Analysis
- max time kernel: 141s
- max time network: 112s
- platform: windows7_x64
- resource: win7-20230220-en
- resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
- submitted: 28-03-2023 06:14
Static task: static1
Behavioral task: behavioral1
- Sample: INV-00289202.exe
- Resource: win7-20230220-en
Behavioral task: behavioral2
- Sample: INV-00289202.exe
- Resource: win10v2004-20230221-en
General
- Target: INV-00289202.exe
- Size: 289KB
- MD5: 5a1cdfd26e4afd8433348e47b287882c
- SHA1: af031bb897a71ce50907c77e2fc7518c60c80598
- SHA256: 3355b6fac696f3aad246fd34404a407dd9a7945f540537ec695bb1cb75c337c0
- SHA512: 009d9eba87e13a9b4db8ee043dbc3ac3565add30a86b7b926b911a773d6d2817a9525e9fceb5b6e330b849ebf1a0f22fb992b58a111e5833224e57ac375b853c
- SSDEEP: 6144:bYa6/lP1OjJvVJMdhINFE/MWfwfQJwwxCNfqp+a0meiesqRIvVzcc:bYllPkjVVOdhINFBk1wobvMoD
Malware Config
Extracted: snakekeylogger
https://api.telegram.org/bot6180860165:AAH5meoxRqYOnd7z0M_zkiqQ7pmOf_hbrUY/sendMessage?chat_id=6077046490
Signatures
- Snake Keylogger
  Keylogger and infostealer first seen in November 2020.
- Snake Keylogger payload (4 IoCs)
  resource | yara_rule
  behavioral1/memory/2016-68-0x0000000000400000-0x0000000000438000-memory.dmp | family_snakekeylogger
  behavioral1/memory/2016-71-0x0000000000400000-0x0000000000438000-memory.dmp | family_snakekeylogger
  behavioral1/memory/2016-73-0x0000000000400000-0x0000000000438000-memory.dmp | family_snakekeylogger
  behavioral1/memory/2016-74-0x0000000000310000-0x0000000000336000-memory.dmp | family_snakekeylogger
- Executes dropped EXE (2 IoCs)
  pid | process
  1172 | llsyrx.exe
  2016 | llsyrx.exe
- Loads dropped DLL (3 IoCs)
  pid | process
  1964 | INV-00289202.exe
  1964 | INV-00289202.exe
  1172 | llsyrx.exe
- Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.
- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk where infostealers will often target it.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses Microsoft Outlook profiles (1 TTPs, 3 IoCs)
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | llsyrx.exe
  Key opened | \REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | llsyrx.exe
  Key opened | \REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | llsyrx.exe
- Looks up external IP address via web service (1 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow | ioc
  3 | checkip.dyndns.org
- Suspicious use of SetThreadContext (1 IoCs)
  description | pid | process | target process
  PID 1172 set thread context of 2016 | 1172 | llsyrx.exe | llsyrx.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid | process
  2016 | llsyrx.exe
  2016 | llsyrx.exe
- Suspicious behavior: MapViewOfSection (1 IoCs)
  pid | process
  1172 | llsyrx.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  description | pid | process
  Token: SeDebugPrivilege | 2016 | llsyrx.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  description | pid | process | target process
  PID 1964 wrote to memory of 1172 | 1964 | INV-00289202.exe | llsyrx.exe
  PID 1964 wrote to memory of 1172 | 1964 | INV-00289202.exe | llsyrx.exe
  PID 1964 wrote to memory of 1172 | 1964 | INV-00289202.exe | llsyrx.exe
