snakekeylogger | 218837a31e5d0be80334b33216d047700a3f0983d847ea6019f5a5e638e69f56

Analysis

max time kernel
68s
max time network
124s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
03/04/2023, 12:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Drawing.img.exe
Size

841KB
MD5

fae8a94e9d180cb6ebd19baaff00ed22
SHA1

8585bdd94acff8528e2711b2618579001e1581e9
SHA256

218837a31e5d0be80334b33216d047700a3f0983d847ea6019f5a5e638e69f56
SHA512

db7908675325d802402b58a5c70b4670848f94b8be97ca4da55353a455e066bec669c0b695df10558c60d55672b4f6115fb07369406fa8d992077bb839212685
SSDEEP

12288:l5CBWKdq1FbwwJLwrb53qOYfm+E9myYyG8ZFTOwl59+ay2j+DpfwPfdM7m3St5:Ofrpx3qOYfXEkYlvSwl59SDpfiIm3U

Score

10^/10

snakekeylogger collection keylogger stealer

Malware Config

Extracted

Family

snakekeylogger

Credentials

Protocol: smtp
Host:
mail.bk-systems.in
Port:
587
Username:
[email protected]
Password:
unna_149-ooru
Email To:
[email protected]

Signatures

Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
stealer keylogger snakekeylogger

Snake Keylogger payload 8 IoCs

resource	yara_rule
behavioral1/memory/316-77-0x0000000000400000-0x0000000000426000-memory.dmp	family_snakekeylogger
behavioral1/memory/316-76-0x0000000000400000-0x0000000000426000-memory.dmp	family_snakekeylogger
behavioral1/memory/316-79-0x0000000000400000-0x0000000000426000-memory.dmp	family_snakekeylogger
behavioral1/memory/316-83-0x0000000000400000-0x0000000000426000-memory.dmp	family_snakekeylogger
behavioral1/memory/284-84-0x0000000002680000-0x00000000026C0000-memory.dmp	family_snakekeylogger
behavioral1/memory/316-81-0x0000000000400000-0x0000000000426000-memory.dmp	family_snakekeylogger
behavioral1/memory/316-86-0x00000000044C0000-0x0000000004500000-memory.dmp	family_snakekeylogger
behavioral1/memory/316-87-0x00000000044C0000-0x0000000004500000-memory.dmp	family_snakekeylogger

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe
Key opened	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe
Key opened	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	checkip.dyndns.org

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 820 set thread context of 316	820	Drawing.img.exe	35

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
616	schtasks.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
820	Drawing.img.exe
820	Drawing.img.exe
820	Drawing.img.exe
820	Drawing.img.exe
820	Drawing.img.exe
1948	powershell.exe
316	RegSvcs.exe
284	powershell.exe
316	RegSvcs.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	820	Drawing.img.exe
Token: SeDebugPrivilege	1948	powershell.exe
Token: SeDebugPrivilege	316	RegSvcs.exe
Token: SeDebugPrivilege	284	powershell.exe

Suspicious use of WriteProcessMemory 31 IoCs

description	pid	Process	procid_target
PID 820 wrote to memory of 284	820	Drawing.img.exe	28
PID 820 wrote to memory of 284	820	Drawing.img.exe	28
PID 820 wrote to memory of 284	820	Drawing.img.exe	28
PID 820 wrote to memory of 284	820	Drawing.img.exe	28
PID 820 wrote to memory of 1948	820	Drawing.img.exe	30
PID 820 wrote to memory of 1948	820	Drawing.img.exe	30
PID 820 wrote to memory of 1948	820	Drawing.img.exe	30
PID 820 wrote to memory of 1948	820	Drawing.img.exe	30
PID 820 wrote to memory of 616	820	Drawing.img.exe	32
PID 820 wrote to memory of 616	820	Drawing.img.exe	32
PID 820 wrote to memory of 616	820	Drawing.img.exe	32
PID 820 wrote to memory of 616	820	Drawing.img.exe	32
PID 820 wrote to memory of 1620	820	Drawing.img.exe	34
PID 820 wrote to memory of 1620	820	Drawing.img.exe	34
PID 820 wrote to memory of 1620	820	Drawing.img.exe	34
PID 820 wrote to memory of 1620	820	Drawing.img.exe	34
PID 820 wrote to memory of 1620	820	Drawing.img.exe	34
PID 820 wrote to memory of 1620	820	Drawing.img.exe	34
PID 820 wrote to memory of 1620	820	Drawing.img.exe	34
PID 820 wrote to memory of 316	820	Drawing.img.exe	35
PID 820 wrote to memory of 316	820	Drawing.img.exe	35
PID 820 wrote to memory of 316	820	Drawing.img.exe	35
PID 820 wrote to memory of 316	820	Drawing.img.exe	35
PID 820 wrote to memory of 316	820	Drawing.img.exe	35
PID 820 wrote to memory of 316	820	Drawing.img.exe	35
PID 820 wrote to memory of 316	820	Drawing.img.exe	35
PID 820 wrote to memory of 316	820	Drawing.img.exe	35
PID 820 wrote to memory of 316	820	Drawing.img.exe	35
PID 820 wrote to memory of 316	820	Drawing.img.exe	35
PID 820 wrote to memory of 316	820	Drawing.img.exe	35
PID 820 wrote to memory of 316	820	Drawing.img.exe	35

