Analysis

  • max time kernel
    146s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    01-06-2023 16:45

General

  • Target

    06875699.exe

  • Size

    1.4MB

  • MD5

    c618ea88580dc6cf97c2fee2cd8d8bc5

  • SHA1

    f995cadb36e461cee8c47fecc1c3efba8943c6da

  • SHA256

    b2e76f7da4513cd15aa3846c9a40fa3cb20c60635befebef6efe543f16079912

  • SHA512

    8af32d570a66d4869e3dbfe939ba6b15ec57392e1c433274670a85fda144953db9c17a3d1958b63beaa2b2f3069c6b6f16284f8709bfb6b89b65c12f9e965372

  • SSDEEP

    24576:lTbBv5rUFcDYfTPmHkhj63zSBsPMQQO6ZNqmSEF9SvXeMi0j8x+B5A4d7UGOQ8OR:PBHuTOHkl6jCsPMQQZcmSvXeMdj8xyxl

Malware Config

Extracted

Family

snakekeylogger

C2

https://api.telegram.org/bot5553654095:AAFY7fGm3A2NSyoJOWhzq_VfL3zRwqCo4Ow/sendMessage?chat_id=6183982484
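The C2 above is not a server the operator controls but the Telegram Bot API: the URL embeds the bot token (numeric bot id, a colon, a 35-character secret) and the chat_id that receives the stolen data. The following is an added example for this report, not malware or Telegram code, that pulls those fields out of such a URL and scans proxy log lines for them. The log lines are constructed in Squid native format (the second one carries the C2 URL from this report; peer addresses use the 203.0.113.0/24 documentation range), and the EXFIL_METHODS set is this example's own assumption about which Bot API methods move data off the host.

```python
"""Extract bot id / secret / chat_id from a Telegram Bot API C2 URL and hunt
for it in proxy logs. Added example for this report, not code from the
sample or from Telegram; PROXY_LOG is constructed."""
import re
from urllib.parse import parse_qs, urlsplit

# A bot token is <numeric bot id>:<35-char secret>; the API method follows it.
TELEGRAM_BOT_RE = re.compile(
    r"https?://api\.telegram\.org/bot(?P<bot_id>\d+):(?P<secret>[A-Za-z0-9_-]{35})/(?P<method>\w+)"
)
# Bot API methods that carry data from the host to the operator (assumed set).
EXFIL_METHODS = {"sendmessage", "senddocument", "sendphoto"}


def parse_telegram_bot_url(url):
    """Return bot_id/secret/method/chat_id for a bot-API URL, else None."""
    m = TELEGRAM_BOT_RE.search(url)
    if m is None:
        return None
    query = parse_qs(urlsplit(url).query)
    return {
        "bot_id": m["bot_id"],
        "secret": m["secret"],
        "method": m["method"],
        "chat_id": query.get("chat_id", [None])[0],
    }


def redact(hit):
    """Keep the bot id (a pivot across samples) but hide the secret:
    anyone holding the full token controls the bot."""
    return f"{hit['bot_id']}:{hit['secret'][:4]}***"


# Constructed Squid native-format access log lines; field 7 is the URL.
# Full URLs for HTTPS are only visible when the proxy bumps TLS, otherwise
# all you get is the CONNECT line (line 1 here).
PROXY_LOG = """\
1685637912.101    221 10.0.0.23 TCP_TUNNEL/200 1839 CONNECT api.telegram.org:443 - HIER_DIRECT/203.0.113.10 -
1685637913.402    318 10.0.0.23 TCP_MISS/200 612 POST https://api.telegram.org/bot5553654095:AAFY7fGm3A2NSyoJOWhzq_VfL3zRwqCo4Ow/sendMessage?chat_id=6183982484 - HIER_DIRECT/203.0.113.10 application/json
1685637950.771    140 10.0.0.41 TCP_MISS/200 5120 GET https://web.telegram.org/k/ - HIER_DIRECT/203.0.113.11 text/html
1685637960.005    200 10.0.0.23 TCP_MISS/200 330 GET https://api.telegram.org/bot5553654095:AAFY7fGm3A2NSyoJOWhzq_VfL3zRwqCo4Ow/getMe - HIER_DIRECT/203.0.113.10 application/json
"""


def scan_proxy_log(text):
    """One finding per request that embeds a bot token; 'exfil' marks the
    methods that actually move data out (getMe exposes the token but no data)."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        fields = line.split()
        if len(fields) < 7:
            continue
        hit = parse_telegram_bot_url(fields[6])
        if hit is None:
            continue
        findings.append({
            "line": lineno,
            "client": fields[2],
            "bot": redact(hit),
            "chat_id": hit["chat_id"],
            "method": hit["method"],
            "exfil": hit["method"].lower() in EXFIL_METHODS,
        })
    return findings


if __name__ == "__main__":
    for finding in scan_proxy_log(PROXY_LOG):
        print(finding)
```

Note that the report prints the token in full; whoever holds it can call the Bot API as that bot, so share the bot id and chat_id as pivots and redact the secret in anything that leaves the team.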

Signatures

  • Snake Keylogger

    Keylogger and Infostealer first seen in November 2020.

  • Snake Keylogger payload 2 IoCs
  • StormKitty

    StormKitty is an open source info stealer written in C#. Snake Keylogger reuses much of its code, so both signatures firing on one sample is expected.

  • StormKitty payload 2 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers commonly harvest stored browser data such as saved credentials, cookies and autofill entries.

  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Gathers network information 2 TTPs 2 IoCs

    Uses the ipconfig command-line utility. In this run it is invoked with /release and /renew, which drop and re-acquire the DHCP lease rather than merely display the configuration.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 26 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\06875699.exe
    "C:\Users\Admin\AppData\Local\Temp\06875699.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:2552
    • C:\Windows\SysWOW64\wscript.exe
      "C:\Windows\System32\wscript.exe" nns.vbe
      2⤵
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:4732
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c ipconfig /release
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:5000
        • C:\Windows\SysWOW64\ipconfig.exe
          ipconfig /release
          4⤵
          • Gathers network information
          PID:4784
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c fxxntm.xls lxriqq.xml
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1568
        • C:\Users\Admin\AppData\Local\Temp\RarSFX0\fxxntm.xls
          fxxntm.xls lxriqq.xml
          4⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • Suspicious use of SetThreadContext
          • Suspicious use of WriteProcessMemory
          PID:2084
          • C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
            "C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
            5⤵
            • Executes dropped EXE
            • Accesses Microsoft Outlook profiles
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of SetWindowsHookEx
            • outlook_office_path
            • outlook_win_path
            PID:3380
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c ipconfig /renew
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3888
        • C:\Windows\SysWOW64\ipconfig.exe
          ipconfig /renew
          4⤵
          • Gathers network information
          PID:3712
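The tree shows the chain worth hunting for: the SFX stub runs wscript.exe on nns.vbe, which spawns cmd.exe to execute fxxntm.xls (an executable carrying a document extension) and to release and renew the DHCP lease, and fxxntm.xls then starts a copy of RegSvcs.exe from Temp that carries the Outlook and SetWindowsHookEx signatures. The following is an added example for this report, not code from the sandbox or the sample: EVENTS is constructed in Sysmon Event ID 1 shape from the PIDs, images and command lines above, and a few hunting rules are replayed over it. The rule names and the DOTNET_HOSTS list (the page only shows RegSvcs.exe; the other names are commonly abused siblings) are this example's own assumptions.

```python
"""Replay the report's process tree against a few hunting rules.
Added example, not part of the report; EVENTS is constructed from the
tree above, rule names and DOTNET_HOSTS are assumptions."""
import ntpath

# Constructed Sysmon Event ID 1 style records mirroring the tree in this report.
EVENTS = [
    {"ProcessId": 2552, "ParentProcessId": 0,
     "Image": r"C:\Users\Admin\AppData\Local\Temp\06875699.exe",
     "CommandLine": r'"C:\Users\Admin\AppData\Local\Temp\06875699.exe"'},
    {"ProcessId": 4732, "ParentProcessId": 2552, "Image": r"C:\Windows\SysWOW64\wscript.exe",
     "CommandLine": r'"C:\Windows\System32\wscript.exe" nns.vbe'},
    {"ProcessId": 5000, "ParentProcessId": 4732, "Image": r"C:\Windows\SysWOW64\cmd.exe",
     "CommandLine": r'"C:\Windows\System32\cmd.exe" /c ipconfig /release'},
    {"ProcessId": 4784, "ParentProcessId": 5000, "Image": r"C:\Windows\SysWOW64\ipconfig.exe",
     "CommandLine": "ipconfig /release"},
    {"ProcessId": 1568, "ParentProcessId": 4732, "Image": r"C:\Windows\SysWOW64\cmd.exe",
     "CommandLine": r'"C:\Windows\System32\cmd.exe" /c fxxntm.xls lxriqq.xml'},
    {"ProcessId": 2084, "ParentProcessId": 1568,
     "Image": r"C:\Users\Admin\AppData\Local\Temp\RarSFX0\fxxntm.xls",
     "CommandLine": "fxxntm.xls lxriqq.xml"},
    {"ProcessId": 3380, "ParentProcessId": 2084,
     "Image": r"C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe",
     "CommandLine": r'"C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"'},
    {"ProcessId": 3888, "ParentProcessId": 4732, "Image": r"C:\Windows\SysWOW64\cmd.exe",
     "CommandLine": r'"C:\Windows\System32\cmd.exe" /c ipconfig /renew'},
    {"ProcessId": 3712, "ParentProcessId": 3888, "Image": r"C:\Windows\SysWOW64\ipconfig.exe",
     "CommandLine": "ipconfig /renew"},
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SCRIPT_EXTS = (".vbe", ".vbs", ".js", ".jse", ".wsf")
EXEC_EXTS = {".exe", ".com", ".scr", ".pif"}
# .NET framework utilities routinely copied out and used as injection hosts (assumed list).
DOTNET_HOSTS = {"regsvcs.exe", "regasm.exe", "installutil.exe", "msbuild.exe", "applaunch.exe"}
DOTNET_HOME = "c:\\windows\\microsoft.net\\"


def basename(path):
    return ntpath.basename(path).lower()


def ancestors(event, by_pid):
    """Yield parent, grandparent, ... until the root or a PID cycle."""
    seen = set()
    parent = by_pid.get(event["ParentProcessId"])
    while parent is not None and parent["ProcessId"] not in seen:
        seen.add(parent["ProcessId"])
        yield parent
        parent = by_pid.get(parent["ParentProcessId"])


def lineage(pid, by_pid):
    """Image basenames from the root of the tree down to pid."""
    event = by_pid[pid]
    chain = [basename(a["Image"]) for a in ancestors(event, by_pid)]
    chain.reverse()
    return chain + [basename(event["Image"])]


def evaluate(events):
    """Return (pid, rule) pairs for every rule each process trips."""
    by_pid = {e["ProcessId"]: e for e in events}
    findings = []
    for e in events:
        pid, image, cmd = e["ProcessId"], basename(e["Image"]), e["CommandLine"].lower()
        args = [t.strip('"') for t in cmd.split()[1:]]
        # 1. Script host launched with a script file as argument (wscript.exe nns.vbe).
        if image in SCRIPT_HOSTS and any(a.endswith(SCRIPT_EXTS) for a in args):
            findings.append((pid, "script_host_runs_script"))
        # 2. A document extension running as a process (fxxntm.xls).
        if ntpath.splitext(image)[1] not in EXEC_EXTS:
            findings.append((pid, "non_exe_extension_executed"))
        # 3. A .NET utility running outside the framework directory (RegSvcs.exe in Temp).
        if image in DOTNET_HOSTS and not e["Image"].lower().startswith(DOTNET_HOME):
            findings.append((pid, "dotnet_utility_outside_framework_dir"))
        # 4. DHCP release/renew with a script host somewhere up the chain.
        if image == "ipconfig.exe" and ("/release" in cmd or "/renew" in cmd) \
                and any(basename(a["Image"]) in SCRIPT_HOSTS for a in ancestors(e, by_pid)):
            findings.append((pid, "dhcp_release_renew_from_script_host"))
    return findings


if __name__ == "__main__":
    by_pid = {e["ProcessId"]: e for e in EVENTS}
    for pid, rule in evaluate(EVENTS):
        print(f"{rule:40} PID {pid}: {' > '.join(lineage(pid, by_pid))}")
```

Rules 2 and 3 are the ones with the best signal here: a process whose image has a .xls extension, and a .NET framework utility started from a user's Temp directory, are both rare in normal fleets, while rule 4 on its own is noisy on machines where scripts legitimately reset networking.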

Network

MITRE ATT&CK Matrix (ATT&CK v6; the number after each technique is the count of signatures above that map to it)

  • Execution
    Command-Line Interface (T1059) 1
  • Persistence
    Registry Run Keys / Startup Folder (T1060) 1
  • Defense Evasion
    Modify Registry (T1112) 1
  • Credential Access
    Credentials in Files (T1081) 1
  • Discovery
    Query Registry (T1012) 1
    System Information Discovery (T1082) 3
  • Collection
    Data from Local System (T1005) 1
    Email Collection (T1114) 1

These are v6 identifiers. In current ATT&CK versions T1060 is T1547.001 (Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder), T1081 is T1552.001 (Unsecured Credentials: Credentials In Files) and the Command-Line Interface entry corresponds to T1059.003 (Windows Command Shell).


Downloads

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\difpsmm.xml
    Filesize

    37KB

    MD5

    40b98e5eaf0cf026fa2bd1db60c09117

    SHA1

    bd0de580e3f68e83ec0f20c49e8e7f9702dd2dfd

    SHA256

    02f2090c1c186424525be9086da807c182ec694c007f0557ea2c1f635901655e

    SHA512

    8473898b3bf09503daa4bba1e9805bbc1be60e0940ffbd3355fd118c5e60858bee44022f86aa5e18f037dd46e245e50d8a16beb4ef701598f2595c17216802fc

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\fxxntm.xls
    Filesize

    2.5MB

    MD5

    6392f0eda094b2e87a318e710ec0d613

    SHA1

    a011c66bad7d90d306c9a9085f50c5b14f316251

    SHA256

    cf2dbbcef3735e85c2e3c4ee03ad01fe39084da5ad8968961b3e66b98d87d235

    SHA512

    76177f53d8f5d13cefb8834222cc7a976ea4f866129d7dcaa65c3b56f450da8fc8fbee16f38cccb5e02aa4f62d6154f1b2358d881899cd33e8a29171aaa0029d

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\lxriqq.xml
    Filesize

    111.1MB

    MD5

    1fcaa9f788f8707f83263b9610907b7b

    SHA1

    1a37c3921ebf5f9e6873d5b1a0dbf1773e2b4a8c

    SHA256

    91b4458d0a2e8e83d5aeecb048984dc8c9c0ed2098e5a63a0ab63c3a427f32cf

    SHA512

    dd42d1a33fb7126f2d7401029ac1ec8d3f5bc88adde1373bdc46e4ce06e9bbc1c642b151502a885b256f2fef40091b1d7258d673c5e17259f3d79acac6330a19

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\nkks.jvx
    Filesize

    216KB

    MD5

    abb2f5e3e20291edb57e01be346b0e21

    SHA1

    ce269857ead41a1de24c2576c85e5923d22be6ee

    SHA256

    f9f3b57977b57f23740be41dc42dc5357a52198dbf133ebd0c5d25a635fc82c0

    SHA512

    6a3552118d439192c8770fd4cef43f62fb0b93a58a5b4f66cdaf280941a2d670547d73a88bb0c3a70fe0c20e0f12bcbc75115b4c900a71dc7a1e9849c301986b

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\nns.vbe
    Filesize

    50KB

    MD5

    88f21be067ebb0b24c8fe546a86cedd9

    SHA1

    2b35d21faa58c47680226abd23bd42992035b8c8

    SHA256

    e4edbb0d323a07e151b6134ef3739aac32a917a5e07a257bff1f992846a7058d

    SHA512

    c515eed973954f0cebe389e0a6f526e10af4033289f83c60bbb2748b932793c637736016675988717278ab9dc9cd8d2e9935e61b2d1d69782afc16261d27a83e

  • C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
    Filesize

    44KB

    MD5

    9d352bc46709f0cb5ec974633a0c3c94

    SHA1

    1969771b2f022f9a86d77ac4d4d239becdf08d07

    SHA256

    2c1eeb7097023c784c2bd040a2005a5070ed6f3a4abf13929377a9e39fab1390

    SHA512

    13c714244ec56beeb202279e4109d59c2a43c3cf29f90a374a751c04fd472b45228ca5a0178f41109ed863dbd34e0879e4a21f5e38ae3d89559c57e6be990a9b

  • memory/3380-283-0x0000000001300000-0x00000000019FF000-memory.dmp
    Filesize

    7.0MB

  • memory/3380-286-0x0000000001300000-0x0000000001326000-memory.dmp
    Filesize

    152KB

  • memory/3380-287-0x00000000066A0000-0x0000000006C44000-memory.dmp
    Filesize

    5.6MB

  • memory/3380-288-0x0000000005FD0000-0x000000000606C000-memory.dmp
    Filesize

    624KB

  • memory/3380-289-0x00000000062A0000-0x00000000062B0000-memory.dmp
    Filesize

    64KB

  • memory/3380-290-0x00000000062A0000-0x00000000062B0000-memory.dmp
    Filesize

    64KB

  • memory/3380-291-0x00000000074F0000-0x0000000007582000-memory.dmp
    Filesize

    584KB

  • memory/3380-292-0x0000000007790000-0x000000000779A000-memory.dmp
    Filesize

    40KB