3c90b3d32f3fe37632edfad2b768cf77d70e7de0d3291d0e5274ea8a7dc69141

Analysis

max time kernel
144s
max time network
159s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
03/02/2023, 19:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Slither x32y 64/Slither.exe
Size

1.1MB
MD5

8b6e003d671e43521c29e447c3c7e270
SHA1

b6019a010a50bca81b8d3baeb5516fde6397f44d
SHA256

0930fd18d2ab158561841531784ae14f7681020e01320239ef0603bab1db4b30
SHA512

26cad28f330201fe6471d2016f8aab66e7e18acf423b1c616fa1be5db8cf6c198d63db4b9584c3f6051fcd59b29b97e63ab37e6ddd548933ad174b2bfa2cc613
SSDEEP

24576:RhbjXbCjgIv4An+9LPiG0WBliA/DKZvCbD1gG5:fbXCj6AWPiY2A/DKZabRj5

Score

7^/10

spyware stealer

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	Slither.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4604	Slither.exe
4604	Slither.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4604	Slither.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 4604 wrote to memory of 1436	4604	Slither.exe	80
PID 4604 wrote to memory of 1436	4604	Slither.exe	80
PID 4604 wrote to memory of 1436	4604	Slither.exe	80
PID 4604 wrote to memory of 3960	4604	Slither.exe	84
PID 4604 wrote to memory of 3960	4604	Slither.exe	84
PID 4604 wrote to memory of 3960	4604	Slither.exe	84
PID 4604 wrote to memory of 5108	4604	Slither.exe	85
PID 4604 wrote to memory of 5108	4604	Slither.exe	85
PID 4604 wrote to memory of 5108	4604	Slither.exe	85
PID 4604 wrote to memory of 3616	4604	Slither.exe	86
PID 4604 wrote to memory of 3616	4604	Slither.exe	86
PID 4604 wrote to memory of 3616	4604	Slither.exe	86
PID 4604 wrote to memory of 4448	4604	Slither.exe	88
PID 4604 wrote to memory of 4448	4604	Slither.exe	88
PID 4604 wrote to memory of 4448	4604	Slither.exe	88
PID 4604 wrote to memory of 3032	4604	Slither.exe	93
PID 4604 wrote to memory of 3032	4604	Slither.exe	93
PID 4604 wrote to memory of 3032	4604	Slither.exe	93

