3c90b3d32f3fe37632edfad2b768cf77d70e7de0d3291d0e5274ea8a7dc69141

Analysis

max time kernel
116s
max time network
124s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
03/02/2023, 19:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Slither x32y 64/Slither.exe
Size

1.1MB
MD5

8b6e003d671e43521c29e447c3c7e270
SHA1

b6019a010a50bca81b8d3baeb5516fde6397f44d
SHA256

0930fd18d2ab158561841531784ae14f7681020e01320239ef0603bab1db4b30
SHA512

26cad28f330201fe6471d2016f8aab66e7e18acf423b1c616fa1be5db8cf6c198d63db4b9584c3f6051fcd59b29b97e63ab37e6ddd548933ad174b2bfa2cc613
SSDEEP

24576:RhbjXbCjgIv4An+9LPiG0WBliA/DKZvCbD1gG5:fbXCj6AWPiY2A/DKZabRj5

Score

7^/10

spyware stealer

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Control Panel\International\Geo\Nation	Slither.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
608	Slither.exe
608	Slither.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
608	Slither.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 608 wrote to memory of 1888	608	Slither.exe	28
PID 608 wrote to memory of 1888	608	Slither.exe	28
PID 608 wrote to memory of 1888	608	Slither.exe	28
PID 608 wrote to memory of 1888	608	Slither.exe	28
PID 608 wrote to memory of 2020	608	Slither.exe	29
PID 608 wrote to memory of 2020	608	Slither.exe	29
PID 608 wrote to memory of 2020	608	Slither.exe	29
PID 608 wrote to memory of 2020	608	Slither.exe	29
PID 608 wrote to memory of 592	608	Slither.exe	30
PID 608 wrote to memory of 592	608	Slither.exe	30
PID 608 wrote to memory of 592	608	Slither.exe	30
PID 608 wrote to memory of 592	608	Slither.exe	30
PID 608 wrote to memory of 812	608	Slither.exe	32
PID 608 wrote to memory of 812	608	Slither.exe	32
PID 608 wrote to memory of 812	608	Slither.exe	32
PID 608 wrote to memory of 812	608	Slither.exe	32
PID 608 wrote to memory of 320	608	Slither.exe	34
PID 608 wrote to memory of 320	608	Slither.exe	34
PID 608 wrote to memory of 320	608	Slither.exe	34
PID 608 wrote to memory of 320	608	Slither.exe	34
PID 608 wrote to memory of 1584	608	Slither.exe	35
PID 608 wrote to memory of 1584	608	Slither.exe	35
PID 608 wrote to memory of 1584	608	Slither.exe	35
PID 608 wrote to memory of 1584	608	Slither.exe	35

