Analysis
- max time kernel: 146s
- max time network: 152s
- platform: windows10-2004_x64
- resource: win10v2004-20230220-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 01-06-2023 16:45

Static task: static1

Behavioral task: behavioral1
- Sample: 06875699.exe
- Resource: win7-20230220-en

Behavioral task: behavioral2
- Sample: 06875699.exe
- Resource: win10v2004-20230220-en
General
- Target: 06875699.exe
- Size: 1.4MB
- MD5: c618ea88580dc6cf97c2fee2cd8d8bc5
- SHA1: f995cadb36e461cee8c47fecc1c3efba8943c6da
- SHA256: b2e76f7da4513cd15aa3846c9a40fa3cb20c60635befebef6efe543f16079912
- SHA512: 8af32d570a66d4869e3dbfe939ba6b15ec57392e1c433274670a85fda144953db9c17a3d1958b63beaa2b2f3069c6b6f16284f8709bfb6b89b65c12f9e965372
- SSDEEP: 24576:lTbBv5rUFcDYfTPmHkhj63zSBsPMQQO6ZNqmSEF9SvXeMi0j8x+B5A4d7UGOQ8OR:PBHuTOHkl6jCsPMQQZcmSvXeMdj8xyxl
Malware Config
Extracted
- Family: snakekeylogger
- C2 (Telegram bot API endpoint): https://api.telegram.org/bot5553654095:AAFY7fGm3A2NSyoJOWhzq_VfL3zRwqCo4Ow/sendMessage?chat_id=6183982484
Signatures

- Snake Keylogger
  Keylogger and Infostealer first seen in November 2020.

- Snake Keylogger payload (2 IoCs)
  resource | yara_rule
  behavioral2/memory/3380-283-0x0000000001300000-0x00000000019FF000-memory.dmp | family_snakekeylogger
  behavioral2/memory/3380-286-0x0000000001300000-0x0000000001326000-memory.dmp | family_snakekeylogger

- StormKitty
  StormKitty is an open source info stealer written in C#.

- StormKitty payload (2 IoCs)
  resource | yara_rule
  behavioral2/memory/3380-283-0x0000000001300000-0x00000000019FF000-memory.dmp | family_stormkitty
  behavioral2/memory/3380-286-0x0000000001300000-0x0000000001326000-memory.dmp | family_stormkitty

- Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up the country code configured in the registry, likely for geofencing.
  Processes: 06875699.exe, wscript.exe
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation | 06875699.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation | wscript.exe

- Executes dropped EXE (2 IoCs)
  Processes: fxxntm.xls, RegSvcs.exe
  pid | process
  2084 | fxxntm.xls
  3380 | RegSvcs.exe

- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

- Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
  Processes: RegSvcs.exe
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | RegSvcs.exe
  Key opened | \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | RegSvcs.exe
  Key opened | \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | RegSvcs.exe

- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes: fxxntm.xls
  description | ioc | process
  Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | fxxntm.xls
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "0\\qatm\\fxxntm.xls 0\\qatm\\lxriqq.xml" | fxxntm.xls

- Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow | ioc
  30 | checkip.dyndns.org

- Suspicious use of SetThreadContext (1 IoC)
  Processes: fxxntm.xls
  description | pid | process | target process
  PID 2084 set thread context of 3380 | 2084 | fxxntm.xls | RegSvcs.exe

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

- Gathers network information (2 TTPs, 2 IoCs)
  Uses a command-line utility to view the network configuration.
  Processes: ipconfig.exe, ipconfig.exe
  pid | process
  4784 | ipconfig.exe
  3712 | ipconfig.exe

- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes: RegSvcs.exe
  pid | process
  3380 | RegSvcs.exe
  3380 | RegSvcs.exe

- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes: RegSvcs.exe
  description | pid | process
  Token: SeDebugPrivilege | 3380 | RegSvcs.exe

- Suspicious use of SetWindowsHookEx (1 IoC)
  Processes: RegSvcs.exe
  pid | process
  3380 | RegSvcs.exe

- Suspicious use of WriteProcessMemory (26 IoCs)
  Processes: 06875699.exe, wscript.exe, cmd.exe, cmd.exe, cmd.exe, fxxntm.xls
  description | pid | process | target process | events
  PID 2552 wrote to memory of 4732 | 2552 | 06875699.exe | wscript.exe | 3
  PID 4732 wrote to memory of 5000 | 4732 | wscript.exe | cmd.exe | 3
  PID 4732 wrote to memory of 1568 | 4732 | wscript.exe | cmd.exe | 3
  PID 5000 wrote to memory of 4784 | 5000 | cmd.exe | ipconfig.exe | 3
  PID 1568 wrote to memory of 2084 | 1568 | cmd.exe | fxxntm.xls | 3
  PID 4732 wrote to memory of 3888 | 4732 | wscript.exe | cmd.exe | 3
  PID 3888 wrote to memory of 3712 | 3888 | cmd.exe | ipconfig.exe | 3
  PID 2084 wrote to memory of 3380 | 2084 | fxxntm.xls | RegSvcs.exe | 5

- outlook_office_path (1 IoC)
  Processes: RegSvcs.exe
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | RegSvcs.exe

- outlook_win_path (1 IoC)
  Processes: RegSvcs.exe
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | RegSvcs.exe
Processes (process tree; indentation shows parent/child relationships)

