Analysis

  • max time kernel
    43s
  • max time network
    46s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
  • submitted
    16/02/2023, 07:26

General

  • Target

    Fatura_SUN2023000003827.exe

  • Size

    448KB

  • MD5

    04cc0750fc2e0ff6e81b4530e940f512

  • SHA1

    82127102bb8725405d9416293fb2496c7c9d8b3e

  • SHA256

    554fcafce29b66cc2dd33cff1e49f7d2c45f4e154c1f08bcb15d5aae3ad4ec1c

  • SHA512

    b14cc7f0dbbc91ca295d80b471ea438854394189bafae9e4a8356674b0fa7cfe0254c0db7dd3181b95227b75d0be1cd63e54c8e4169d13b63379165622a7e07b

  • SSDEEP

    6144:SYa6H/tW0PDPehrAG+7OELO94O7CQDmwv8bi/:SYd/ttLP0ri7OwO9zC4tUa

Malware Config

Signatures

  • Snake Keylogger

    Keylogger and Infostealer first seen in November 2020.

  • Snake Keylogger payload 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Fatura_SUN2023000003827.exe
    "C:\Users\Admin\AppData\Local\Temp\Fatura_SUN2023000003827.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:2016
    • C:\Users\Admin\AppData\Local\Temp\oeysiffsag.exe
      "C:\Users\Admin\AppData\Local\Temp\oeysiffsag.exe" C:\Users\Admin\AppData\Local\Temp\zweecankhi.aur
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Suspicious use of SetThreadContext
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:1636
      • C:\Users\Admin\AppData\Local\Temp\oeysiffsag.exe
        "C:\Users\Admin\AppData\Local\Temp\oeysiffsag.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1744

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Local\Temp\kcvgvxaauc.r

    Filesize

    225KB

    MD5

    216590d8e7476d6fe755390ab420f9c1

    SHA1

    166a1d87e8c0edad92125eaa044bc2f3bb354447

    SHA256

    674be3f8b419d8bcc1af68d7cd82e649eccd0889a663b1d362ae622f21fd50ee

    SHA512

    cddf38fac64b98cf873046cb2210d6773e25b568803c42f5ad35e926a697b494d556dfd151ae052e23dddf80efe1f5fffb0f44a50af377ddcf18ef1de2ab50be

  • C:\Users\Admin\AppData\Local\Temp\oeysiffsag.exe

    Filesize

    127KB

    MD5

    ccccc8741100aaf54c4e0ae3940b65bc

    SHA1

    1a92fa518ae6600bcb5934eda15f8522958e73f1

    SHA256

    01d659257e1a2a88f1fa4561d691ed7faf07ca0208f5030122aa3cce58c61951

    SHA512

    7ddf1f6e058378131074ee4b83b5182c1a1e9ca9166f4d0b6d7ba48282e1e936276884e0919c7881fa000b7e81ab028ba022f9cf111bd7ffcf0103ef1208edb0

  • C:\Users\Admin\AppData\Local\Temp\zweecankhi.aur

    Filesize

    7KB

    MD5

    0e71a4312067821413f56ab62591630b

    SHA1

    7024b58142984c1e4f4dabd95f9c0fd5514c0db0

    SHA256

    ada8fd09206e747ba3f12d117d9a352043dd7abcafb4d47c71e1ce5ab6b98d4d

    SHA512

    8e6ff9104ec46bcda8034183269eb22d95aebb17578fa9f1e794327790b995185f0fb7114475081d9a576e094ae0249c431afe537e222ba6f9aca3f795df3a28

  • \Users\Admin\AppData\Local\Temp\oeysiffsag.exe

    Filesize

    127KB

    MD5

    ccccc8741100aaf54c4e0ae3940b65bc

    SHA1

    1a92fa518ae6600bcb5934eda15f8522958e73f1

    SHA256

    01d659257e1a2a88f1fa4561d691ed7faf07ca0208f5030122aa3cce58c61951

    SHA512

    7ddf1f6e058378131074ee4b83b5182c1a1e9ca9166f4d0b6d7ba48282e1e936276884e0919c7881fa000b7e81ab028ba022f9cf111bd7ffcf0103ef1208edb0

  • memory/1744-67-0x00000000002C0000-0x00000000002E6000-memory.dmp

    Filesize

    152KB

  • memory/1744-68-0x0000000000400000-0x0000000000437000-memory.dmp

    Filesize

    220KB

  • memory/2016-54-0x00000000761F1000-0x00000000761F3000-memory.dmp

    Filesize

    8KB