Analysis
- max time kernel: 68s
- max time network: 131s
- platform: windows7_x64
- resource: win7-20230220-en
- resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
- submitted: 28-03-2023 09:29
Static task: static1
Behavioral task: behavioral1
  Sample: Signed po_000165.exe
  Resource: win7-20230220-en
Behavioral task: behavioral2
  Sample: Signed po_000165.exe
  Resource: win10v2004-20230220-en
General
- Target: Signed po_000165.exe
- Size: 1.1MB
- MD5: c125d39a5c36ceb3561c38c86c0f74ff
- SHA1: ee54939ec90d947049e2be343de7c42f9472df02
- SHA256: 1bd8f3260eef97220ff4fbf88e4e4005832becf5a74742c2bd2fbf542e446972
- SHA512: a5cdd216d6cb680c3415b88c9bc4c2accec6301f6d38c57d81d14bad74c1cfb9b5605b4384f095b3375bb03a90f3591eb5a79900c47defd5e2d5665f8af43d35
- SSDEEP: 24576:vA5QvV9xxFzUYAMTZ8Mysn3HeFD8UW4Uw6ATp1wUb1QiD:Y5cxD4VCLyk3ev5p6A8x8
Malware Config
Extracted: snakekeylogger
- Protocol: smtp
- Host: mail.muktaaspa.com
- Port: 587
- Username: inquiry@muktaaspa.com
- Password: %!G&w4007t]O
Signatures
-
Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
-
Snake Keylogger payload 6 IoCs
Processes:
  resource | yara_rule
  behavioral1/memory/1692-67-0x0000000000400000-0x000000000047C000-memory.dmp | family_snakekeylogger
  behavioral1/memory/1692-68-0x0000000000400000-0x000000000047C000-memory.dmp | family_snakekeylogger
  behavioral1/memory/1692-70-0x0000000000400000-0x000000000047C000-memory.dmp | family_snakekeylogger
  behavioral1/memory/1692-72-0x0000000000400000-0x000000000047C000-memory.dmp | family_snakekeylogger
  behavioral1/memory/1692-74-0x0000000000400000-0x000000000047C000-memory.dmp | family_snakekeylogger
  behavioral1/memory/1576-77-0x0000000002460000-0x00000000024A0000-memory.dmp | family_snakekeylogger
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
Processes:
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | Signed po_000165.exe
  Key opened | \REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | Signed po_000165.exe
  Key opened | \REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | Signed po_000165.exe
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
  flow | ioc
  4 | checkip.dyndns.org
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
  description | pid | process | target process
  PID 1524 set thread context of 1692 | 1524 | Signed po_000165.exe | Signed po_000165.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 5 IoCs
Processes:
  pid | process
  1524 | Signed po_000165.exe
  1524 | Signed po_000165.exe
  1692 | Signed po_000165.exe
  1576 | powershell.exe
  1692 | Signed po_000165.exe
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
  description | pid | process
  Token: SeDebugPrivilege | 1524 | Signed po_000165.exe
  Token: SeDebugPrivilege | 1692 | Signed po_000165.exe
  Token: SeDebugPrivilege | 1576 | powershell.exe
-
Suspicious use of WriteProcessMemory 17 IoCs
Processes:
  description | pid | process | target process
  PID 1524 wrote to memory of 1576 | 1524 | Signed po_000165.exe | powershell.exe
  PID 1524 wrote to memory of 1576 | 1524 | Signed po_000165.exe | powershell.exe
  PID 1524 wrote to memory of 1576 | 1524 | Signed po_000165.exe | powershell.exe
  PID 1524 wrote to memory of 1576 | 1524 | Signed po_000165.exe | powershell.exe
  PID 1524 wrote to memory of 728 | 1524 | Signed po_000165.exe | schtasks.exe
  PID 1524 wrote to memory of 728 | 1524 | Signed po_000165.exe | schtasks.exe
  PID 1524 wrote to memory of 728 | 1524 | Signed po_000165.exe | schtasks.exe
  PID 1524 wrote to memory of 728 | 1524 | Signed po_000165.exe | schtasks.exe
  PID 1524 wrote to memory of 1692 | 1524 | Signed po_000165.exe | Signed po_000165.exe
