Analysis
- max time kernel: 142s
- max time network: 127s
- platform: windows10-2004_x64
- resource: win10v2004-20230220-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 28-03-2023 06:29

Static task: static1
Behavioral task: behavioral1
- Sample: f1a4fd0ba166dd905af0029c7f759f23c52481e050fa067d4a8ac6866d71090d.exe
- Resource: win10v2004-20230220-en
General
- Target: f1a4fd0ba166dd905af0029c7f759f23c52481e050fa067d4a8ac6866d71090d.exe
- Size: 284KB
- MD5: 3d5458f26b59708a5d0da5567189aa41
- SHA1: 826bcb30b6bb04c549caf271b447710b015e316f
- SHA256: f1a4fd0ba166dd905af0029c7f759f23c52481e050fa067d4a8ac6866d71090d
- SHA512: 205741a7c70a90bdaf955c083d65a54776fa62b1af6714ecd902a0c5f9b3fbc804675d96e582b35990b18f5b22ac78d3e050ac2496b8d4512a350b8cbb9dd465
- SSDEEP: 6144:vYa6clQizg+ll2N9cdRVmBuYiqOhhePDmRq3KvFAq+q9Wi:vYa9DlUcdFqOhAPa3A1q9Wi
Malware Config

Signatures
- Snake Keylogger
  Keylogger and Infostealer first seen in November 2020.
- Snake Keylogger payload (6 IoCs)
  Processes:
  resource | yara_rule
  behavioral1/memory/3292-145-0x0000000000400000-0x0000000000437000-memory.dmp | family_snakekeylogger
  behavioral1/memory/3292-143-0x0000000000400000-0x0000000000437000-memory.dmp | family_snakekeylogger
  behavioral1/memory/3292-141-0x0000000000400000-0x0000000000437000-memory.dmp | family_snakekeylogger
  behavioral1/memory/3292-149-0x0000000000400000-0x0000000000437000-memory.dmp | family_snakekeylogger
  behavioral1/memory/3292-152-0x0000000004A70000-0x0000000004A80000-memory.dmp | family_snakekeylogger
  behavioral1/memory/3292-160-0x0000000004A70000-0x0000000004A80000-memory.dmp | family_snakekeylogger
- Executes dropped EXE (2 IoCs)
  Processes: fzutvwnon.exe, fzutvwnon.exe
  pid | process
  2376 | fzutvwnon.exe
  3292 | fzutvwnon.exe
- Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.
- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk where infostealers will often target it.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses Microsoft Outlook profiles (1 TTPs, 3 IoCs)
  Processes: fzutvwnon.exe
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | fzutvwnon.exe
  Key opened | \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | fzutvwnon.exe
  Key opened | \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | fzutvwnon.exe
- Looks up external IP address via web service (1 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes:
  flow | ioc
  14 | checkip.dyndns.org
- Suspicious use of SetThreadContext (1 IoCs)
  Processes: fzutvwnon.exe
  description | pid | process | target process
  PID 2376 set thread context of 3292 | 2376 | fzutvwnon.exe | fzutvwnon.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes: fzutvwnon.exe
  pid | process
  3292 | fzutvwnon.exe
  3292 | fzutvwnon.exe
- Suspicious behavior: MapViewOfSection (1 IoCs)
  Processes: fzutvwnon.exe
  pid | process
  2376 | fzutvwnon.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes: fzutvwnon.exe
  description | pid | process
  Token: SeDebugPrivilege | 3292 | fzutvwnon.exe
- Suspicious use of WriteProcessMemory (7 IoCs)
  Processes: f1a4fd0ba166dd905af0029c7f759f23c52481e050fa067d4a8ac6866d71090d.exe, fzutvwnon.exe
  description | pid | process | target process
  PID 4896 wrote to memory of 2376 | 4896 | f1a4fd0ba166dd905af0029c7f759f23c52481e050fa067d4a8ac6866d71090d.exe | fzutvwnon.exe
  PID 4896 wrote to memory of 2376 | 4896 | f1a4fd0ba166dd905af0029c7f759f23c52481e050fa067d4a8ac6866d71090d.exe | fzutvwnon.exe
  PID 4896 wrote to memory of 2376 | 4896 | f1a4fd0ba166dd905af0029c7f759f23c52481e050fa067d4a8ac6866d71090d.exe | fzutvwnon.exe
  PID 2376 wrote to memory of 3292 | 2376 | fzutvwnon.exe | fzutvwnon.exe
  PID 2376 wrote to memory of 3292 | 2376 | fzutvwnon.exe | fzutvwnon.exe
  PID 2376 wrote to memory of 3292 | 2376 | fzutvwnon.exe | fzutvwnon.exe
