Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

tmp_yefxj3l.exe

windows7-x64

10

tmp_yefxj3l.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    67s
  • max time network
    128s
  • platform
    windows7_x64
  • resource
    win7-20220901-en
  • resource tags

    arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
  • submitted
    31/01/2023, 05:32

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    tmp_yefxj3l.exe

  • Size

    649KB

  • MD5

    0348469c2faa81c6581790280e815c42

  • SHA1

    abe0c89fefee86e8b69857d4499dc5d63607a7f1

  • SHA256

    d0d573cf8f2460ca3d4e9074af0a2c13b56c287fb7ace1560b8c8209170de73c

  • SHA512

    2c4143a7cb14f391ae8fffb156c51ff328d503200f033bb70721611ee972d625694dd2a96f4a19537504f8511664f7c5caa791fd42737470a1f6eecd12158bde

  • SSDEEP

    12288:Tj4C5sHSY+/o2Qa1s9W7aB4Qyux3qSMWTvPWWeh3ih9HlAhTCV:AC5sn+/ZIWK1x4mGBYTuC

Score
10/10
snakekeyloggercollectionkeyloggerspywarestealer

Malware Config

Extracted

Family

snakekeylogger

Credentials
C2

https://api.telegram.org/bot5839027687:AAGrC4UWgd0JQxMHOf1dCehA-oSrYF_Bez8/sendMessage?chat_id=1094077450

Signatures

  • Snake Keylogger

    Keylogger and Infostealer first seen in November 2020.

    stealerkeyloggersnakekeylogger
  • Snake Keylogger payload 6 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\tmp_yefxj3l.exe
    "C:\Users\Admin\AppData\Local\Temp\tmp_yefxj3l.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:2024
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\mcveldGLmqL.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2028
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\mcveldGLmqL" /XML "C:\Users\Admin\AppData\Local\Temp\tmpD135.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:1356
    • C:\Users\Admin\AppData\Local\Temp\tmp_yefxj3l.exe
      "C:\Users\Admin\AppData\Local\Temp\tmp_yefxj3l.exe"
      2⤵
      • Accesses Microsoft Outlook profiles
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • outlook_office_path
      • outlook_win_path
      PID:696

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmpD135.tmp
    Filesize

    1KB

    MD5

    dbe9b09a45cb538a877ed4fb7b302b48

    SHA1

    5af7b6cd29a64322c7c94e38c5e236768480b4d1

    SHA256

    64148890ab27f7728c9e5f8606b1fbb2b30c4f03398e755b394b1bbd105e7180

    SHA512

    f8876964e43d856ecdf10332501862bc0245c23e2234633ab5b0ab4c84a7e3b29c137b4f9a6ef793b8db7131e85a10b6f389f3006b890c7f702fbacb1be0d575

    Download Submit

  • memory/696-65-0x0000000000400000-0x0000000000426000-memory.dmp

    Filesize

    152KB

    Download

  • memory/696-75-0x0000000000400000-0x0000000000426000-memory.dmp

    Filesize

    152KB

    Download

  • memory/696-73-0x0000000000400000-0x0000000000426000-memory.dmp

    Filesize

    152KB

    Download

  • memory/696-70-0x0000000000400000-0x0000000000426000-memory.dmp

    Filesize

    152KB

    Download

  • memory/696-69-0x0000000000400000-0x0000000000426000-memory.dmp

    Filesize

    152KB

    Download

  • memory/696-67-0x0000000000400000-0x0000000000426000-memory.dmp

    Filesize

    152KB

    Download

  • memory/696-64-0x0000000000400000-0x0000000000426000-memory.dmp

    Filesize

    152KB

    Download

  • memory/2024-58-0x0000000004EB0000-0x0000000004F12000-memory.dmp

    Filesize

    392KB

    Download

  • memory/2024-63-0x0000000004F50000-0x0000000004F78000-memory.dmp

    Filesize

    160KB

    Download

  • memory/2024-54-0x0000000000340000-0x00000000003E8000-memory.dmp

    Filesize

    672KB

    Download

  • memory/2024-57-0x0000000001E00000-0x0000000001E0A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/2024-56-0x0000000001DE0000-0x0000000001DF4000-memory.dmp

    Filesize

    80KB

    Download

  • memory/2024-55-0x00000000766D1000-0x00000000766D3000-memory.dmp

    Filesize

    8KB

    Download

  • memory/2028-77-0x000000006F0E0000-0x000000006F68B000-memory.dmp

    Filesize

    5.7MB

    Download