Analysis
- max time kernel: 88s
- max time network: 123s
- platform: windows7_x64
- resource: win7-20230220-en
- resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
- submitted: 05/05/2023, 21:01
Static task: static1
Behavioral task: behavioral1
  Sample: VESSELDETAILS.exe
  Resource: win7-20230220-en
Behavioral task: behavioral2
  Sample: VESSELDETAILS.exe
  Resource: win10v2004-20230220-en
General
- Target: VESSELDETAILS.exe
- Size: 541KB
- MD5: 51bb2cd3a440b03b8f3395668bb7ed44
- SHA1: de675a2e334b5d1c30f52184cb1b2c7c9e071656
- SHA256: 799ad2554344216d192896a517536862c2435f054182bb8e468f6dd9f15f3e33
- SHA512: c4cec2ad5033e5639b33b8291c6ce8cf2bb520568d222b653abd14ff100f0cc7b102b1f1d2d9ce72a8e85b15defa7e891d18e0559c447efcc00a3a4186342c61
- SSDEEP: 12288:VOhXGPstv/uHCuBHzmZ5i7TzVx0vq60btUP+2wuZ9Cb6rh:GXGrxk5iwq60btW7//h
Malware Config
Extracted
snakekeylogger
https://api.telegram.org/bot5923227859:AAEYo__DCK9GpHPQHPaQXx_5mU4DPDQb_xs/sendMessage?chat_id=1965959123
Signatures
- Snake Keylogger
  Keylogger and Infostealer first seen in November 2020.
- Snake Keylogger payload (7 IoCs)
  resource  yara_rule
  behavioral1/memory/1860-75-0x0000000000400000-0x0000000000426000-memory.dmp  family_snakekeylogger
  behavioral1/memory/1860-77-0x0000000000400000-0x0000000000426000-memory.dmp  family_snakekeylogger
  behavioral1/memory/1860-73-0x0000000000400000-0x0000000000426000-memory.dmp  family_snakekeylogger
  behavioral1/memory/1860-71-0x0000000000400000-0x0000000000426000-memory.dmp  family_snakekeylogger
  behavioral1/memory/1860-70-0x0000000000400000-0x0000000000426000-memory.dmp  family_snakekeylogger
  behavioral1/memory/1860-78-0x0000000004A40000-0x0000000004A80000-memory.dmp  family_snakekeylogger
  behavioral1/memory/1860-79-0x0000000004A40000-0x0000000004A80000-memory.dmp  family_snakekeylogger
- StormKitty
  StormKitty is an open source info stealer written in C#.
- StormKitty payload (7 IoCs)
  resource  yara_rule
  behavioral1/memory/1860-75-0x0000000000400000-0x0000000000426000-memory.dmp  family_stormkitty
  behavioral1/memory/1860-77-0x0000000000400000-0x0000000000426000-memory.dmp  family_stormkitty
  behavioral1/memory/1860-73-0x0000000000400000-0x0000000000426000-memory.dmp  family_stormkitty
  behavioral1/memory/1860-71-0x0000000000400000-0x0000000000426000-memory.dmp  family_stormkitty
  behavioral1/memory/1860-70-0x0000000000400000-0x0000000000426000-memory.dmp  family_stormkitty
  behavioral1/memory/1860-78-0x0000000004A40000-0x0000000004A80000-memory.dmp  family_stormkitty
  behavioral1/memory/1860-79-0x0000000004A40000-0x0000000004A80000-memory.dmp  family_stormkitty
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses Microsoft Outlook profiles (1 TTPs, 3 IoCs)
  description  ioc  Process
  Key opened  \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  VESSELDETAILS.exe
  Key opened  \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  VESSELDETAILS.exe
  Key opened  \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  VESSELDETAILS.exe
- Looks up external IP address via web service (1 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow  ioc
  4  checkip.dyndns.org
- Suspicious use of SetThreadContext (1 IoCs)
  description  pid  Process  procid_target
  PID 1768 set thread context of 1860  1768  VESSELDETAILS.exe  32
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid  Process
  1248  schtasks.exe
- Suspicious behavior: EnumeratesProcesses (5 IoCs)
  pid  Process
  1768  VESSELDETAILS.exe
  1768  VESSELDETAILS.exe
  1860  VESSELDETAILS.exe
  468  powershell.exe
  1860  VESSELDETAILS.exe
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  description  pid  Process
  Token: SeDebugPrivilege  1768  VESSELDETAILS.exe
  Token: SeDebugPrivilege  1860  VESSELDETAILS.exe
  Token: SeDebugPrivilege  468  powershell.exe
- Suspicious use of WriteProcessMemory (17 IoCs)
  description  pid  Process  procid_target
  PID 1768 wrote to memory of 468  1768  VESSELDETAILS.exe  31
  PID 1768 wrote to memory of 468  1768  VESSELDETAILS.exe  31
  PID 1768 wrote to memory of 468  1768  VESSELDETAILS.exe  31
  PID 1768 wrote to memory of 468  1768  VESSELDETAILS.exe  31
  PID 1768 wrote to memory of 1248  1768  VESSELDETAILS.exe  28
  PID 1768 wrote to memory of 1248  1768  VESSELDETAILS.exe  28
  PID 1768 wrote to memory of 1248  1768  VESSELDETAILS.exe  28
  PID 1768 wrote to memory of 1248  1768  VESSELDETAILS.exe  28
  PID 1768 wrote to memory of 1860  1768  VESSELDETAILS.exe  32
  PID 1768 wrote to memory of 1860  1768  VESSELDETAILS.exe  32
  PID 1768 wrote to memory of 1860  1768  VESSELDETAILS.exe  32
  PID 1768 wrote to memory of 1860  1768  VESSELDETAILS.exe  32
  PID 1768 wrote to memory of 1860  1768  VESSELDETAILS.exe  32
  PID 1768 wrote to memory of 1860  1768  VESSELDETAILS.exe  32
  PID 1768 wrote to memory of 1860  1768  VESSELDETAILS.exe  32
  PID 1768 wrote to memory of 1860  1768  VESSELDETAILS.exe  32
  PID 1768 wrote to memory of 1860  1768  VESSELDETAILS.exe  32
- outlook_office_path (1 IoCs)
  description  ioc  Process
  Key opened  \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  VESSELDETAILS.exe
- outlook_win_path (1 IoCs)
  description  ioc  Process
  Key opened  \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  VESSELDETAILS.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\VESSELDETAILS.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\VESSELDETAILS.exe"
  PID: 1768
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\xTXuqPdjAiGmQt" /XML "C:\Users\Admin\AppData\Local\Temp\tmpC256.tmp"
    PID: 1248
    - Creates scheduled task(s)
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\xTXuqPdjAiGmQt.exe"
    PID: 468
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Users\Admin\AppData\Local\Temp\VESSELDETAILS.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\VESSELDETAILS.exe"
    PID: 1860
    - Accesses Microsoft Outlook profiles
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 1KB
  MD5: 2e513d80776316b18b3eacf78aa21a69
  SHA1: 3426067d4db8b09ba9bc189ac1f49e4bc1a1ecf8
  SHA256: 93796655cc094767a7007fee50e772c6de53d2032f6750cdc9ed5ffd6adafb9c
  SHA512: e47b4824076bb52f775fca69014b77a6fa2c911194697a9d426776a47014fa58c5cbb8efa838dec195758250f4d2015e6a52e0a03c4b98d7abea7d401dfee59b