006E92B000-memory.dmp
      Filesize

      5.7MB

      Download
    • memory/764-62-0x000000006E380000-0x000000006E92B000-memory.dmp
      Filesize

      5.7MB

      Download
    • memory/764-61-0x000000006E380000-0x000000006E92B000-memory.dmp
      Filesize

      5.7MB

      Download
    • memory/764-58-0x0000000000000000-mapping.dmp
      Download
    • memory/1388-76-0x0000000000000000-mapping.dmp
      Download
    • memory/1576-63-0x0000000000400000-0x0000000000426000-memory.dmp
      Filesize

      152KB

      Download
    • memory/1576-64-0x0000000000400000-0x0000000000426000-memory.dmp
      Filesize

      152KB

      Download
    • memory/1576-66-0x0000000000400000-0x0000000000426000-memory.dmp
      Filesize

      152KB

      Download
    • memory/1576-68-0x0000000000400000-0x0000000000426000-memory.dmp
      Filesize

      152KB

      Download
    • memory/1576-69-0x0000000000400000-0x0000000000426000-memory.dmp
      Filesize

      152KB

      Download
    • memory/1576-70-0x0000000000420BFE-mapping.dmp
      Download
    • memory/1576-72-0x0000000000400000-0x0000000000426000-memory.dmp
      Filesize

      152KB

      Download
    • memory/1576-74-0x0000000000400000-0x0000000000426000-memory.dmp
      Filesize

      152KB

      Download
    • memory/1884-57-0x00000000060D0000-0x0000000006162000-memory.dmp
      Filesize

      584KB

      Download
    • memory/1884-56-0x0000000005830000-0x000000000589E000-memory.dmp
      Filesize

      440KB

      Download
    • memory/1884-54-0x00000000002C0000-0x00000000002C8000-memory.dmp
      Filesize

      32KB

      Download
    • memory/1884-55-0x0000000075201000-0x0000000075203000-memory.dmp
      Filesize

      8KB

      Download