  PID 2376 wrote to memory of 3292 | 2376 | fzutvwnon.exe | fzutvwnon.exe
- outlook_office_path (1 IoCs)
  Processes: fzutvwnon.exe
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | fzutvwnon.exe
- outlook_win_path (1 IoCs)
  Processes: fzutvwnon.exe
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | fzutvwnon.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\f1a4fd0ba166dd905af0029c7f759f23c52481e050fa067d4a8ac6866d71090d.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\f1a4fd0ba166dd905af0029c7f759f23c52481e050fa067d4a8ac6866d71090d.exe"
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\fzutvwnon.exe (depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\fzutvwnon.exe" C:\Users\Admin\AppData\Local\Temp\amhfv.r
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\fzutvwnon.exe (depth 3)
      Command line: "C:\Users\Admin\AppData\Local\Temp\fzutvwnon.exe"
      - Executes dropped EXE
      - Accesses Microsoft Outlook profiles
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - outlook_office_path
      - outlook_win_path
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\amhfv.r
  Filesize: 6KB
  MD5: 5385c914ba21e2acd3ed22e8e8cb531d
  SHA1: 41af2470ddf143003b0a5e7e30228bb2925053d0
  SHA256: ed30c27eb637febd67dc4c5ae3714e88f12b0871543d774ae9ce64f4fb4c36fd
  SHA512: 1fa6c8c7dd10ef32882568f157aa410674dd86981205393df30f055fb755d7dc07364016d44e5e636befeb32258020cd16288fac863e6acdca6c00c032ac8238
- C:\Users\Admin\AppData\Local\Temp\fzutvwnon.exe
  Filesize: 138KB
  MD5: 5ae5136cf30b0ac8348fd79052c86b0c
  SHA1: 0db2a625e6e7ebdcee5cd3c5cbe583d56bb236ea
  SHA256: a59f2e2032ab0c2c6ced4498f8d88c50b3a7d677b7cb977fb3fcca6838ebef1e
  SHA512: 86444ede91ad600a9943b1bc42a670d2f2a874c1a99d32fb83c851c219ca23e2f2c1ecc896c295b2af970392cca72d2406ff2a006e7333120308737e61ba76b9
- C:\Users\Admin\AppData\Local\Temp\ujutoge.pl
  Filesize: 225KB
  MD5: ac99a9fb725cf4377037eb3a4f9c6990
  SHA1: 015488a0284f3141ee2a22cfff267fa330f07a9f
  SHA256: dc05a51ed6fde34cb631f3cc1a61762cb165f86e0b8db5f66db455cd8d9ce78c
  SHA512: 4578355428502a2798a252de5c0b70f0a4598902c3be1732fe7c54ae13a4f4f24c3cb72fcf5b04ac5ae3bf7cf00a2280f73135dcbd8dcb4bc315d8ef02ed55dc
- memory/2376-158-0x00000000006C0000-0x00000000006C2000-memory.dmp
  Filesize: 8KB
- memory/2376-144-0x00000000006C0000-0x00000000006C2000-memory.dmp
  Filesize: 8KB
- memory/3292-150-0x0000000004A70000-0x0000000004A80000-memory.dmp
  Filesize: 64KB
- memory/3292-154-0x0000000005C90000-0x0000000005E52000-memory.dmp
  Filesize: 1.8MB
- memory/3292-147-0x0000000004A80000-0x0000000005024000-memory.dmp
  Filesize: 5.6MB
- memory/3292-148-0x0000000004980000-0x0000000004A1C000-memory.dmp
  Filesize: 624KB
- memory/3292-149-0x0000000000400000-0x0000000000437000-memory.dmp
  Filesize: 220KB
- memory/3292-143-0x0000000000400000-0x0000000000437000-memory.dmp
  Filesize: 220KB
- memory/3292-151-0x0000000004A70000-0x0000000004A80000-memory.dmp
  Filesize: 64KB
- memory/3292-152-0x0000000004A70000-0x0000000004A80000-memory.dmp
  Filesize: 64KB
- memory/3292-153-0x0000000004A70000-0x0000000004A80000-memory.dmp
  Filesize: 64KB
- memory/3292-141-0x0000000000400000-0x0000000000437000-memory.dmp
  Filesize: 220KB
- memory/3292-155-0x0000000005E60000-0x0000000005EF2000-memory.dmp
  Filesize: 584KB
- memory/3292-156-0x0000000005F70000-0x0000000005F7A000-memory.dmp
  Filesize: 40KB
- memory/3292-145-0x0000000000400000-0x0000000000437000-memory.dmp
  Filesize: 220KB
- memory/3292-159-0x0000000004A70000-0x0000000004A80000-memory.dmp
  Filesize: 64KB
- memory/3292-160-0x0000000004A70000-0x0000000004A80000-memory.dmp
  Filesize: 64KB
- memory/3292-161-0x0000000004A70000-0x0000000004A80000-memory.dmp
  Filesize: 64KB
- memory/3292-162-0x0000000004A70000-0x0000000004A80000-memory.dmp
  Filesize: 64KB