C:\Users\Admin\AppData\Local\Temp\Slither x32y 64\Slither.exe
"C:\Users\Admin\AppData\Local\Temp\Slither x32y 64\Slither.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:608
- C:\Users\Admin\AppData\Local\Temp\Slither x32y 64\Slither.exe
  "C:\Users\Admin\AppData\Local\Temp\Slither x32y 64\Slither.exe" --type=crashpad-handler /prefetch:7 --no-rate-limit --database=C:\Users\Admin\AppData\Local\Crashpad --annotation=channel= --annotation=plat=Win32 --annotation=prod=nwjs --annotation=ver=-devel --handshake-handle=0xb8
  2⤵
  PID:1888
- C:\Users\Admin\AppData\Local\Temp\Slither x32y 64\Slither.exe
  "C:\Users\Admin\AppData\Local\Temp\Slither x32y 64\Slither.exe" --type=gpu-process --channel="608.0.731103613\869796987" --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Slither.io\User Data" --disable-breakpad --supports-dual-gpus=false --gpu-driver-bug-workarounds=3,11,25,54 --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor=Microsoft --gpu-driver-version=6.1.7600.16385 --user-data-dir="C:\Users\Admin\AppData\Local\Slither.io\User Data" /prefetch:2
  2⤵
  PID:2020
- C:\Users\Admin\AppData\Local\Temp\Slither x32y 64\Slither.exe
  "C:\Users\Admin\AppData\Local\Temp\Slither x32y 64\Slither.exe" --type=utility --channel="608.1.577058492\8327520" --lang=en-US --no-sandbox --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Slither.io\User Data" /prefetch:8
  2⤵
  PID:592
- C:\Users\Admin\AppData\Local\Temp\Slither x32y 64\Slither.exe
  "C:\Users\Admin\AppData\Local\Temp\Slither x32y 64\Slither.exe" --type=renderer --no-sandbox --enable-features=AutomaticTabDiscarding<AutomaticTabDiscarding --lang=en-US --force-fieldtrials=AsyncSetAsDefault/Enabled/AutofillClassifier/Enabled/AutofillFieldMetadata/Enabled/AutofillProfileOrderByFrecency/EnabledLimitTo3/*AutomaticTabDiscarding/Enabled_Once/*BrowserBlacklist/Enabled/CaptivePortalInterstitial/Enabled/ChildAccountDetection/Disabled/ChromeDashboard/Enabled/ChromotingQUIC/Enabled/*DataReductionProxyConfigService/Enabled/EnableGoogleCachedCopyTextExperiment/Button/EnableSessionCrashedBubbleUI/Enabled/*ExtensionActionRedesign/Enabled/ExtensionContentVerification/Enforce/ExtensionInstallVerification/Enforce/GoogleNow/Enable/IconNTP/Default/InstanceID/Enabled/IntelligentSessionRestore/Enabled/MaterialDesignDownloads/Enabled/*NetworkQualityEstimator/Enabled/*NewProfileManagement/Enabled/PasswordBranding/SmartLockBrandingSavePromptOnly/PasswordGeneration/Disabled/*QUIC/Enabled/RefreshTokenDeviceId/Enabled/ReportCertificateErrors/ShowAndPossiblySend/SRTPromptFieldTrial/On/SafeBrowsingReportPhishingErrorLink/Enabled/SafeBrowsingUnverifiedDownloads/DisableByParameterExe/SafeBrowsingUpdateFrequency/UpdateTime15m/SdchPersistence/Enabled/*SettingsEnforcement/enforce_always_with_extensions_and_dse/SpdyEnableDependencies/Enable/StrictSecureCookies/Enabled/SyncHttpContentCompression/Enabled/TabSyncByRecency/Enabled/*TriggeredResetFieldTrial/On/UseDelayAgnosticAEC/DefaultEnabled/VarationsServiceControl/Interval_30min/WebFontsIntervention/Enabled/WebRTC-LocalIPPermissionCheck/Enabled/WebRTC-PeerConnectionDTLS1.2/Enabled/ --user-data-dir="C:\Users\Admin\AppData\Local\Slither.io\User Data" --nwjs --extension-process --enable-webrtc-hw-h264-encoding --disable-client-side-phishing-detection --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=1 --content-image-texture-target=3553,3553,3553,3553,3553,3553,3553,3553,3553,3553,3553,3553,3553,3553 --video-image-texture-target=3553 --channel="608.2.457814438\1209075205" /prefetch:1
  2⤵
  PID:812
- C:\Users\Admin\AppData\Local\Temp\Slither x32y 64\Slither.exe
  "C:\Users\Admin\AppData\Local\Temp\Slither x32y 64\Slither.exe" --type=utility --channel="608.3.671921034\1658069767" --lang=en-US --no-sandbox --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Slither.io\User Data" /prefetch:8
  2⤵
  PID:320
- C:\Users\Admin\AppData\Local\Temp\Slither x32y 64\Slither.exe
  "C:\Users\Admin\AppData\Local\Temp\Slither x32y 64\Slither.exe" --type=utility --channel="608.4.470372482\244299776" --lang=en-US --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Slither.io\User Data" /prefetch:8
  2⤵
  PID:1584

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Crashpad\settings.dat

Filesize
40B

MD5
7a306d1c5b9b2b9ebf43f468c389c534

SHA1
3bde0d24b8e8a9de1b19f97f8d3e84a7bfdfce2a

SHA256
d52ab39de6faebfc7f8f5682fa152b3f02612219bab2888f420c894d42aaedb8

SHA512
2a06ab3023329a320eca45c1a82deb4bc02548829563df70355e0e6d74da1c6ed56b6d8c3d8f60bab5aefc5516b44ad7203ad3a3f97dd7715d81837223d4621c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Slither x32y 64\debug.log

Filesize
271B

MD5
0e452dd42582aed72c89e43d81a46e4b

SHA1
8236c8aaae9b8836cc77e74aa5eefb375598d0a9

SHA256
af61f63072f16f9111812b412a4e52b4abb7949993c4ad4a9e3fbebd9fabde1b

SHA512
5a24f70621188285c6ecb4c8f2c53941e5934568ecfba2a05fe3576af29e464a8d7d96700e2743b1b5506812d815b4557de463d9ccb048b7bfeffe6c2847b688

Download Submit
C:\Users\Admin\AppData\Local\Temp\Slither x32y 64\debug.log

Filesize
351B

MD5
cc2c2fbd4287998e8d692eb32cc54ef8

SHA1
c4607170a1a91b43a6c6b8c0dacb0a8c375db8fc

SHA256
9c3f243b54fac4e874c53a49a0f1c7ec2008f1f4d2e04400541eeb717753cea5

SHA512
ebcbf49fcde309fbb7449e6b2ecb301cb396c021bdeaa8c860b1989936014d4689fa44c8e26c058d1998e8bf16d19e172a84fb345f874258ac2d3dabff9cffcf

Download Submit
C:\Users\Admin\AppData\Local\Temp\Slither x32y 64\debug.log

Filesize
431B

MD5
85bc2296c2c563045fb7346e719e93e6

SHA1
4a4d4e4356e8888d4a176b68a47dfc052ff26b19

SHA256
11666d26f5a32540e8708dd8f9c1fe0ea94cada1c43bb73df237957c06338097

SHA512
b110eedf63b4aa0fb607d8eac595b5857825b4e175eb76396e421d04129f64b63e1d28d4a323c009942d976fd219899e72d6765f5b227006c4a59b7ef81e7698

Download Submit
memory/608-54-0x0000000075811000-0x0000000075813000-memory.dmp

Filesize
8KB

Download