Analysis
max time kernel: 143s
max time network: 115s
platform: windows7_x64
resource: win7-20230220-en
resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
submitted: 02-06-2023 09:16

Static task: static1
Behavioral task: behavioral1
  Sample: 4589098654345SK.exe
  Resource: win7-20230220-en
Behavioral task: behavioral2
  Sample: 4589098654345SK.exe
  Resource: win10v2004-20230220-en
General
Target: 4589098654345SK.exe
Size: 270KB
MD5: 67fc49b3cb7052507170c6d58da57e7d
SHA1: 68b373cf1c9977d53c655f5dd8246e3d4546b1b3
SHA256: 5f4d2798e71ac2cd0315a6d1ed4c5fcb51d445bdf60a574d51ca673b90172780
SHA512: ca5a20352a08d81e66db30718f507195a52e108d625ab0b0d78a0c757a587f271e17fc61988cbe1d25987bf147f0b36b44a76fda1c4d9a2dbc07ee682b334821
SSDEEP: 6144:PYa6sVyBOAJdgdGJ2xoxxOSmqu8G+UCYKZBYeGqZYjVNDm2TcVkUBm:PYW2OEleBsu8QCYKjCq6jVNDmpS
Malware Config
Signatures
- Snake Keylogger
  Keylogger and Infostealer first seen in November 2020.
- Snake Keylogger payload (4 IoCs)
  Processes:
    resource                                                                      yara_rule
    behavioral1/memory/1200-62-0x0000000000400000-0x0000000000437000-memory.dmp    family_snakekeylogger
    behavioral1/memory/1200-64-0x0000000000400000-0x0000000000437000-memory.dmp    family_snakekeylogger
    behavioral1/memory/1200-65-0x00000000003E0000-0x0000000000406000-memory.dmp    family_snakekeylogger
    behavioral1/memory/1200-66-0x0000000000400000-0x0000000000437000-memory.dmp    family_snakekeylogger
- Loads dropped DLL (1 IoC)
  Processes: 4589098654345SK.exe
    pid    process
    1116   4589098654345SK.exe
- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk where infostealers will often target it.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
  Processes: 4589098654345SK.exe
    description   ioc                                                                                                                                                                                  process
    Key opened    \REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676   4589098654345SK.exe
    Key opened    \REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676                                   4589098654345SK.exe
    Key opened    \REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676                                   4589098654345SK.exe
- Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes:
    flow   ioc
    3      checkip.dyndns.org
- Suspicious use of SetThreadContext (1 IoC)
  Processes: 4589098654345SK.exe
    description                           pid    process               target process
    PID 1116 set thread context of 1200   1116   4589098654345SK.exe   4589098654345SK.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes: 4589098654345SK.exe
    pid    process
    1200   4589098654345SK.exe
    1200   4589098654345SK.exe
- Suspicious behavior: MapViewOfSection (1 IoC)
  Processes: 4589098654345SK.exe
    pid    process
    1116   4589098654345SK.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes: 4589098654345SK.exe
    description               pid    process
    Token: SeDebugPrivilege   1200   4589098654345SK.exe
- Suspicious use of WriteProcessMemory (5 IoCs)
  Processes: 4589098654345SK.exe
    description                        pid    process               target process
    PID 1116 wrote to memory of 1200   1116   4589098654345SK.exe   4589098654345SK.exe
    PID 1116 wrote to memory of 1200   1116   4589098654345SK.exe   4589098654345SK.exe
    PID 1116 wrote to memory of 1200   1116   4589098654345SK.exe   4589098654345SK.exe
    PID 1116 wrote to memory of 1200   1116   4589098654345SK.exe   4589098654345SK.exe
    PID 1116 wrote to memory of 1200   1116   4589098654345SK.exe   4589098654345SK.exe
- outlook_office_path (1 IoC)
  Processes: 4589098654345SK.exe
    description   ioc                                                                                                                                                  process
    Key opened    \REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676   4589098654345SK.exe
- outlook_win_path (1 IoC)
  Processes: 4589098654345SK.exe
    description   ioc                                                                                                                                                                                  process
    Key opened    \REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676   4589098654345SK.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\4589098654345SK.exe (process tree depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\4589098654345SK.exe"
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
- C:\Users\Admin\AppData\Local\Temp\4589098654345SK.exe (process tree depth 2)
  Command line: "C:\Users\Admin\AppData\Local\Temp\4589098654345SK.exe"
  - Accesses Microsoft Outlook profiles
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - outlook_office_path
  - outlook_win_path
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\nso8098.tmp\kbxvlys.dll
  Filesize: 84KB
  MD5: de58963eb520c52e33193991aa71ea6f
  SHA1: dd9aa1975005a15988ea6233a89596b828447bdb
  SHA256: e800149c8398a9728ce3f52e32f4d26aa995715e1e79d16226d992d8aaa58e95
  SHA512: e6ee7f74222584bfba6ec6c222865693ce0102ab757c420de85e0abd8192b67824ee4744a56658735be652bbba39f5a60a1370146431a55b80e149840623e2be
- \Users\Admin\AppData\Local\Temp\nso8098.tmp\kbxvlys.dll
  Filesize: 84KB
  MD5: de58963eb520c52e33193991aa71ea6f
  SHA1: dd9aa1975005a15988ea6233a89596b828447bdb
  SHA256: e800149c8398a9728ce3f52e32f4d26aa995715e1e79d16226d992d8aaa58e95
  SHA512: e6ee7f74222584bfba6ec6c222865693ce0102ab757c420de85e0abd8192b67824ee4744a56658735be652bbba39f5a60a1370146431a55b80e149840623e2be
- memory/1200-62-0x0000000000400000-0x0000000000437000-memory.dmp
  Filesize: 220KB
- memory/1200-64-0x0000000000400000-0x0000000000437000-memory.dmp
  Filesize: 220KB
- memory/1200-65-0x00000000003E0000-0x0000000000406000-memory.dmp
  Filesize: 152KB
- memory/1200-66-0x0000000000400000-0x0000000000437000-memory.dmp
  Filesize: 220KB
- memory/1200-67-0x0000000002040000-0x0000000002080000-memory.dmp
  Filesize: 256KB