Analysis
max time kernel: 77s
max time network: 140s
platform: windows7_x64
resource: win7-20230220-en
resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
submitted: 28-03-2023 06:14
Static task: static1
Behavioral task behavioral1: sample Packing List.exe, resource win7-20230220-en
Behavioral task behavioral2: sample Packing List.exe, resource win10v2004-20230220-en
General
Target: Packing List.exe
Size: 751KB
MD5: 3e2bf9d409ebc43f74591d151aa64d38
SHA1: 40fc577fddeff678703b4673daa55dbfe657e670
SHA256: e6c74fa34990259423123de4dca4a6b1924929ac74b4e0078c702ca2ec05782b
SHA512: 0e2afe23b4e293b46efd230815557c18c0080fe16e674b2026d7b7ff2e9a0b87cd100d86daf5167b33d665f6a4fb27aa2447c6fc04d1bc568d0a3eb2f5848013
SSDEEP: 12288:HjKdJVZz5dcKMk5pgPXJ3IclZZekLRafUWIN51YBplnQaacr2rKEKdmBhQFENrCo:HIVZ9qKP5iXRllVRafra5GLNQ7mEK9F
Malware Config
Extracted: snakekeylogger
Protocol: smtp
Host: valleycountysar.org
Port: 26
Username: mbown@valleycountysar.org
Password: }eQA)VL2!$V}
These are the keylogger's exfiltration settings: harvested credentials and keystrokes are mailed out over SMTP on port 26 through this mailbox. The host and account are the network indicators to block and to report to the mailbox owner; the report does not show the SMTP session itself being made during the run.
Signatures
- Snake Keylogger
  Keylogger and infostealer first seen in November 2020.
- Snake Keylogger payload (5 IoCs)
  YARA rule family_snakekeylogger matched five behavioral1 dumps of the same region, the 0x00400000-0x00426000 image of PID 1468 (the second Packing List.exe instance):
    behavioral1/memory/1468-69-0x0000000000400000-0x0000000000426000-memory.dmp
    behavioral1/memory/1468-70-0x0000000000400000-0x0000000000426000-memory.dmp
    behavioral1/memory/1468-72-0x0000000000400000-0x0000000000426000-memory.dmp
    behavioral1/memory/1468-74-0x0000000000400000-0x0000000000426000-memory.dmp
    behavioral1/memory/1468-76-0x0000000000400000-0x0000000000426000-memory.dmp
- Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.
- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk, where infostealers often target it.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials.
- Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
  Registry keys opened by Packing List.exe (PID 1468), covering the Office 15.0 (2013), Office 16.0 (2016 and later) and legacy Windows Messaging Subsystem profile locations:
    \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
    \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
    \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
- Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
    flow 4: checkip.dyndns.org
- Suspicious use of SetThreadContext (1 IoC)
    PID 1084 (Packing List.exe) set the thread context of PID 1468 (Packing List.exe).
  Read together with the WriteProcessMemory entries below, this is consistent with the RunPE/process-hollowing pattern: the first instance writes a payload into a second copy of itself and then redirects that copy's thread to it. The dumps fit: 1084's image region is 776KB (the 751KB file as loaded), while the region of 1468 that the YARA rule matched is 152KB.
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The sandbox's generic signature text calls this "likely ransomware behaviour"; on its own it is not, and in this sample it accompanies credential theft, not encryption.
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution. Here it imports the task Updates\JFayYhgVIm from an XML definition dropped in the user's Temp folder (see Processes).
- Suspicious behavior: EnumeratesProcesses (5 IoCs)
    PID 1084 Packing List.exe (2), PID 1468 Packing List.exe (2), PID 1180 powershell.exe (1)
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  SeDebugPrivilege enabled by:
    PID 1084 Packing List.exe
    PID 1468 Packing List.exe
    PID 1180 powershell.exe
- Suspicious use of WriteProcessMemory (17 IoCs)
  Every write originates from PID 1084 (Packing List.exe):
    to PID 1180 powershell.exe: 4 writes
    to PID 1812 schtasks.exe: 4 writes
    to PID 1468 Packing List.exe: 9 writes
- outlook_office_path (1 IoC)
    Key opened by Packing List.exe: \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
- outlook_win_path (1 IoC)
    Key opened by Packing List.exe: \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Processes
- C:\Users\Admin\AppData\Local\Temp\Packing List.exe (PID 1084, depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Packing List.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 1180, depth 2)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\JFayYhgVIm.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\schtasks.exe (PID 1812, depth 2)
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\JFayYhgVIm" /XML "C:\Users\Admin\AppData\Local\Temp\tmpC247.tmp"
    - Creates scheduled task(s)
  - C:\Users\Admin\AppData\Local\Temp\Packing List.exe (PID 1468, depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\Packing List.exe"
    - Accesses Microsoft Outlook profiles
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path
Two things worth noting in the tree. The child image paths are under SysWOW64 while the command lines name System32: that is WOW64 file-system redirection, so Packing List.exe runs as a 32-bit process (consistent with the arch:x86 tag and the 0x00400000 image base of the 1468 dumps). The Defender exclusion path and the scheduled task share the name JFayYhgVIm, so the task is most likely the launcher for that persistence copy; the task XML content is not shown in this report and JFayYhgVIm.exe is not among the captured files, only the XML tmpC247.tmp is.
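The behaviours above (Defender exclusion from PowerShell, a task imported from a Temp XML, a binary spawning and hollowing a copy of itself, the external-IP lookup, and the SMTP exfil config) map directly onto hunting rules. The following is an added example, not the sandbox's or the malware author's code: it runs those rules over constructed Sysmon-style events whose fields mirror Event ID 1 (process create), 3 (network connect) and 22 (DNS query), built from this report's process tree and config plus two benign decoys. The event contents, the parent of PID 1084, which PID performed the lookup and the SMTP connection, the rule weights and all helper names are assumptions.

```python
"""Hunting rules derived from this report's behaviours, run over constructed
Sysmon-style events (dict fields mirror Event ID 1 process create, 3 network
connect, 22 DNS query). Added example, not the sandbox's code; field names,
weights and the events themselves are assumptions."""
import re
from collections import defaultdict

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\Packing List.exe"
PS = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"

# Constructed from the process tree, the checkip.dyndns.org flow and the SMTP
# config. Assumed, not shown by the report: 1084's parent, which PID did the
# lookup, and that the SMTP session to the config host was ever attempted.
EVENTS = [
    {"eid": 1, "pid": 1084, "ppid": None, "pimage": None, "image": SAMPLE, "cmd": f'"{SAMPLE}"'},
    {"eid": 1, "pid": 1180, "ppid": 1084, "pimage": SAMPLE, "image": PS,
     "cmd": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference '
            r'-ExclusionPath "C:\Users\Admin\AppData\Roaming\JFayYhgVIm.exe"'},
    {"eid": 1, "pid": 1812, "ppid": 1084, "pimage": SAMPLE, "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmd": r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\JFayYhgVIm" '
            r'/XML "C:\Users\Admin\AppData\Local\Temp\tmpC247.tmp"'},
    {"eid": 1, "pid": 1468, "ppid": 1084, "pimage": SAMPLE, "image": SAMPLE, "cmd": f'"{SAMPLE}"'},
    {"eid": 22, "pid": 1468, "image": SAMPLE, "query": "checkip.dyndns.org"},
    {"eid": 3, "pid": 1468, "image": SAMPLE, "dst_host": "valleycountysar.org", "dst_port": 26},
    # Benign decoys that must not score: a task imported from a non-user path,
    # and a browser spawning a copy of itself from Program Files.
    {"eid": 1, "pid": 2000, "ppid": 1500, "pimage": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\schtasks.exe",
     "cmd": r'schtasks.exe /Create /TN "Backup" /XML "C:\ProgramData\backup.xml"'},
    {"eid": 1, "pid": 3001, "ppid": 3000, "pimage": r"C:\Program Files\Google\Chrome\chrome.exe",
     "image": r"C:\Program Files\Google\Chrome\chrome.exe", "cmd": "chrome.exe --type=renderer"},
]

USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\AppData\\|\\Temp\\", re.I)
ARG = r'(?:"([^"]+)"|(\S+))'  # one quoted or bare argument value
IP_LOOKUP_HOSTS = {"checkip.dyndns.org", "checkip.amazonaws.com", "api.ipify.org"}
WEIGHTS = {"defender_exclusion": 2, "schtasks_xml_temp": 2, "self_spawn": 1,
           "external_ip_lookup": 1, "smtp_from_user_dir": 2}

def _switch_path(ev, exe, pattern):
    """Switch value if the image is `exe` and the value is user-writable, else None."""
    if ev["eid"] != 1 or not ev["image"].lower().endswith(exe):
        return None
    m = re.search(pattern + ARG, ev["cmd"], re.I)
    path = m and (m.group(1) or m.group(2))
    return path if path and USER_WRITABLE.search(path) else None

def rule_defender_exclusion(ev):
    """PowerShell excluding a user-writable path from Defender (T1562.001).
    Deliberately narrow: only the literal -ExclusionPath spelling is matched."""
    p = _switch_path(ev, "powershell.exe", r"Add-MpPreference\b.*?-ExclusionPath\s+")
    return ("defender_exclusion", p) if p else None

def rule_schtasks_xml_temp(ev):
    """schtasks importing a task definition from Temp/AppData (T1053.005)."""
    p = _switch_path(ev, "schtasks.exe", r"/create\b.*?/xml\s+")
    return ("schtasks_xml_temp", p) if p else None

def rule_self_spawn(ev):
    """User-writable binary spawning a copy of itself: the parent/child shape behind
    the report's SetThreadContext + WriteProcessMemory. Weak alone, so low weight."""
    if (ev["eid"] == 1 and ev["pimage"] and ev["image"].lower() == ev["pimage"].lower()
            and USER_WRITABLE.search(ev["image"])):
        return "self_spawn", ev["image"]
    return None

def rule_external_ip_lookup(ev):
    if ev["eid"] == 22 and ev["query"].lower() in IP_LOOKUP_HOSTS:
        return "external_ip_lookup", ev["query"]
    return None

def rule_smtp_from_user_dir(ev):
    """Direct SMTP from a user-writable binary: the extracted exfil channel."""
    if ev["eid"] == 3 and ev["dst_port"] in {25, 26, 465, 587} and USER_WRITABLE.search(ev["image"]):
        return "smtp_from_user_dir", f'{ev["dst_host"]}:{ev["dst_port"]}'
    return None

RULES = [rule_defender_exclusion, rule_schtasks_xml_temp, rule_self_spawn,
         rule_external_ip_lookup, rule_smtp_from_user_dir]

def root_of(pid, parents):
    """Climb to the top-most ancestor we hold a creation event for."""
    seen = {pid}
    while parents.get(pid) in parents and parents[pid] not in seen:
        pid = parents[pid]
        seen.add(pid)
    return pid

def hunt(events, threshold=3):
    """Score rule hits per process tree: {root_pid: {"score": int, "hits": [...]}}."""
    parents = {ev["pid"]: ev["ppid"] for ev in events if ev["eid"] == 1}
    hits = defaultdict(list)
    for ev in events:
        for rule in RULES:
            hit = rule(ev)
            if hit:
                hits[root_of(ev["pid"], parents)].append(hit)
    scored = {root: (sum(WEIGHTS[n] for n, _ in h), h) for root, h in hits.items()}
    return {r: {"score": s, "hits": h} for r, (s, h) in scored.items() if s >= threshold}

if __name__ == "__main__":
    for root, alert in hunt(EVENTS).items():
        print(f"PID {root} tree: score {alert['score']}, hits {alert['hits']}")
```

Scoring per process tree rather than per event is the point: the self-spawn and IP-lookup rules are too noisy to alert on alone, but rooted at one parent with a Defender exclusion and a Temp-sourced task they describe this sample exactly, while the decoy schtasks and Chrome events never reach the threshold.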
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmpC247.tmp (dropped scheduled-task XML, 1KB)
  MD5: a473f66429e558a5240479d0bfc3682d
  SHA1: 6923d2bff4dbda46b4dbd2ee4efd979717ba7b1e
  SHA256: 6010cc212377d81eb17937e0a6c4452d50b54954f999c02389923b893d63cc61
  SHA512: 589c06bb49d5a759bacca80bd6a11b107d7c926eda17e9ad7c6137e39f12a3c68a006afbe3472ea6b336e3efa8419b59a941c646cbf24f6c2cb6efdda0ed1f0e
- Memory dumps (name is PID-snapshot-range), behavioral1:
  memory/1084-54-0x00000000008D0000-0x0000000000992000-memory.dmp  776KB
  memory/1084-55-0x0000000004B00000-0x0000000004B40000-memory.dmp  256KB
  memory/1084-56-0x0000000000330000-0x0000000000350000-memory.dmp  128KB
  memory/1084-57-0x0000000000540000-0x000000000054C000-memory.dmp  48KB
  memory/1084-58-0x0000000005770000-0x0000000005810000-memory.dmp  640KB
  memory/1084-66-0x0000000004A50000-0x0000000004A78000-memory.dmp  160KB
  memory/1180-77-0x0000000002730000-0x0000000002770000-memory.dmp  256KB
  memory/1468-67-0x0000000000400000-0x0000000000426000-memory.dmp  152KB
  memory/1468-68-0x0000000000400000-0x0000000000426000-memory.dmp  152KB
  memory/1468-69-0x0000000000400000-0x0000000000426000-memory.dmp  152KB
  memory/1468-70-0x0000000000400000-0x0000000000426000-memory.dmp  152KB
  memory/1468-71-0x000000007EFDE000-0x000000007EFDF000-memory.dmp  4KB
  memory/1468-72-0x0000000000400000-0x0000000000426000-memory.dmp  152KB
  memory/1468-74-0x0000000000400000-0x0000000000426000-memory.dmp  152KB
  memory/1468-76-0x0000000000400000-0x0000000000426000-memory.dmp  152KB
  The 776KB region of PID 1084 is the loaded 751KB sample; the repeated 152KB 0x00400000-0x00426000 dumps of PID 1468 are the region the family_snakekeylogger YARA rule matched, and are the ones to pull for payload analysis.