Analysis
-
max time kernel
90s -
max time network
144s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
-
submitted
25-01-2023 20:31
General
-
Target
FATURA VE BELGELER.exe
-
Size
6KB
-
MD5
8cdcf9d4502ce65a9bf4fcc5f5fa54d3
-
SHA1
b534efd9dd2902ab2172cc9f2f07fc8ff1acac0d
-
SHA256
53ab8d99f27bef0bdbc4a0d0a02de34254fde15d202708e379bf2ff84d2ecfef
-
SHA512
61379ff5617c577fa62c2fcbe4c2ae419f6a5f236edc7f0e1f4ceb356841fb500b0aa78291cacb0e33abf82b928058f225cfd5fb37879e71d370a6ceffd5e883
-
SSDEEP
96:DpMKEpKgeQV6lfxV9n5Hl9cItU2RM1FVbWm7atAkuaLzNt:DuKTqQl/95HnZtJy9bWqa/DN
Malware Config
Extracted
snakekeylogger
https://api.telegram.org/bot5883437677:AAHeJkSINF-WhhSkVwvmtUtf8IUR1jbdjNM/sendMessage?chat_id=5739567068
Signatures
-
Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
-
Snake Keylogger payload 1 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext 1 IoCs
-
Drops file in Windows directory 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of WriteProcessMemory 11 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\FATURA VE BELGELER.exe"C:\Users\Admin\AppData\Local\Temp\FATURA VE BELGELER.exe"1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe2⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2536 -s 14563⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 180 -p 2536 -ip 25361⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/1408-141-0x0000000006870000-0x000000000688E000-memory.dmpFilesize
120KB
-
memory/1408-140-0x0000000006240000-0x00000000062A6000-memory.dmpFilesize
408KB
-
memory/1408-143-0x0000000006D60000-0x0000000006D7A000-memory.dmpFilesize
104KB
-
memory/1408-142-0x0000000008090000-0x000000000870A000-memory.dmpFilesize
6.5MB
-
memory/1408-136-0x0000000000000000-mapping.dmp
-
memory/1408-137-0x0000000005290000-0x00000000052C6000-memory.dmpFilesize
216KB
-
memory/1408-138-0x0000000005940000-0x0000000005F68000-memory.dmpFilesize
6.2MB
-
memory/1408-139-0x00000000060E0000-0x0000000006146000-memory.dmpFilesize
408KB
-
memory/2536-144-0x0000000000000000-mapping.dmp
-
memory/2536-145-0x0000000000400000-0x0000000000426000-memory.dmpFilesize
152KB
-
memory/2536-146-0x00000000059B0000-0x0000000005A4C000-memory.dmpFilesize
624KB
-
memory/4308-133-0x0000000006D80000-0x0000000007324000-memory.dmpFilesize
5.6MB
-
memory/4308-132-0x0000000000B40000-0x0000000000B48000-memory.dmpFilesize
32KB
-
memory/4308-135-0x0000000006A60000-0x0000000006A82000-memory.dmpFilesize
136KB
-
memory/4308-134-0x00000000068D0000-0x0000000006962000-memory.dmpFilesize
584KB