  PID 1964 wrote to memory of 1172 | 1964 | INV-00289202.exe | llsyrx.exe
  PID 1172 wrote to memory of 2016 | 1172 | llsyrx.exe | llsyrx.exe
  PID 1172 wrote to memory of 2016 | 1172 | llsyrx.exe | llsyrx.exe
  PID 1172 wrote to memory of 2016 | 1172 | llsyrx.exe | llsyrx.exe
  PID 1172 wrote to memory of 2016 | 1172 | llsyrx.exe | llsyrx.exe
  PID 1172 wrote to memory of 2016 | 1172 | llsyrx.exe | llsyrx.exe
- outlook_office_path (1 IoCs)
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | llsyrx.exe
- outlook_win_path (1 IoCs)
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | llsyrx.exe
Processes
C:\Users\Admin\AppData\Local\Temp\INV-00289202.exe (1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\INV-00289202.exe"
  Signatures:
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\llsyrx.exe (2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\llsyrx.exe" C:\Users\Admin\AppData\Local\Temp\syabbjj.fm
    Signatures:
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\llsyrx.exe (3)
      Command line: "C:\Users\Admin\AppData\Local\Temp\llsyrx.exe"
      Signatures:
      - Executes dropped EXE
      - Accesses Microsoft Outlook profiles
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - outlook_office_path
      - outlook_win_path
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- C:\Users\Admin\AppData\Local\Temp\llsyrx.exe
  Filesize: 138KB
  MD5: a7c9cd6c62a1716ca58e806e54f18334
  SHA1: 540709b7a784fa31fcfd97a8d32a1963b30c3242
  SHA256: 868d13f01ede10827e66bd49d0ebc7c674d9d860e735660c928358ab48106ccc
  SHA512: 58828ed658ffc4b2a9015924b691d326c5d3d4f61872b2619f84f6db8e53be6d43c79dd97adf87e6fbd108341d0933c934ab5338b9b0f1689b968e4a6d119843
- C:\Users\Admin\AppData\Local\Temp\syabbjj.fm
  Filesize: 5KB
  MD5: 8a49f75711617c9657c9f69f795784f0
  SHA1: 00883fd16d7c680e2658c67ea23a2bf362372d1b
  SHA256: 5f6647195b9cba4d3d285b35a27d185d0713fd7a0a1461486bddf45fd232d460
  SHA512: 885853147fc0e3a8a06d677dd6b886e69cacf19abe05b8af96c8b836a4b853b456c0b120d4788b59f20cac5745d649d22e9c55834eef25c3a822c96921b3dd95
- C:\Users\Admin\AppData\Local\Temp\tbakozui.jq
  Filesize: 226KB
  MD5: 13deb5507252ac98885321d334de8e7b
  SHA1: 4c424346c8fa251dbe7280597f9dcada68d59835
  SHA256: 26589136a1a4510c48249bd40c77e6ddb8abf3349123acaab72d1a3aee123ab4
  SHA512: 3d6547ebcbc72a2f8e18a3e210f1cbc1ebc424fbb68c22b03c4808a53b4f8647eafb315e5745825e7c372f8ec93e260db281442da06304f511dad9f6b38b0668
- \Users\Admin\AppData\Local\Temp\llsyrx.exe
  Filesize: 138KB
  MD5: a7c9cd6c62a1716ca58e806e54f18334
  SHA1: 540709b7a784fa31fcfd97a8d32a1963b30c3242
  SHA256: 868d13f01ede10827e66bd49d0ebc7c674d9d860e735660c928358ab48106ccc
  SHA512: 58828ed658ffc4b2a9015924b691d326c5d3d4f61872b2619f84f6db8e53be6d43c79dd97adf87e6fbd108341d0933c934ab5338b9b0f1689b968e4a6d119843
- memory/2016-68-0x0000000000400000-0x0000000000438000-memory.dmp
  Filesize: 224KB
- memory/2016-71-0x0000000000400000-0x0000000000438000-memory.dmp
  Filesize: 224KB
- memory/2016-73-0x0000000000400000-0x0000000000438000-memory.dmp
  Filesize: 224KB
- memory/2016-74-0x0000000000310000-0x0000000000336000-memory.dmp
  Filesize: 152KB
- memory/2016-75-0x00000000045D0000-0x0000000004610000-memory.dmp
  Filesize: 256KB