Analysis
-
max time kernel
90s -
max time network
144s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system -
submitted
25-01-2023 20:31
Static task
static1
Behavioral task
behavioral1
Sample
FATURA VE BELGELER.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
FATURA VE BELGELER.exe
Resource
win10v2004-20220812-en
General
-
Target
FATURA VE BELGELER.exe (Turkish: "INVOICE AND DOCUMENTS", an invoice-themed lure name)
-
Size
6KB
-
MD5
8cdcf9d4502ce65a9bf4fcc5f5fa54d3
-
SHA1
b534efd9dd2902ab2172cc9f2f07fc8ff1acac0d
-
SHA256
53ab8d99f27bef0bdbc4a0d0a02de34254fde15d202708e379bf2ff84d2ecfef
-
SHA512
61379ff5617c577fa62c2fcbe4c2ae419f6a5f236edc7f0e1f4ceb356841fb500b0aa78291cacb0e33abf82b928058f225cfd5fb37879e71d370a6ceffd5e883
-
SSDEEP
96:DpMKEpKgeQV6lfxV9n5Hl9cItU2RM1FVbWm7atAkuaLzNt:DuKTqQl/95HnZtJy9bWqa/DN
Malware Config
Extracted
snakekeylogger
https://api.telegram.org/bot5883437677:AAHeJkSINF-WhhSkVwvmtUtf8IUR1jbdjNM/sendMessage?chat_id=5739567068
Signatures
-
Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
-
Snake Keylogger payload 1 IoCs
Processes:
  resource                                                                      yara_rule
  behavioral2/memory/2536-145-0x0000000000400000-0x0000000000426000-memory.dmp  family_snakekeylogger
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up the country code configured in the registry, likely a geofence check.
Processes: FATURA VE BELGELER.exe
  description        ioc                                                                                                    process
  Key value queried  \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation  FATURA VE BELGELER.exe
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
  flow  ioc
  15    checkip.dyndns.org
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
Processes: FATURA VE BELGELER.exe
  description                          pid   process                 target process
  PID 4308 set thread context of 2536  4308  FATURA VE BELGELER.exe  MSBuild.exe
-
Drops file in Windows directory 1 IoCs
Processes:
Processes: MSBuild.exe
  description                   ioc                                                      process
  File opened for modification  C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe  MSBuild.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). The sandbox's generic description calls this "likely ransomware behaviour", but nothing else in this report (no mass file modification, no ransom note) supports that; for an infostealer, drive enumeration is part of victim profiling.
-
Program crash 1 IoCs
Processes:
Processes: WerFault.exe
  pid   pid_target  process       target process
  4828  2536        WerFault.exe  MSBuild.exe
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
Processes:
Processes: powershell.exe, MSBuild.exe
  pid   process
  1408  powershell.exe
  1408  powershell.exe
  2536  MSBuild.exe
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
Processes: FATURA VE BELGELER.exe, powershell.exe, MSBuild.exe
  description              pid   process
  Token: SeDebugPrivilege  4308  FATURA VE BELGELER.exe
  Token: SeDebugPrivilege  1408  powershell.exe
  Token: SeDebugPrivilege  2536  MSBuild.exe
-
Suspicious use of WriteProcessMemory 11 IoCs
Processes:
Processes: FATURA VE BELGELER.exe
  description                       pid   process                 target process   count
  PID 4308 wrote to memory of 1408  4308  FATURA VE BELGELER.exe  powershell.exe   3 events
  PID 4308 wrote to memory of 2536  4308  FATURA VE BELGELER.exe  MSBuild.exe      8 events
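The SetThreadContext and WriteProcessMemory signatures above only become a process-hollowing verdict when they are correlated with process lineage: the injecting process spawned MSBuild.exe itself, launched it with no arguments, wrote into it eight times, then replaced its thread context. The following is an added example (not part of the sandbox report or of any sandbox vendor's code) of that correlation over a constructed event list whose PIDs, images and counts mirror this report; the event schema, the HOLLOW_HOSTS list and the user-writable-path pattern are this example's own assumptions.

```python
import ntpath
import re
from collections import defaultdict
from typing import Dict, List

# Constructed event log mirroring the Signatures section (PIDs 4308, 1408, 2536
# and the WriteProcessMemory / SetThreadContext counts). The field names are
# this example's own schema, not a sandbox export format.
EVENTS: List[Dict] = [
    {"op": "create", "pid": 4308, "ppid": 0,
     "image": r"C:\Users\Admin\AppData\Local\Temp\FATURA VE BELGELER.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\FATURA VE BELGELER.exe"'},
    {"op": "create", "pid": 1408, "ppid": 4308,
     "image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC '
                r"cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA=="},
    {"op": "create", "pid": 2536, "ppid": 4308,
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
     "cmdline": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"},
]
EVENTS += [{"op": "WriteProcessMemory", "pid": 4308, "target": 1408}] * 3
EVENTS += [{"op": "WriteProcessMemory", "pid": 4308, "target": 2536}] * 8
EVENTS.append({"op": "SetThreadContext", "pid": 4308, "target": 2536})

# Signed .NET framework binaries commonly used as hollowing hosts (assumed list;
# extend it from your own telemetry).
HOLLOW_HOSTS = {
    "msbuild.exe", "regasm.exe", "regsvcs.exe", "installutil.exe",
    "applaunch.exe", "aspnet_compiler.exe", "vbc.exe", "csc.exe", "cvtres.exe",
}
USER_WRITABLE = re.compile(
    r"^[a-z]:\\users\\[^\\]+\\(appdata|downloads|desktop|documents)\\", re.I)


def has_arguments(cmdline: str) -> bool:
    """True if anything follows the (possibly quoted) image path."""
    return len(re.findall(r'"[^"]*"|\S+', cmdline)) > 1


def detect_hollowing(events: List[Dict], min_reasons: int = 3) -> List[Dict]:
    """Correlate SetThreadContext with memory writes and process lineage.

    A parent writing into a child it just spawned and then replacing that
    child's thread context is the classic hollowing sequence. The extra
    indicators keep CreateProcess-time writes (cf. the three writes into
    powershell.exe, which never gets a SetThreadContext) from alerting.
    """
    procs = {e["pid"]: e for e in events if e["op"] == "create"}
    writes: Dict[tuple, int] = defaultdict(int)
    for e in events:
        if e["op"] == "WriteProcessMemory":
            writes[(e["pid"], e["target"])] += 1

    findings = []
    for e in events:
        if e["op"] != "SetThreadContext":
            continue
        src, tgt = procs.get(e["pid"]), procs.get(e["target"])
        if src is None or tgt is None:
            continue
        reasons = []
        if tgt["ppid"] == src["pid"]:
            reasons.append("target is a child of the injecting process")
        n = writes.get((src["pid"], tgt["pid"]), 0)
        if n:
            reasons.append(f"{n} WriteProcessMemory call(s) from injector into target")
        host = ntpath.basename(tgt["image"]).lower()
        if host in HOLLOW_HOSTS:
            reasons.append(f"{host} is a common .NET hollowing host")
        if not has_arguments(tgt["cmdline"]):
            reasons.append("target was launched with no command-line arguments")
        if USER_WRITABLE.match(src["image"]):
            reasons.append("injector runs from a user-writable directory")
        if len(reasons) >= min_reasons:
            findings.append({"injector": src["pid"], "target": tgt["pid"],
                             "host": host, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in detect_hollowing(EVENTS):
        print(f"PID {f['injector']} hollowed {f['host']} (PID {f['target']}):")
        for r in f["reasons"]:
            print("  -", r)
```

Run stand-alone it reports the single 4308 -> 2536 (MSBuild.exe) finding with all five reasons; the writes into powershell.exe produce nothing because no SetThreadContext follows them.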
Processes
-
-
C:\Users\Admin\AppData\Local\Temp\FATURA VE BELGELER.exe (depth 1, PID 4308)
  command line: "C:\Users\Admin\AppData\Local\Temp\FATURA VE BELGELER.exe"
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
-
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (depth 2, PID 1408, child of FATURA VE BELGELER.exe)
    command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==
    decoded -ENC payload (base64 over UTF-16LE): start-sleep -seconds 20
    The image resolves under SysWOW64 although the command line names System32: the parent is a 32-bit process, so WOW64 file-system redirection applies. The encoded command is nothing but a 20-second pause, a cheap way to outwait short sandbox time limits.
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
-
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe (depth 2, PID 2536, child of FATURA VE BELGELER.exe)
    command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    Launched with no arguments and targeted by the parent's SetThreadContext and WriteProcessMemory calls (see Signatures): the 32-bit MSBuild.exe is the hollowing host, and the family_snakekeylogger YARA hit is in its 0x400000-0x426000 region.
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
-
    C:\Windows\SysWOW64\WerFault.exe (depth 3, PID 4828, child of MSBuild.exe)
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2536 -s 1456
      - Program crash
-
C:\Windows\SysWOW64\WerFault.exe (depth 1)
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 180 -p 2536 -ip 2536
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
dump                                                               filesize
memory/1408-136-0x0000000000000000-mapping.dmp                     (mapping only)
memory/1408-137-0x0000000005290000-0x00000000052C6000-memory.dmp   216KB
memory/1408-138-0x0000000005940000-0x0000000005F68000-memory.dmp   6.2MB
memory/1408-139-0x00000000060E0000-0x0000000006146000-memory.dmp   408KB
memory/1408-140-0x0000000006240000-0x00000000062A6000-memory.dmp   408KB
memory/1408-141-0x0000000006870000-0x000000000688E000-memory.dmp   120KB
memory/1408-142-0x0000000008090000-0x000000000870A000-memory.dmp   6.5MB
memory/1408-143-0x0000000006D60000-0x0000000006D7A000-memory.dmp   104KB
memory/2536-144-0x0000000000000000-mapping.dmp                     (mapping only)
memory/2536-145-0x0000000000400000-0x0000000000426000-memory.dmp   152KB  (family_snakekeylogger YARA match; injected payload at the 32-bit default image base 0x400000 inside MSBuild.exe)
memory/2536-146-0x00000000059B0000-0x0000000005A4C000-memory.dmp   624KB
memory/4308-132-0x0000000000B40000-0x0000000000B48000-memory.dmp   32KB
memory/4308-133-0x0000000006D80000-0x0000000007324000-memory.dmp   5.6MB
memory/4308-134-0x00000000068D0000-0x0000000006962000-memory.dmp   584KB
memory/4308-135-0x0000000006A60000-0x0000000006A82000-memory.dmp   136KB