Analysis
-
max time kernel
81s -
max time network
142s -
platform
windows7_x64 -
resource
win7-20230220-en -
resource tags
-
submitted
27-03-2023 13:29
General
-
Target
MSDS.exe
-
Size
757KB
-
MD5
384a95dec71c1e1ed31fdc9ad73a2cc9
-
SHA1
2a8ac435a88370321fed8c1b926c2a0776432390
-
SHA256
85ba590703be8d34e03c30174d9998a460e19344f4fadcd85e964a7f3d8a03e3
-
SHA512
9f7e80ae4ae33cdd7c35cf4c1da08640cd83156628a9f8222fe58884366b79e42cad4798826076506ad2aa3fff3462ef0c577e52f955baec453807e8fde49297
-
SSDEEP
12288:FA5CB0OOJBefPNJSigcqFEVSKyZXV+U2KhMLKnVexXXEnMuI0jtARUiIMso+aSrp:FA5aIJBefPn66vIMZLKnYXVuyRHa1D
Malware Config
Extracted
snakekeylogger
Protocol: smtp- Host:
valleycountysar.org - Port:
26 - Username:
[email protected] - Password:
}eQA)VL2!$V}
Signatures
-
Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
-
Snake Keylogger payload 6 IoCs
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 7 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of WriteProcessMemory 21 IoCs
-
outlook_office_path 1 IoCs
-
outlook_win_path 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\MSDS.exe"C:\Users\Admin\AppData\Local\Temp\MSDS.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\qjpslZJuuhF.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qjpslZJuuhF" /XML "C:\Users\Admin\AppData\Local\Temp\tmpBF98.tmp"2⤵
- Creates scheduled task(s)
-
-
C:\Users\Admin\AppData\Local\Temp\MSDS.exe"C:\Users\Admin\AppData\Local\Temp\MSDS.exe"2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\MSDS.exe"C:\Users\Admin\AppData\Local\Temp\MSDS.exe"2⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD5743c91dc72946770bcc84f3aeb6868f1
SHA1e17dfd072da70b8a4a006287b3984744ce0887b8
SHA256e168dd2584cbe5752c62ff43cbf8feb590c94d8af79c7958bd643eca11a8187a
SHA512b112ccaeff4c6608e5b3f7975740cd95034f7f115960e7963a7467205db137673986d2b6e338187e68ae2944b0b5c3d8e4c23ed0937c6afb77c08d7151f24903
-
Filesize
4KB
-
Filesize
152KB
-
Filesize
152KB
-
Filesize
152KB
-
Filesize
152KB
-
Filesize
152KB
-
Filesize
152KB
-
Filesize
152KB
-
Filesize
256KB
-
Filesize
648KB
-
Filesize
160KB
-
Filesize
128KB
-
Filesize
776KB
-
Filesize
256KB
-
Filesize
48KB
-
Filesize
256KB