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe

C:\Users\Admin\AppData\Local\Temp\Drawing.img.exe
"C:\Users\Admin\AppData\Local\Temp\Drawing.img.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:820
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Drawing.img.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:284
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\QYYyhioLPC.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1948
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\QYYyhioLPC" /XML "C:\Users\Admin\AppData\Local\Temp\tmpC1AB.tmp"
  2⤵
  - Creates scheduled task(s)
  PID:616
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
  2⤵
  PID:1620
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
  2⤵
  - Accesses Microsoft Outlook profiles
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - outlook_office_path
  - outlook_win_path
  PID:316

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpC1AB.tmp

Filesize
1KB

MD5
ef8ceba8ad770186783dd8949551f335

SHA1
9236a4538e5821177ce3208d12dd16da93fb90d0

SHA256
fe69a0fa7395b72167aca790c1c4b017d459c832a981720b2ca4133aff0cb4d9

SHA512
6755ffbbcfce8623268c317015059d3f051b547867a508f2a5f7c9cc34f51abb561ce390dbfb968c69622d43780e70268ee8f77705376ed8888482d858f0e240

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\YJXCEHD8LFX07ACF7TX5.temp

Filesize
7KB

MD5
8916dba030e65b03b79592c1cdb09882

SHA1
6baf6fa3ab73fe7742db8bbaf2aafd890a9942d0

SHA256
1fa932e4b561582e1623f834da5eb4866503d5ab8f3041ef9edad3c8007d97b9

SHA512
d4f8020fc7ca752eabfaa16dc7b48012bcf9bcc62fd7977faa0e167abd9babf022f30a90d7b45403b5c89df2440de10fbe50213e6b7785e6b0c2ef348b689d81

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
8916dba030e65b03b79592c1cdb09882

SHA1
6baf6fa3ab73fe7742db8bbaf2aafd890a9942d0

SHA256
1fa932e4b561582e1623f834da5eb4866503d5ab8f3041ef9edad3c8007d97b9

SHA512
d4f8020fc7ca752eabfaa16dc7b48012bcf9bcc62fd7977faa0e167abd9babf022f30a90d7b45403b5c89df2440de10fbe50213e6b7785e6b0c2ef348b689d81

Download Submit
memory/284-84-0x0000000002680000-0x00000000026C0000-memory.dmp

Filesize
256KB

Download
memory/316-81-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/316-83-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/316-76-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/316-86-0x00000000044C0000-0x0000000004500000-memory.dmp

Filesize
256KB

Download
memory/316-87-0x00000000044C0000-0x0000000004500000-memory.dmp

Filesize
256KB

Download
memory/316-79-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/316-78-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/316-75-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/316-74-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/316-77-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/820-59-0x00000000044A0000-0x000000000450E000-memory.dmp

Filesize
440KB

Download
memory/820-73-0x00000000022F0000-0x0000000002318000-memory.dmp

Filesize
160KB

Download
memory/820-72-0x0000000002130000-0x0000000002136000-memory.dmp

Filesize
24KB

Download
memory/820-54-0x0000000000970000-0x0000000000A48000-memory.dmp

Filesize
864KB

Download
memory/820-58-0x0000000000600000-0x000000000060C000-memory.dmp

Filesize
48KB

Download
memory/820-57-0x0000000004E90000-0x0000000004ED0000-memory.dmp

Filesize
256KB

Download
memory/820-56-0x00000000005F0000-0x0000000000604000-memory.dmp

Filesize
80KB

Download
memory/820-55-0x0000000004E90000-0x0000000004ED0000-memory.dmp

Filesize
256KB

Download
memory/1948-85-0x0000000002660000-0x00000000026A0000-memory.dmp

Filesize
256KB

Download