Analysis
max time kernel: 151s
max time network: 156s
platform: windows7_x64
resource: win7-20220901-en
resource tags: arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
submitted: 10-02-2023 10:09
Static task: static1
Behavioral task behavioral1: sample "BELL210 AND ALLOUETTE III.js", resource win7-20220901-en
Behavioral task behavioral2: sample "BELL210 AND ALLOUETTE III.js", resource win10v2004-20220901-en
(The signatures, process tree and memory dumps below come from the Windows 7 x64 run, behavioral1.)
General
Target: BELL210 AND ALLOUETTE III.js
Size: 8.8MB
MD5: dfb37335684d81ea565f5281c9a799e4
SHA1: ba58fc83b2a10b111c6db6ae31ee03cfd201b8fc
SHA256: e5a333dae12ac8664bcc0bd12b991ec8095256e4aaf15f6afeb5b014e70146ed
SHA512: e055886a61b86402a3ed136fa33bda70106b6904e4c2b4a6b1f685923c281f2f1a66ee1dea0f589f7b0de52498d40b56825a892c09effbbabd527bd72825433b
SSDEEP (truncated in the report): 3072:AiePnmJZBc9hVWQlxlclBwd0PGGGUSJREQX4ULG9LbuewHVP3eJuR0RfuzkQYhsY:V
Malware Config
Extracted family: snakekeylogger
C2: https://api.telegram.org/bot5958393772:AAGyX-afxRqNUOVdPT528XtfkgekWKm1kNE/sendMessage?chat_id=1407227065
The C2 is the Telegram Bot API sendMessage endpoint. The bot token (the part after /bot) and the destination chat_id are both embedded in the URL, so this single string identifies the operator's exfiltration channel; treat the token as a live credential and the chat_id as the receiving account.
Signatures

Snake Keylogger
Keylogger and Infostealer first seen in November 2020.

Snake Keylogger payload (8 IoCs)
resource                                                                    yara_rule
C:\Users\Admin\AppData\Roaming\DUTYGRACE1.exe (reported 2 times)            family_snakekeylogger
behavioral1/memory/536-60-0x00000000003D0000-0x00000000003F6000-memory.dmp  family_snakekeylogger
\Users\Admin\AppData\Roaming\DUTYGRACE1.exe (reported 5 times)              family_snakekeylogger
Blocklisted process makes network request (15 IoCs)
process      pid   flows
wscript.exe  1064  5, 8, 9, 11, 13, 14, 16, 17, 18, 20, 21, 22, 24, 25, 26
Drops startup file (2 IoCs)
description                   ioc                                                                                          process
File created                  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\QBFewEVTLk.js  wscript.exe
File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\QBFewEVTLk.js  wscript.exe

Executes dropped EXE (1 IoC)
process         pid
DUTYGRACE1.exe  536

Loads dropped DLL (5 IoCs)
process       pid
WerFault.exe  1980 (reported 5 times; this is the crash handler spawned for PID 536, see "Program crash" below)
Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
flow  ioc
6     checkip.dyndns.org
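As an added example (not part of the sandbox report, and not code from the sample's authors or the sandbox vendor), the following Python turns the extracted Telegram C2 URL from the Malware Config section and the checkip.dyndns.org lookup above into network detection logic: it parses the bot token and chat_id out of the URL, produces a defanged form that omits the secret, and runs the same patterns over a few proxy log lines. The log line format, the process names on those lines and the getMe request are constructed for the example; the bot id, secret and chat_id are exactly the ones the sandbox extracted.

```python
"""Network-side triage of the configuration extracted from this sample.

Added example, not part of the original sandbox report. It parses the
Telegram Bot API URL the sandbox extracted, produces a defanged form for
sharing, and runs the same patterns over constructed proxy log lines so
that the Telegram exfil channel and the checkip.dyndns.org lookup can be
spotted in traffic. The log line format below is invented.
"""
import re
from urllib.parse import urlparse, parse_qs

# The C2 URL exactly as the sandbox extracted it from the sample.
EXTRACTED_C2 = ("https://api.telegram.org/bot5958393772:"
                "AAGyX-afxRqNUOVdPT528XtfkgekWKm1kNE/sendMessage?chat_id=1407227065")

# Bot API paths look like /bot<numeric id>:<secret>/<method>. The secret
# is 35 characters in the tokens Telegram issues at the time of writing.
TELEGRAM_RE = re.compile(
    r"https?://api\.telegram\.org/bot(?P<bot_id>\d+):"
    r"(?P<secret>[A-Za-z0-9_-]{35})/(?P<method>\w+)")
# Methods that push data to the operator: these are the exfil calls.
EXFIL_METHODS = {"sendMessage", "sendDocument", "sendPhoto"}
# IP-lookup service seen in this report; extend from your own telemetry.
IP_LOOKUP_HOSTS = {"checkip.dyndns.org"}


def parse_telegram_c2(url):
    """Split a Telegram Bot API URL into bot id, method, chat_id and a
    defanged string that omits the secret. Returns None for other URLs."""
    m = TELEGRAM_RE.match(url)
    if not m:
        return None
    chat_id = parse_qs(urlparse(url).query).get("chat_id", [None])[0]
    return {
        "bot_id": m.group("bot_id"),
        "method": m.group("method"),
        "chat_id": chat_id,
        # Safe to paste into a ticket: the token secret is not reproduced.
        "defanged": f"hxxps://api[.]telegram[.]org/bot{m.group('bot_id')}"
                    f":<secret>/{m.group('method')}",
    }


def classify_url(url):
    """Return a verdict string for one requested URL, or None if benign."""
    c2 = parse_telegram_c2(url)
    if c2:
        return "telegram_exfil" if c2["method"] in EXFIL_METHODS else "telegram_bot_api"
    if urlparse(url).hostname in IP_LOOKUP_HOSTS:
        return "external_ip_lookup"
    return None


# Constructed proxy log, one request per line: "<pid> <image> <method> <url>".
PROXY_LOG = [
    "536 DUTYGRACE1.exe GET http://checkip.dyndns.org/",
    "536 DUTYGRACE1.exe POST " + EXTRACTED_C2,
    "2044 chrome.exe GET https://www.example.com/",
    "2044 curl.exe GET https://api.telegram.org/bot5958393772:"
    "AAGyX-afxRqNUOVdPT528XtfkgekWKm1kNE/getMe",
]


def scan_proxy_log(lines):
    """Return [(pid, image, verdict), ...] for the lines that match a rule."""
    hits = []
    for line in lines:
        pid, image, _http_method, url = line.split(" ", 3)
        verdict = classify_url(url)
        if verdict:
            hits.append((pid, image, verdict))
    return hits


if __name__ == "__main__":
    print(parse_telegram_c2(EXTRACTED_C2)["defanged"])
    for hit in scan_proxy_log(PROXY_LOG):
        print(hit)
```

The defanged form keeps the numeric bot id (enough to correlate sightings across reports) and drops the secret, which is the part that would let anyone who reads the ticket read the victim data the bot receives. The `telegram_bot_api` verdict is lower severity than `telegram_exfil`; a `getMe` or `getUpdates` from an endpoint is still worth a look, since ordinary Telegram clients do not use the `/bot<token>/` path.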
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). The sandbox's generic description for this signature calls it likely ransomware behaviour; for this sample, which is classified as Snake Keylogger (a keylogger/infostealer) and for which no file encryption is reported, treat that hint as a generic signature note rather than a finding about the sample.
Program crash (1 IoC)
process       pid   target process  pid_target
WerFault.exe  1980  DUTYGRACE1.exe  536

Suspicious behavior: EnumeratesProcesses (1 IoC)
process         pid
DUTYGRACE1.exe  536

Suspicious use of AdjustPrivilegeToken (1 IoC)
description              pid  process
Token: SeDebugPrivilege  536  DUTYGRACE1.exe

Suspicious use of WriteProcessMemory (11 IoCs)
pid   process         target pid  target process  count
1284  wscript.exe     1064        wscript.exe     3
1284  wscript.exe     536         DUTYGRACE1.exe  4
536   DUTYGRACE1.exe  1980        WerFault.exe    4
Processes (PIDs taken from the signature tables above)

C:\Windows\system32\wscript.exe (PID 1284)
  wscript.exe "C:\Users\Admin\AppData\Local\Temp\BELL210 AND ALLOUETTE III.js"
  - Suspicious use of WriteProcessMemory

  C:\Windows\System32\wscript.exe (PID 1064)
    "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\QBFewEVTLk.js"
    - Blocklisted process makes network request
    - Drops startup file

  C:\Users\Admin\AppData\Roaming\DUTYGRACE1.exe (PID 536)
    "C:\Users\Admin\AppData\Roaming\DUTYGRACE1.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\WerFault.exe (PID 1980)
      C:\Windows\SysWOW64\WerFault.exe -u -p 536 -s 1104
      - Loads dropped DLL
      - Program crash
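The process tree above is the whole dropper chain: the sample copies itself to AppData\Roaming as QBFewEVTLk.js, relaunches that copy silently with wscript //B, writes a copy into the per-user Startup folder for persistence, and starts the Snake Keylogger payload DUTYGRACE1.exe from the same Roaming directory. As an added example (not part of the report, and not vendor or sample code), the following Python runs three host-side rules over constructed Sysmon-style process and file events modelled on that tree, then walks parent PIDs so the three hits are grouped under the one root script host. The event schema, the benign control event and the parent PID 900 are invented for the example; the images, command lines, PIDs and paths match the report.

```python
"""Host-side detection of the dropper chain shown in this report.

Added example, not part of the original sandbox report. It runs three
rules over constructed, Sysmon-style process and file events modelled on
the report's process tree (PIDs 1284, 1064, 536, 1980) and correlates the
hits back to the root script host so that three medium-confidence signals
become one alert. The event schema is invented for the example.
"""
import re

SCRIPT_HOSTS = ("\\wscript.exe", "\\cscript.exe")
# wscript //B (or /B) suppresses script errors and prompts: a "silent" run.
SILENT_FLAG_RE = re.compile(r"(^|\s)//?b(\s|$)", re.I)
ROAMING_RE = re.compile(r"\\AppData\\Roaming\\", re.I)
STARTUP_SCRIPT_RE = re.compile(
    r"\\Start Menu\\Programs\\Startup\\[^\\]+\.(js|jse|vbs|vbe|wsf|hta)$", re.I)

# Constructed events. ppid 900 (explorer.exe) and the last, benign event are
# invented; everything else mirrors the report's process tree.
EVENTS = [
    {"type": "process", "pid": 1284, "ppid": 900,
     "image": r"C:\Windows\system32\wscript.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r'wscript.exe "C:\Users\Admin\AppData\Local\Temp\BELL210 AND ALLOUETTE III.js"'},
    {"type": "process", "pid": 1064, "ppid": 1284,
     "image": r"C:\Windows\System32\wscript.exe",
     "parent_image": r"C:\Windows\system32\wscript.exe",
     "cmdline": r'"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\QBFewEVTLk.js"'},
    {"type": "file", "pid": 1064,
     "target": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\QBFewEVTLk.js"},
    {"type": "process", "pid": 536, "ppid": 1284,
     "image": r"C:\Users\Admin\AppData\Roaming\DUTYGRACE1.exe",
     "parent_image": r"C:\Windows\system32\wscript.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Roaming\DUTYGRACE1.exe"'},
    {"type": "process", "pid": 1980, "ppid": 536,
     "image": r"C:\Windows\SysWOW64\WerFault.exe",
     "parent_image": r"C:\Users\Admin\AppData\Roaming\DUTYGRACE1.exe",
     "cmdline": r"C:\Windows\SysWOW64\WerFault.exe -u -p 536 -s 1104"},
    # Benign control: an admin script from Program Files, no //B, no Roaming.
    {"type": "process", "pid": 2000, "ppid": 900,
     "image": r"C:\Windows\System32\wscript.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r'wscript.exe "C:\Program Files\Vendor\maint.js"'},
]


def is_script_host(image):
    return image.lower().endswith(SCRIPT_HOSTS)


def rule_silent_script_from_roaming(ev):
    """wscript/cscript launched with //B on a script under AppData\\Roaming."""
    return (ev["type"] == "process" and is_script_host(ev["image"])
            and SILENT_FLAG_RE.search(ev["cmdline"]) is not None
            and ROAMING_RE.search(ev["cmdline"]) is not None)


def rule_script_host_spawns_roaming_exe(ev):
    """A script host starts an .exe that lives under AppData\\Roaming."""
    return (ev["type"] == "process" and is_script_host(ev["parent_image"])
            and ev["image"].lower().endswith(".exe")
            and ROAMING_RE.search(ev["image"]) is not None)


def rule_startup_script_dropped(ev):
    """A script file is written into the per-user Startup folder."""
    return ev["type"] == "file" and STARTUP_SCRIPT_RE.search(ev["target"]) is not None


RULES = {
    "silent_script_from_roaming": rule_silent_script_from_roaming,
    "script_host_spawns_roaming_exe": rule_script_host_spawns_roaming_exe,
    "startup_script_dropped": rule_startup_script_dropped,
}


def evaluate(events):
    """Return [(rule_name, pid), ...] in event order."""
    return [(name, ev["pid"]) for ev in events
            for name, rule in RULES.items() if rule(ev)]


def infection_roots(hits, events):
    """Walk ppid links to the oldest ancestor present in the event set and
    group the rule names that fired under that root pid."""
    parent_of = {ev["pid"]: ev["ppid"] for ev in events if ev["type"] == "process"}
    roots = {}
    for name, pid in hits:
        root = pid
        while parent_of.get(root) in parent_of:
            root = parent_of[root]
        roots.setdefault(root, set()).add(name)
    return roots


if __name__ == "__main__":
    hits = evaluate(EVENTS)
    for hit in hits:
        print(hit)
    print(infection_roots(hits, EVENTS))
```

Each rule on its own is noisy enough to page on with care (installers do write to Startup, and some software does live in Roaming); the value is in `infection_roots`, which shows that all three fired under the same wscript.exe ancestor, PID 1284, while the benign maintenance script produced nothing. WerFault.exe is deliberately not matched: it is the crash handler the report shows for PID 536, not a stage of the chain.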
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\Roaming\DUTYGRACE1.exe (reported 2 times)
Filesize: 127KB
MD5: 0f6feb76652ce94eb9f69ca25996ff0c
SHA1: 30aef62f9aeff234e5a751bb7bcdd91f90edbefb
SHA256: 2b73794839ef377a2a8bc67263a2b706cec30ac5d90cdf372ee2eaeeb0eb4bc7
SHA512: 910c17a265a8ce17c6f4798fd70be17cc2089e9b84435e408ed6886cee3b699013b27d42d3a91eddb0c9acb648f1b0f3f4c1521bdaa1cf63f7454349d100da62

C:\Users\Admin\AppData\Roaming\QBFewEVTLk.js
Filesize: 1.1MB
MD5: 893f41a7e7737649381e8f4992a1dff6
SHA1: 2b3c8f5cd84b1f4ef28568fe9b45ed5f86144ab4
SHA256: 71ace751f1e01a97aa5fef9ac924d0f2c6aeb7b1788d25ea47e069b13c0b85a3
SHA512: 1145852ccc47ba5f608fbb771b01623cb2dd74d64a34e0cd8e29647fa3c34f8bbaa456c29d0fe906aa85899fd8d2eae46fb32e65e9e11586c1e11bfd9944834f

\Users\Admin\AppData\Roaming\DUTYGRACE1.exe (reported 5 times; same file as the C:\Users\Admin\AppData\Roaming\DUTYGRACE1.exe entry above)
Filesize: 127KB
MD5: 0f6feb76652ce94eb9f69ca25996ff0c
SHA1: 30aef62f9aeff234e5a751bb7bcdd91f90edbefb
SHA256: 2b73794839ef377a2a8bc67263a2b706cec30ac5d90cdf372ee2eaeeb0eb4bc7
SHA512: 910c17a265a8ce17c6f4798fd70be17cc2089e9b84435e408ed6886cee3b699013b27d42d3a91eddb0c9acb648f1b0f3f4c1521bdaa1cf63f7454349d100da62

memory/536-57-0x0000000000000000-mapping.dmp
memory/536-60-0x00000000003D0000-0x00000000003F6000-memory.dmp (Filesize: 152KB; this is the region the family_snakekeylogger YARA rule matched)
memory/536-62-0x0000000075931000-0x0000000075933000-memory.dmp (Filesize: 8KB)
memory/1064-55-0x0000000000000000-mapping.dmp
memory/1284-54-0x000007FEFB621000-0x000007FEFB623000-memory.dmp (Filesize: 8KB)
memory/1980-63-0x0000000000000000-mapping.dmp