Analysis
max time kernel: 65s
max time network: 136s
platform: windows7_x64
resource: win7-20230220-en
resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
submitted: 05/05/2023, 20:59
Static task: static1
Behavioral task: behavioral1
  Sample: swiftremittance.exe
  Resource: win7-20230220-en
Behavioral task: behavioral2
  Sample: swiftremittance.exe
  Resource: win10v2004-20230220-en
General
Target: swiftremittance.exe
Size: 1.1MB
MD5: 7e542232ec05321a7d1f1a0eb6597b11
SHA1: 6fe1c3516e286efc108d0dca2f31290e779e753a
SHA256: 586153476e8cae5ad225cc3e1e033357e2ba4bc75f30bd7923afddc21c96b0da
SHA512: 6b0fc70891057513471ecf490738dd36ff2d45281b8f910730a28f9d1e41f8455d1515762b2bc6eb57aef2c313716a72b7b8dfb00770d8bdac6892911768c6bb
SSDEEP: 24576:NTbBv5rUan8Pr1yqBYB6UXmmNxrndGryTBZX:HBjWr0VBBXVdGoBZX
Malware Config
Extracted
Family: snakekeylogger
C2: https://api.telegram.org/bot1628683147:AAHrCQLe6jCIHNtCV4vrDvX8lcHsoz9HNAA/sendMessage?chat_id=917280008
Signatures

Snake Keylogger
Keylogger and Infostealer first seen in November 2020.

Snake Keylogger payload (4 IoCs)
resource | yara_rule
behavioral1/memory/1864-215-0x0000000000240000-0x0000000000824000-memory.dmp | family_snakekeylogger
behavioral1/memory/1864-217-0x0000000000240000-0x0000000000824000-memory.dmp | family_snakekeylogger
behavioral1/memory/1864-219-0x0000000000240000-0x0000000000824000-memory.dmp | family_snakekeylogger
behavioral1/memory/1864-220-0x0000000000240000-0x0000000000266000-memory.dmp | family_snakekeylogger

StormKitty
StormKitty is an open source info stealer written in C#.

StormKitty payload (4 IoCs)
resource | yara_rule
behavioral1/memory/1864-215-0x0000000000240000-0x0000000000824000-memory.dmp | family_stormkitty
behavioral1/memory/1864-217-0x0000000000240000-0x0000000000824000-memory.dmp | family_stormkitty
behavioral1/memory/1864-219-0x0000000000240000-0x0000000000824000-memory.dmp | family_stormkitty
behavioral1/memory/1864-220-0x0000000000240000-0x0000000000266000-memory.dmp | family_stormkitty

Executes dropped EXE (1 IoCs)
pid | Process
1428 | resfuhiqr.pif

Loads dropped DLL (1 IoCs)
pid | Process
1608 | wscript.exe

Accesses Microsoft Outlook profiles (1 TTPs, 3 IoCs)
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | RegSvcs.exe
Key opened | \REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | RegSvcs.exe
Key opened | \REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | RegSvcs.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run | resfuhiqr.pif
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jtoh\\RESFUH~1.PIF C:\\Users\\Admin\\AppData\\Local\\Temp\\jtoh\\jsucf.icm" | resfuhiqr.pif

Looks up external IP address via web service (1 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
4 | checkip.dyndns.org

Suspicious use of SetThreadContext (1 IoCs)
description | pid | Process | procid_target
PID 1428 set thread context of 1864 | 1428 | resfuhiqr.pif | 29

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (8 IoCs)
pid | Process
1428 | resfuhiqr.pif
1428 | resfuhiqr.pif
1428 | resfuhiqr.pif
1428 | resfuhiqr.pif
1428 | resfuhiqr.pif
1428 | resfuhiqr.pif
1864 | RegSvcs.exe
1864 | RegSvcs.exe

Suspicious use of AdjustPrivilegeToken (1 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 1864 | RegSvcs.exe