C:\Users\Admin\AppData\Local\Temp\06875699.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\06875699.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\wscript.exe
    Command line: "C:\Windows\System32\wscript.exe" nns.vbe
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c ipconfig /release
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\ipconfig.exe
        Command line: ipconfig /release
        - Gathers network information

    C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c fxxntm.xls lxriqq.xml
      - Suspicious use of WriteProcessMemory

      C:\Users\Admin\AppData\Local\Temp\RarSFX0\fxxntm.xls
        Command line: fxxntm.xls lxriqq.xml
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious use of SetThreadContext
        - Suspicious use of WriteProcessMemory

        C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
          - Executes dropped EXE
          - Accesses Microsoft Outlook profiles
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of SetWindowsHookEx
          - outlook_office_path
          - outlook_win_path

    C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c ipconfig /renew
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\ipconfig.exe
        Command line: ipconfig /renew
        - Gathers network information
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\difpsmm.xml
- Filesize: 37KB
- MD5: 40b98e5eaf0cf026fa2bd1db60c09117
- SHA1: bd0de580e3f68e83ec0f20c49e8e7f9702dd2dfd
- SHA256: 02f2090c1c186424525be9086da807c182ec694c007f0557ea2c1f635901655e
- SHA512: 8473898b3bf09503daa4bba1e9805bbc1be60e0940ffbd3355fd118c5e60858bee44022f86aa5e18f037dd46e245e50d8a16beb4ef701598f2595c17216802fc

C:\Users\Admin\AppData\Local\Temp\RarSFX0\fxxntm.xls
- Filesize: 2.5MB
- MD5: 6392f0eda094b2e87a318e710ec0d613
- SHA1: a011c66bad7d90d306c9a9085f50c5b14f316251
- SHA256: cf2dbbcef3735e85c2e3c4ee03ad01fe39084da5ad8968961b3e66b98d87d235
- SHA512: 76177f53d8f5d13cefb8834222cc7a976ea4f866129d7dcaa65c3b56f450da8fc8fbee16f38cccb5e02aa4f62d6154f1b2358d881899cd33e8a29171aaa0029d

C:\Users\Admin\AppData\Local\Temp\RarSFX0\lxriqq.xml
- Filesize: 111.1MB
- MD5: 1fcaa9f788f8707f83263b9610907b7b
- SHA1: 1a37c3921ebf5f9e6873d5b1a0dbf1773e2b4a8c
- SHA256: 91b4458d0a2e8e83d5aeecb048984dc8c9c0ed2098e5a63a0ab63c3a427f32cf
- SHA512: dd42d1a33fb7126f2d7401029ac1ec8d3f5bc88adde1373bdc46e4ce06e9bbc1c642b151502a885b256f2fef40091b1d7258d673c5e17259f3d79acac6330a19

C:\Users\Admin\AppData\Local\Temp\RarSFX0\nkks.jvx
- Filesize: 216KB
- MD5: abb2f5e3e20291edb57e01be346b0e21
- SHA1: ce269857ead41a1de24c2576c85e5923d22be6ee
- SHA256: f9f3b57977b57f23740be41dc42dc5357a52198dbf133ebd0c5d25a635fc82c0
- SHA512: 6a3552118d439192c8770fd4cef43f62fb0b93a58a5b4f66cdaf280941a2d670547d73a88bb0c3a70fe0c20e0f12bcbc75115b4c900a71dc7a1e9849c301986b

C:\Users\Admin\AppData\Local\Temp\RarSFX0\nns.vbe
- Filesize: 50KB
- MD5: 88f21be067ebb0b24c8fe546a86cedd9
- SHA1: 2b35d21faa58c47680226abd23bd42992035b8c8
- SHA256: e4edbb0d323a07e151b6134ef3739aac32a917a5e07a257bff1f992846a7058d
- SHA512: c515eed973954f0cebe389e0a6f526e10af4033289f83c60bbb2748b932793c637736016675988717278ab9dc9cd8d2e9935e61b2d1d69782afc16261d27a83e

C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
- Filesize: 44KB
- MD5: 9d352bc46709f0cb5ec974633a0c3c94
- SHA1: 1969771b2f022f9a86d77ac4d4d239becdf08d07
- SHA256: 2c1eeb7097023c784c2bd040a2005a5070ed6f3a4abf13929377a9e39fab1390
- SHA512: 13c714244ec56beeb202279e4109d59c2a43c3cf29f90a374a751c04fd472b45228ca5a0178f41109ed863dbd34e0879e4a21f5e38ae3d89559c57e6be990a9b

Memory dumps (filename: size)
- memory/3380-283-0x0000000001300000-0x00000000019FF000-memory.dmp: 7.0MB
- memory/3380-286-0x0000000001300000-0x0000000001326000-memory.dmp: 152KB
- memory/3380-287-0x00000000066A0000-0x0000000006C44000-memory.dmp: 5.6MB
- memory/3380-288-0x0000000005FD0000-0x000000000606C000-memory.dmp: 624KB
- memory/3380-289-0x00000000062A0000-0x00000000062B0000-memory.dmp: 64KB
- memory/3380-290-0x00000000062A0000-0x00000000062B0000-memory.dmp: 64KB
- memory/3380-291-0x00000000074F0000-0x0000000007582000-memory.dmp: 584KB
- memory/3380-292-0x0000000007790000-0x000000000779A000-memory.dmp: 40KB