  PID 1524 wrote to memory of 1692 | 1524 | Signed po_000165.exe | Signed po_000165.exe
  PID 1524 wrote to memory of 1692 | 1524 | Signed po_000165.exe | Signed po_000165.exe
  PID 1524 wrote to memory of 1692 | 1524 | Signed po_000165.exe | Signed po_000165.exe
  PID 1524 wrote to memory of 1692 | 1524 | Signed po_000165.exe | Signed po_000165.exe
  PID 1524 wrote to memory of 1692 | 1524 | Signed po_000165.exe | Signed po_000165.exe
  PID 1524 wrote to memory of 1692 | 1524 | Signed po_000165.exe | Signed po_000165.exe
  PID 1524 wrote to memory of 1692 | 1524 | Signed po_000165.exe | Signed po_000165.exe
  PID 1524 wrote to memory of 1692 | 1524 | Signed po_000165.exe | Signed po_000165.exe
-
outlook_office_path 1 IoCs
Processes:
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | Signed po_000165.exe
-
outlook_win_path 1 IoCs
Processes:
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | Signed po_000165.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\Signed po_000165.exe (level 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\Signed po_000165.exe"
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (level 2, child of the process above)
  Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\FUzeyuwl.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  -
  C:\Windows\SysWOW64\schtasks.exe (level 2, child of the process above)
  Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\FUzeyuwl" /XML "C:\Users\Admin\AppData\Local\Temp\tmp199A.tmp"
  - Creates scheduled task(s)
  -
  C:\Users\Admin\AppData\Local\Temp\Signed po_000165.exe (level 2, child of the process above)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Signed po_000165.exe"
  - Accesses Microsoft Outlook profiles
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - outlook_office_path
  - outlook_win_path
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\tmp199A.tmp
Filesize: 1KB
MD5: 55828ce541600a018b905caa87e5b747
SHA1: 777e7513339556e6f25141afcb7c1909382af886
SHA256: 2b86a2ddbcb25acc605685a0327bc1469372dd147c8dfc95ef807d68a6a35480
SHA512: a5171cf4b99208a55115da0ff986c1956b2ff1ab0e485231ec6cdf48292365823b1ac581e55f55c7dd7a7ed0b1a4cd4c7b857c2635b69a249a0c01040471b08e
-
memory/1524-55-0x0000000002190000-0x00000000021D0000-memory.dmp
Filesize: 256KB
-
memory/1524-56-0x0000000000580000-0x00000000005A0000-memory.dmp
Filesize: 128KB
-
memory/1524-57-0x00000000005B0000-0x00000000005BC000-memory.dmp
Filesize: 48KB
-
memory/1524-58-0x00000000058C0000-0x00000000059B8000-memory.dmp
Filesize: 992KB
-
memory/1524-64-0x0000000005CA0000-0x0000000005D20000-memory.dmp
Filesize: 512KB
-
memory/1524-54-0x0000000000150000-0x000000000026C000-memory.dmp
Filesize: 1.1MB
-
memory/1576-77-0x0000000002460000-0x00000000024A0000-memory.dmp
Filesize: 256KB
-
memory/1576-78-0x0000000002460000-0x00000000024A0000-memory.dmp
Filesize: 256KB
-
memory/1692-66-0x0000000000400000-0x000000000047C000-memory.dmp
Filesize: 496KB
-
memory/1692-68-0x0000000000400000-0x000000000047C000-memory.dmp
Filesize: 496KB
-
memory/1692-69-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
Filesize: 4KB
-
memory/1692-70-0x0000000000400000-0x000000000047C000-memory.dmp
Filesize: 496KB
-
memory/1692-72-0x0000000000400000-0x000000000047C000-memory.dmp
Filesize: 496KB
-
memory/1692-74-0x0000000000400000-0x000000000047C000-memory.dmp
Filesize: 496KB
-
memory/1692-67-0x0000000000400000-0x000000000047C000-memory.dmp
Filesize: 496KB
-
memory/1692-65-0x0000000000400000-0x000000000047C000-memory.dmp
Filesize: 496KB
-
memory/1692-79-0x00000000003B0000-0x00000000003BA000-memory.dmp
Filesize: 40KB
-
memory/1692-80-0x0000000004480000-0x00000000044E6000-memory.dmp
Filesize: 408KB