Suspicious use of WriteProcessMemory (17 IoCs)
description | pid | Process | procid_target
PID 1336 wrote to memory of 1608 | 1336 | swiftremittance.exe | 27
PID 1336 wrote to memory of 1608 | 1336 | swiftremittance.exe | 27
PID 1336 wrote to memory of 1608 | 1336 | swiftremittance.exe | 27
PID 1336 wrote to memory of 1608 | 1336 | swiftremittance.exe | 27
PID 1608 wrote to memory of 1428 | 1608 | wscript.exe | 28
PID 1608 wrote to memory of 1428 | 1608 | wscript.exe | 28
PID 1608 wrote to memory of 1428 | 1608 | wscript.exe | 28
PID 1608 wrote to memory of 1428 | 1608 | wscript.exe | 28
PID 1428 wrote to memory of 1864 | 1428 | resfuhiqr.pif | 29
PID 1428 wrote to memory of 1864 | 1428 | resfuhiqr.pif | 29
PID 1428 wrote to memory of 1864 | 1428 | resfuhiqr.pif | 29
PID 1428 wrote to memory of 1864 | 1428 | resfuhiqr.pif | 29
PID 1428 wrote to memory of 1864 | 1428 | resfuhiqr.pif | 29
PID 1428 wrote to memory of 1864 | 1428 | resfuhiqr.pif | 29
PID 1428 wrote to memory of 1864 | 1428 | resfuhiqr.pif | 29
PID 1428 wrote to memory of 1864 | 1428 | resfuhiqr.pif | 29
PID 1428 wrote to memory of 1864 | 1428 | resfuhiqr.pif | 29

outlook_office_path (1 IoCs)
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | RegSvcs.exe

outlook_win_path (1 IoCs)
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | RegSvcs.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\swiftremittance.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\swiftremittance.exe"
   PID: 1336
   - Suspicious use of WriteProcessMemory
  2. C:\Windows\SysWOW64\wscript.exe
     Command line: "C:\Windows\System32\wscript.exe" Update-xq.d.vbe
     PID: 1608
     - Loads dropped DLL
     - Suspicious use of WriteProcessMemory
    3. C:\Users\Admin\AppData\Local\Temp\jtoh\resfuhiqr.pif
       Command line: "C:\Users\Admin\AppData\Local\Temp\jtoh\resfuhiqr.pif" jsucf.icm
       PID: 1428
       - Executes dropped EXE
       - Adds Run key to start application
       - Suspicious use of SetThreadContext
       - Suspicious behavior: EnumeratesProcesses
       - Suspicious use of WriteProcessMemory
      4. C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
         Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
         PID: 1864
         - Accesses Microsoft Outlook profiles
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken
         - outlook_office_path
         - outlook_win_path
Network
MITRE ATT&CK Enterprise v6
Downloads

Filesize: 67KB
MD5: 743186e2e46af964d096e5d2d40247b5
SHA1: 7fded1da804f83f9f51c9f232631b09bab92e73e
SHA256: 0099c0836a5fc46336620114aba4420ccaa69dc2c56e4105e9721709c39fe6ab
SHA512: 8c6b22afa2dbbc90608ea6e2fe5640e8e8016080e6a6496f2b2233e67e33f2fd5b1f79ee9de30948385d6862b8a9d694ee3a9f7e62148fa647eb09dc9bd2317e

Filesize: 38KB
MD5: 75b87ae9c3b5d2c986183f0d38007ac3
SHA1: 263954040985fcef2c3f3186745590d9fbac633f
SHA256: 3e85737ab64e22b1f0681d5cc42de62726d481cee496e4258c13a99ce7c84ec4
SHA512: 61069b666b3c2660933fc9bd37e14024213a8978a1e015bb0436801bec0a95325ed194fb0c2a20d5dad7ccdef12d84d21273f63bd8afbdf683316054b3801667

Filesize: 95.6MB
MD5: 96540b9a1157f012a74526d438d24cbe
SHA1: bd9b5579d0ff3d1ec81c0ccfb408c89cf9ab9abc
SHA256: 55d10a38268b28a067f3e55d110ed58e0574133928732ede76fb35878715cec9
SHA512: 5f717fb76af9aa0d9a2822fc304be644127333060212d6d54b49c28c8c1605e3dd71d825cd0b3d50071928ff65b38d0bfc1dddf73231bce426ce6900173256c1

Filesize: 1.2MB
MD5: d08467871656edc79c1dfe974d91c450
SHA1: 226105367ba3663becdde32280b1714fdcacebcb
SHA256: 0323b0cbc6726d09c091163fa80885b93d91ece8394cbad0bb87e4e38a756798
SHA512: fcb659bd06031e6b3b3b0c03620aeb8a526c6eae6f17db717dd4703a3edc98e8392a5e8118c47db52933c05e2f8fe0cc3eb747f85ff0f0a910bf6142ccbb2fa7
Filesize: 218KB
MD5: 299a8961aadeb97da2e90ea58eff7909
SHA1: 52a3201d09b853250cae1beb26c7dc14456f3cc6
SHA256: 03a35f43c89f967387006eaaacfcb7411ad698268bc7b1c9a56b2f6b0d4c30d9
SHA512: d26359612c6cda72961a9769363aa94b310bc56099e3680dab3a521db17201935df8603c3199ce76db553877a937863de53d8cbbb4e792b1da52ab50a16143c5