Analysis
- max time kernel: 59s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20230220-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 28-03-2023 06:14

Static task: static1

Behavioral task: behavioral1
- Sample: Packing List.exe
- Resource: win7-20230220-en

Behavioral task: behavioral2
- Sample: Packing List.exe
- Resource: win10v2004-20230220-en
General
- Target: Packing List.exe
- Size: 751KB
- MD5: 3e2bf9d409ebc43f74591d151aa64d38
- SHA1: 40fc577fddeff678703b4673daa55dbfe657e670
- SHA256: e6c74fa34990259423123de4dca4a6b1924929ac74b4e0078c702ca2ec05782b
- SHA512: 0e2afe23b4e293b46efd230815557c18c0080fe16e674b2026d7b7ff2e9a0b87cd100d86daf5167b33d665f6a4fb27aa2447c6fc04d1bc568d0a3eb2f5848013
- SSDEEP: 12288:HjKdJVZz5dcKMk5pgPXJ3IclZZekLRafUWIN51YBplnQaacr2rKEKdmBhQFENrCo:HIVZ9qKP5iXRllVRafra5GLNQ7mEK9F
Malware Config
Extracted (family: snakekeylogger)
- Protocol: smtp
- Host: valleycountysar.org
- Port: 26
- Username: mbown@valleycountysar.org
- Password: }eQA)VL2!$V}
Signatures
- Snake Keylogger
Keylogger and infostealer first seen in November 2020.
- Snake Keylogger payload 1 IoCs
Processes:
  resource: behavioral2/memory/4608-146-0x0000000000400000-0x0000000000426000-memory.dmp
  yara_rule: family_snakekeylogger
The family rule matched in the second Packing List.exe instance (PID 4608) at the default image base 0x400000, the process that PID 2028 wrote into and whose thread context it then set (see the WriteProcessMemory and SetThreadContext entries below).
- Checks computer location settings 2 TTPs 1 IoCs
Looks up the country code configured in the registry, likely a geofence check.
Processes:
  description: Key value queried
  ioc: \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation
  process: Packing List.exe
- Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
- Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk, which infostealers often target.
- Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials.
- Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
Processes (all: Key opened, process Packing List.exe):
  \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
  \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
  \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
- Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
  flow: 34
  ioc: checkip.dyndns.org
- Suspicious use of SetThreadContext 1 IoCs
Processes:
  description: PID 2028 set thread context of 4608
  process: Packing List.exe (PID 2028)
  target process: Packing List.exe (PID 4608)
- Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). The sandbox's generic description for this signature calls it likely ransomware behaviour; nothing else in this report indicates ransomware.
- Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses 6 IoCs
Processes (pid, process):
  2028 Packing List.exe
  2028 Packing List.exe
  4608 Packing List.exe
  2164 powershell.exe
  2164 powershell.exe
  4608 Packing List.exe
- Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes (description, pid, process):
  Token: SeDebugPrivilege  2028  Packing List.exe
  Token: SeDebugPrivilege  4608  Packing List.exe
  Token: SeDebugPrivilege  2164  powershell.exe
- Suspicious use of WriteProcessMemory 14 IoCs
Processes (description, pid, process, target process):
  PID 2028 wrote to memory of 2164  Packing List.exe -> powershell.exe   (3 writes)
  PID 2028 wrote to memory of 3944  Packing List.exe -> schtasks.exe     (3 writes)
  PID 2028 wrote to memory of 4608  Packing List.exe -> Packing List.exe (8 writes)
The three writes each into the powershell.exe and schtasks.exe children are the ordinary footprint of creating a child process; the eight writes into the second Packing List.exe instance (PID 4608), followed by the SetThreadContext call above, are the injection that places the payload in that process.
- outlook_office_path 1 IoCs
Processes:
  description: Key opened
  ioc: \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
  process: Packing List.exe
- outlook_win_path 1 IoCs
Processes:
  description: Key opened
  ioc: \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
  process: Packing List.exe
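The network behaviour the signatures record is an external-IP lookup (checkip.dyndns.org) followed by SMTP to the configured host on port 26, a non-standard mail port. The following is an added example, not part of the sandbox report, that correlates those two events in flow records. The flow tuples are constructed for the example: the lookup host, the SMTP host and port 26 come from this report; the workstation names, timestamps, the list of IP-lookup services, the approved-relay allow-list and the 300-second window are assumptions.

```python
"""Correlate an external-IP lookup with a following outbound SMTP flow from the
same host. Added example over constructed Zeek-style flow tuples, not sandbox
output; only the lookup host, the SMTP destination and port 26 are from the report."""
from collections import defaultdict

# (ts, src_host, dst_name, dst_port, app) -- constructed sample flows
SAMPLE_FLOWS = [
    (100.0, "ws01", "checkip.dyndns.org", 80, "http"),
    (101.5, "ws01", "valleycountysar.org", 26, "smtp"),
    (300.0, "ws02", "checkip.dyndns.org", 80, "http"),
    (5000.0, "ws02", "mail.example.internal", 587, "smtp"),  # approved relay, long after
    (400.0, "ws03", "valleycountysar.org", 26, "smtp"),      # exfil-style port, no lookup
]

# assumed list of public "what is my IP" services commonly abused by stealers
IP_LOOKUP_HOSTS = {"checkip.dyndns.org", "checkip.amazonaws.com", "api.ipify.org"}
STANDARD_SMTP_PORTS = {25, 465, 587}
# assumed organisational allow-list of mail relays that clients may legitimately reach
APPROVED_RELAYS = {"mail.example.internal"}


def correlate(flows, window=300.0):
    """Return (src, dst, port, severity) for SMTP flows to non-approved hosts.

    high   - preceded within `window` seconds by an IP lookup from the same host
             AND on a non-standard SMTP port (the sequence this sample produces)
    medium - only one of the two conditions holds
    """
    lookups = defaultdict(list)
    for ts, src, dst, _port, _app in flows:
        if dst in IP_LOOKUP_HOSTS:
            lookups[src].append(ts)

    alerts = []
    for ts, src, dst, port, app in sorted(flows):
        if app != "smtp" or dst in APPROVED_RELAYS:
            continue
        preceded = any(0 <= ts - t <= window for t in lookups[src])
        nonstandard = port not in STANDARD_SMTP_PORTS
        if preceded and nonstandard:
            severity = "high"
        elif preceded or nonstandard:
            severity = "medium"
        else:
            continue
        alerts.append((src, dst, port, severity))
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_FLOWS):
        print(*alert)
```

Direct SMTP from a workstation to anything but the organisation's relay is already unusual; the lookup-then-SMTP ordering is what separates this family's exfiltration from a misconfigured mail client, so the window check is the part worth tuning against real flow data.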
Processes
- C:\Users\Admin\AppData\Local\Temp\Packing List.exe (PID 2028, depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Packing List.exe"
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 2164, depth 2)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\JFayYhgVIm.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\schtasks.exe (PID 3944, depth 2)
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\JFayYhgVIm" /XML "C:\Users\Admin\AppData\Local\Temp\tmp39EC.tmp"
    - Creates scheduled task(s)
  - C:\Users\Admin\AppData\Local\Temp\Packing List.exe (PID 4608, depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\Packing List.exe"
    - Accesses Microsoft Outlook profiles
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path

PIDs are taken from the signature tables above. The command lines name System32 but the images that ran are under SysWOW64: the parent is a 32-bit process, so file-system redirection applies. The Defender exclusion and the scheduled task share the name JFayYhgVIm, which points at a persisted copy under AppData\Roaming; that file itself does not appear in the report's file list. Add-MpPreference needs administrative rights, and the task is imported from an XML file written to the user's Temp directory (tmp39EC.tmp, listed under Downloads).
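The process tree shows three host-side steps that a detection rule can key on independently of this sample's hashes: a Defender exclusion added through Add-MpPreference, a scheduled task created from an XML file in a user-writable directory, and a parent re-launching its own image from a user-writable path before writing into it. The following is an added example, not sandbox output: it runs those checks over Sysmon-style process-creation records. The records are constructed from the report's process tree (PIDs, images and command lines as listed); the parent PID of the first instance, the explorer.exe control record and the `ProcEvent` field names are assumptions.

```python
"""Hunt for this report's execution chain over Sysmon-style process-creation
records. Added example, not sandbox output: the records below are constructed
from the report's process tree (PIDs and command lines as listed; the parent of
PID 2028 and the explorer.exe control record are assumed)."""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str     # the file that actually ran (SysWOW64 after redirection)
    cmdline: str   # the command line as logged


SAMPLE_EVENTS = [
    ProcEvent(2028, 1000, r"C:\Users\Admin\AppData\Local\Temp\Packing List.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\Packing List.exe"'),
    ProcEvent(2164, 2028, r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
              r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" '
              r'Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\JFayYhgVIm.exe"'),
    ProcEvent(3944, 2028, r"C:\Windows\SysWOW64\schtasks.exe",
              r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\JFayYhgVIm" '
              r'/XML "C:\Users\Admin\AppData\Local\Temp\tmp39EC.tmp"'),
    ProcEvent(4608, 2028, r"C:\Users\Admin\AppData\Local\Temp\Packing List.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\Packing List.exe"'),
    # control record (constructed): an ordinary launch that must not fire
    ProcEvent(5000, 1000, r"C:\Windows\explorer.exe", "explorer.exe"),
]

# Defender exclusion of any kind being added, whatever host process runs it
DEFENDER_EXCLUSION = re.compile(
    r"add-mppreference\b.*?-exclusion(?:path|process|extension)", re.I)
# schtasks /Create importing a definition from a file; group 1 is the XML path
SCHTASKS_XML = re.compile(
    r"schtasks(?:\.exe)?\"?\s+/create\b.*?/xml\s+\"?([^\"\s]+)", re.I)
# anything under a user profile's AppData is writable by the user (and the malware)
USER_WRITABLE = re.compile(r"\\users\\[^\\]+\\appdata\\", re.I)


def hunt(events):
    """Return (pid, finding) pairs in event order."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        parent = by_pid.get(e.ppid)
        if DEFENDER_EXCLUSION.search(e.cmdline):
            findings.append((e.pid, "defender_exclusion_added"))
        m = SCHTASKS_XML.search(e.cmdline)
        if m and USER_WRITABLE.search(m.group(1)):
            findings.append((e.pid, "schtasks_created_from_user_writable_xml"))
        # a process spawning a second copy of its own image from a user-writable
        # path is the setup for the WriteProcessMemory/SetThreadContext injection
        if (parent is not None and parent.image.lower() == e.image.lower()
                and USER_WRITABLE.search(e.image)):
            findings.append((e.pid, "self_spawn_from_user_writable_path"))
    return findings


def chain_score(findings):
    """Number of distinct techniques seen; all three together is this sample's chain."""
    return len({name for _, name in findings})


if __name__ == "__main__":
    for pid, name in hunt(SAMPLE_EVENTS):
        print(pid, name)
```

Each rule fires on its own in real telemetry (administrators do add exclusions), so the value is in `chain_score`: the three findings under one parent within seconds is the pattern to alert on. The injection itself is not visible in process-creation events; confirming it needs the sandbox's API trace as here, or Sysmon ProcessAccess (event 10) with write rights against the child.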
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_fpifpf0e.nqf.ps1
  Filesize: 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
  (written by PowerShell itself when it starts, to test the script execution policy; a side effect of the powershell.exe child, not a malware artifact)
- C:\Users\Admin\AppData\Local\Temp\tmp39EC.tmp
  Filesize: 1KB
  MD5: 9e74ecbc7640ded14ffbc55b88491811
  SHA1: 87a301e035578a8629d63ea9ff13a8e6d1de96cc
  SHA256: 179e6fb1cb0cd16f4098a5a091d6b9e3ab2c4b948adbb3e400800ab6ae1d147f
  SHA512: 107a5f8a10ad363dbd1409ede6ea833e4f8f8577a881db8e846062584fddb04b9959986704f13dc749a43c373ae42a847d84db1f4a41fd3553e2b574fd4753f3
  (the task definition passed to schtasks.exe /XML in the process tree)

Memory dumps (dump, size):
- memory/2028-134-0x00000000058E0000-0x0000000005E84000-memory.dmp  5.6MB
- memory/2028-135-0x0000000005330000-0x00000000053C2000-memory.dmp  584KB
- memory/2028-136-0x0000000005300000-0x000000000530A000-memory.dmp  40KB
- memory/2028-137-0x0000000005250000-0x0000000005260000-memory.dmp  64KB
- memory/2028-138-0x0000000005250000-0x0000000005260000-memory.dmp  64KB
- memory/2028-139-0x00000000077A0000-0x000000000783C000-memory.dmp  624KB
- memory/2028-133-0x0000000000860000-0x0000000000922000-memory.dmp  776KB
- memory/2164-150-0x0000000005B70000-0x0000000005BD6000-memory.dmp  408KB
- memory/2164-180-0x00000000075B0000-0x00000000075BA000-memory.dmp  40KB
- memory/2164-149-0x0000000005370000-0x0000000005392000-memory.dmp  136KB
- memory/2164-157-0x0000000005BE0000-0x0000000005C46000-memory.dmp  408KB
- memory/2164-185-0x0000000007860000-0x0000000007868000-memory.dmp  32KB
- memory/2164-158-0x0000000002A00000-0x0000000002A10000-memory.dmp  64KB
- memory/2164-183-0x0000000007880000-0x000000000789A000-memory.dmp  104KB
- memory/2164-144-0x0000000002900000-0x0000000002936000-memory.dmp  216KB
- memory/2164-163-0x0000000006230000-0x000000000624E000-memory.dmp  120KB
- memory/2164-164-0x0000000006800000-0x0000000006832000-memory.dmp  200KB
- memory/2164-165-0x0000000070460000-0x00000000704AC000-memory.dmp  304KB
- memory/2164-175-0x00000000067E0000-0x00000000067FE000-memory.dmp  120KB
- memory/2164-177-0x000000007FA50000-0x000000007FA60000-memory.dmp  64KB
- memory/2164-176-0x0000000002A00000-0x0000000002A10000-memory.dmp  64KB
- memory/2164-178-0x0000000007B90000-0x000000000820A000-memory.dmp  6.5MB
- memory/2164-179-0x0000000007540000-0x000000000755A000-memory.dmp  104KB
- memory/2164-147-0x00000000053D0000-0x00000000059F8000-memory.dmp  6.2MB
- memory/2164-181-0x00000000077C0000-0x0000000007856000-memory.dmp  600KB
- memory/2164-182-0x0000000007770000-0x000000000777E000-memory.dmp  56KB
- memory/4608-184-0x0000000006170000-0x0000000006332000-memory.dmp  1.8MB
- memory/4608-156-0x00000000051A0000-0x00000000051B0000-memory.dmp  64KB
- memory/4608-146-0x0000000000400000-0x0000000000426000-memory.dmp  152KB  (the region the family_snakekeylogger rule matched)
- memory/4608-188-0x00000000051A0000-0x00000000051B0000-memory.dmp  64KB