C:\Users\Admin\AppData\Local\Temp\Slither x32y 64\Slither.exe
"C:\Users\Admin\AppData\Local\Temp\Slither x32y 64\Slither.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4604
- C:\Users\Admin\AppData\Local\Temp\Slither x32y 64\Slither.exe
  "C:\Users\Admin\AppData\Local\Temp\Slither x32y 64\Slither.exe" --type=crashpad-handler /prefetch:7 --no-rate-limit --database=C:\Users\Admin\AppData\Local\Crashpad --annotation=channel= --annotation=plat=Win32 --annotation=prod=nwjs --annotation=ver=-devel --handshake-handle=0x1e0
  2⤵
  PID:1436
- C:\Users\Admin\AppData\Local\Temp\Slither x32y 64\Slither.exe
  "C:\Users\Admin\AppData\Local\Temp\Slither x32y 64\Slither.exe" --type=gpu-process --channel="4604.0.2087959170\1840773368" --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Slither.io\User Data" --disable-breakpad --supports-dual-gpus=false --gpu-driver-bug-workarounds=3,11,25,54 --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor=Microsoft --gpu-driver-version=10.0.19041.868 --user-data-dir="C:\Users\Admin\AppData\Local\Slither.io\User Data" /prefetch:2
  2⤵
  PID:3960
- C:\Users\Admin\AppData\Local\Temp\Slither x32y 64\Slither.exe
  "C:\Users\Admin\AppData\Local\Temp\Slither x32y 64\Slither.exe" --type=utility --channel="4604.1.1818182238\1127255955" --lang=en-US --no-sandbox --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Slither.io\User Data" /prefetch:8
  2⤵
  PID:5108
- C:\Users\Admin\AppData\Local\Temp\Slither x32y 64\Slither.exe
  "C:\Users\Admin\AppData\Local\Temp\Slither x32y 64\Slither.exe" --type=renderer --no-sandbox --enable-features=AutomaticTabDiscarding<AutomaticTabDiscarding --lang=en-US --force-fieldtrials=*AsyncSetAsDefault/Enabled/AutofillClassifier/Enabled/AutofillFieldMetadata/Enabled/AutofillProfileOrderByFrecency/EnabledLimitTo3/*AutomaticTabDiscarding/Enabled_Once/*BrowserBlacklist/Enabled/CaptivePortalInterstitial/Enabled/ChildAccountDetection/Disabled/ChromeDashboard/Enabled/ChromotingQUIC/Enabled/*DataReductionProxyConfigService/Enabled/EnableGoogleCachedCopyTextExperiment/Button/EnableSessionCrashedBubbleUI/Enabled/*ExtensionActionRedesign/Enabled/ExtensionContentVerification/Enforce/ExtensionInstallVerification/Enforce/GoogleNow/Enable/IconNTP/Default/InstanceID/Enabled/IntelligentSessionRestore/Enabled/MaterialDesignDownloads/Enabled/*NetworkQualityEstimator/Enabled/*NewProfileManagement/Enabled/PasswordBranding/SmartLockBrandingSavePromptOnly/PasswordGeneration/Disabled/*QUIC/Enabled/RefreshTokenDeviceId/Enabled/ReportCertificateErrors/ShowAndPossiblySend/SRTPromptFieldTrial/On/SafeBrowsingReportPhishingErrorLink/Enabled/SafeBrowsingUnverifiedDownloads/DisableByParameterExe/SafeBrowsingUpdateFrequency/UpdateTime15m/SdchPersistence/Enabled/*SettingsEnforcement/enforce_always_with_extensions_and_dse/SpdyEnableDependencies/Enable/StrictSecureCookies/Enabled/SyncHttpContentCompression/Enabled/TabSyncByRecency/Enabled/*TriggeredResetFieldTrial/On/UseDelayAgnosticAEC/DefaultEnabled/VarationsServiceControl/Interval_30min/WebFontsIntervention/Enabled/WebRTC-LocalIPPermissionCheck/Enabled/WebRTC-PeerConnectionDTLS1.2/Enabled/ --user-data-dir="C:\Users\Admin\AppData\Local\Slither.io\User Data" --nwjs --extension-process --enable-webrtc-hw-h264-encoding --disable-client-side-phishing-detection --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --content-image-texture-target=3553,3553,3553,3553,3553,3553,3553,3553,3553,3553,3553,3553,3553,3553 --video-image-texture-target=3553 --channel="4604.2.1710230512\1169204639" /prefetch:1
  2⤵
  PID:3616
- C:\Users\Admin\AppData\Local\Temp\Slither x32y 64\Slither.exe
  "C:\Users\Admin\AppData\Local\Temp\Slither x32y 64\Slither.exe" --type=utility --channel="4604.3.1805491493\935313884" --lang=en-US --no-sandbox --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Slither.io\User Data" /prefetch:8
  2⤵
  PID:4448
- C:\Users\Admin\AppData\Local\Temp\Slither x32y 64\Slither.exe
  "C:\Users\Admin\AppData\Local\Temp\Slither x32y 64\Slither.exe" --type=utility --channel="4604.4.828598132\68389865" --lang=en-US --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Slither.io\User Data" /prefetch:8
  2⤵
  PID:3032

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Crashpad\settings.dat

Filesize
40B

MD5
758a4fb54fcea2f76d7e615340cc54ce

SHA1
94d8cf55c626b457aee5f76758066bf2615c4695

SHA256
acee5a9462b1793fdba470a3ca68740fa51ea96de0efa5e5a1686ac5a87c86bc

SHA512
c4c7069f517792d3358afca66e24f7cb314443d55e667c8405c43618c2d131f96a509d05061a802fd310ef1ca92e377054bfc2cc408c71329961ed817c401a5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Slither x32y 64\debug.log

Filesize
271B

MD5
f3d81cae65f7f1e316792ad1df92891e

SHA1
6b41cab5c0889c669a61224c2ba87334b143e12c

SHA256
3b5e8f828ca83fa7b1196c8885a0607ac048dba512e089bf1c2aea2dd9bcfe07

SHA512
f8569cc905e03a5de7f0a693fde1a53a87d8804de357ee0790f6aad04d2960aedb7128674197745ab01d17bf1a915f90fdc1f0da1f1b1bd4d29bd13e242da226

Download Submit
C:\Users\Admin\AppData\Local\Temp\Slither x32y 64\debug.log

Filesize
351B

MD5
49b0f207140b9c27cf46aa62523a8529

SHA1
57d2b2d4bcc3a8745ef16697978058cf9175d3ce

SHA256
5ef41b86dad8a782ffb9e7e9c18207561e88f93e22ddfa6b6765bf5ffe447c95

SHA512
5347b023dedfd3f7a6fd232edea87dcfd0e631ef2224d2b62ca69d67a7ab217131679ddbe6aecce2691cc86560023a0e7f2afa0b6a1b31250327715eef2ee245

Download Submit
C:\Users\Admin\AppData\Local\Temp\Slither x32y 64\debug.log

Filesize
431B

MD5
c9542035137930d0db185e1c5ffe4701

SHA1
79d06e8b17a2736133edec956864693454decd9f

SHA256
996242d52739b9c19f1ab90ff27ef9483fe041c46bc1f5bf90e1a9058223d74c

SHA512
8527670fade4800f8084ca8846be722b11d35be18d429924b413cbcbdefe1b4008c2c66dce218420051c017c2f4bc97f644c48ecb0ab45ed64d24c91eca46d26

Download Submit