Analysis
- max time kernel: 135s
- max time network: 152s
- platform: windows10-2004_x64
- resource: win10v2004-20230220-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 05/05/2023, 20:59
Static task: static1
Behavioral task: behavioral1
- Sample: swiftremittance.exe
- Resource: win7-20230220-en
Behavioral task: behavioral2
- Sample: swiftremittance.exe
- Resource: win10v2004-20230220-en
General
- Target: swiftremittance.exe
- Size: 1.1MB
- MD5: 7e542232ec05321a7d1f1a0eb6597b11
- SHA1: 6fe1c3516e286efc108d0dca2f31290e779e753a
- SHA256: 586153476e8cae5ad225cc3e1e033357e2ba4bc75f30bd7923afddc21c96b0da
- SHA512: 6b0fc70891057513471ecf490738dd36ff2d45281b8f910730a28f9d1e41f8455d1515762b2bc6eb57aef2c313716a72b7b8dfb00770d8bdac6892911768c6bb
- SSDEEP: 24576:NTbBv5rUan8Pr1yqBYB6UXmmNxrndGryTBZX:HBjWr0VBBXVdGoBZX
Malware Config
Extracted (snakekeylogger):
- https://api.telegram.org/bot1628683147:AAHrCQLe6jCIHNtCV4vrDvX8lcHsoz9HNAA/sendMessage?chat_id=917280008
Signatures
- Snake Keylogger
  Keylogger and Infostealer first seen in November 2020.
- Snake Keylogger payload (2 IoCs)
  resource | yara_rule
  behavioral2/memory/452-291-0x0000000000F00000-0x00000000013ED000-memory.dmp | family_snakekeylogger
  behavioral2/memory/452-292-0x0000000000F00000-0x0000000000F26000-memory.dmp | family_snakekeylogger
- StormKitty
  StormKitty is an open source info stealer written in C#.
- StormKitty payload (2 IoCs)
  resource | yara_rule
  behavioral2/memory/452-291-0x0000000000F00000-0x00000000013ED000-memory.dmp | family_stormkitty
  behavioral2/memory/452-292-0x0000000000F00000-0x0000000000F26000-memory.dmp | family_stormkitty
- Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up country code configured in the registry, likely geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation | swiftremittance.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation | wscript.exe
- Executes dropped EXE (1 IoCs)
  pid | Process
  3336 | resfuhiqr.pif
- Accesses Microsoft Outlook profiles (1 TTPs, 3 IoCs)
  description | ioc | Process
  Key opened | \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | RegSvcs.exe
  Key opened | \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | RegSvcs.exe
  Key opened | \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | RegSvcs.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jtoh\\RESFUH~1.PIF C:\\Users\\Admin\\AppData\\Local\\Temp\\jtoh\\jsucf.icm" | resfuhiqr.pif
  Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | resfuhiqr.pif
- Looks up external IP address via web service (1 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow | ioc
  22 | checkip.dyndns.org
- Suspicious use of SetThreadContext (1 IoCs)
  description | pid | Process | procid_target
  PID 3336 set thread context of 452 | 3336 | resfuhiqr.pif | 89
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: EnumeratesProcesses (14 IoCs)
  pid | Process
  3336 | resfuhiqr.pif (12 identical entries)
  452 | RegSvcs.exe (2 identical entries)
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 452 | RegSvcs.exe
- Suspicious use of WriteProcessMemory (11 IoCs)
  description | pid | Process | procid_target
  PID 4388 wrote to memory of 3296 | 4388 | swiftremittance.exe | 83 (3 identical entries)
  PID 3296 wrote to memory of 3336 | 3296 | wscript.exe | 84 (3 identical entries)
  PID 3336 wrote to memory of 452 | 3336 | resfuhiqr.pif | 89 (5 identical entries)
- outlook_office_path (1 IoCs)
  description | ioc | Process
  Key opened | \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | RegSvcs.exe
- outlook_win_path (1 IoCs)
  description | ioc | Process
  Key opened | \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | RegSvcs.exe
Processes (process tree, parent to child)
- C:\Users\Admin\AppData\Local\Temp\swiftremittance.exe (PID 4388)
  Command line: "C:\Users\Admin\AppData\Local\Temp\swiftremittance.exe"
  Signatures: Checks computer location settings; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\wscript.exe (PID 3296)
    Command line: "C:\Windows\System32\wscript.exe" Update-xq.d.vbe
    Signatures: Checks computer location settings; Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\jtoh\resfuhiqr.pif (PID 3336)
      Command line: "C:\Users\Admin\AppData\Local\Temp\jtoh\resfuhiqr.pif" jsucf.icm
      Signatures: Executes dropped EXE; Adds Run key to start application; Suspicious use of SetThreadContext; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe (PID 452)
        Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
        Signatures: Accesses Microsoft Outlook profiles; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; outlook_office_path; outlook_win_path
Network
MITRE ATT&CK Enterprise v6
Downloads