Analysis
-
max time kernel
49s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20230220-en -
resource tags
arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system -
submitted
02-06-2023 14:10
Static task
static1
Behavioral task
behavioral1
Sample
file.exe
Resource
win7-20230220-en
Behavioral task
behavioral2
Sample
file.exe
Resource
win10v2004-20230220-en
General
-
Target
file.exe
-
Size
390KB
-
MD5
66244fb1118f70553439a5afc47529ac
-
SHA1
68250dcc265970b31d6fed79c008fe0972eec12c
-
SHA256
8973a01c5fb01195763577375cc5e3b223c5ed680cbd646a0924cbcb37150ebb
-
SHA512
8cd236ee3ab5ce209264cdbb3d00acc4399489474e47ef6e231d76fdd704a07b4060ca20e46f5e2ea618963dd4cb38fe38c4e91b42e79b7c2bdc68756d3719cb
-
SSDEEP
6144:cTzoeC71TFqddJYDqR2B19LuduY0XoJt6FW9mVou0art+obeVxJAK/ngEdfbL2:KzDqRkGDqMnXhYJt6zSu0kMOWD3/ge/2
Malware Config
Extracted
snakekeylogger
https://api.telegram.org/bot6029559841:AAEqr8_NCfqapJgAzw8PoPbqoCosnsk1VO0/sendMessage?chat_id=6033043077
Signatures
-
Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
-
Snake Keylogger payload 3 IoCs
Processes:
resource yara_rule behavioral1/memory/1492-81-0x0000000000400000-0x0000000000426000-memory.dmp family_snakekeylogger behavioral1/memory/1492-85-0x0000000000400000-0x0000000000426000-memory.dmp family_snakekeylogger behavioral1/memory/1492-83-0x0000000000400000-0x0000000000426000-memory.dmp family_snakekeylogger -
Processes:
svchost.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" svchost.exe -
Looks for VirtualBox Guest Additions in registry 2 TTPs 2 IoCs
Processes:
file.exesvchost.exedescription ioc process Key opened \REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions file.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions svchost.exe -
Looks for VMWare Tools registry key 2 TTPs 2 IoCs
Processes:
svchost.exefile.exedescription ioc process Key opened \REGISTRY\MACHINE\SOFTWARE\VMware, Inc.\VMware Tools svchost.exe Key opened \REGISTRY\MACHINE\SOFTWARE\VMware, Inc.\VMware Tools file.exe -
Sets service image path in registry 2 TTPs 1 IoCs
Processes:
svchost.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\TaskKill\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\Иисус.sys" svchost.exe -
Checks BIOS information in registry 2 TTPs 4 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
file.exesvchost.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion file.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion file.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion svchost.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion svchost.exe -
Executes dropped EXE 1 IoCs
Processes:
svchost.exepid process 1648 svchost.exe -
Loads dropped DLL 1 IoCs
Processes:
cmd.exepid process 1800 cmd.exe -
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
Processes:
jsc.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 jsc.exe Key opened \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 jsc.exe Key opened \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 jsc.exe -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
file.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost = "\"C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe\"" file.exe -
Processes:
svchost.exedescription ioc process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA svchost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" svchost.exe -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 3 checkip.dyndns.org -
Maps connected drives based on registry 3 TTPs 4 IoCs
Disk information is often read in order to detect sandboxing environments.
Processes:
svchost.exefile.exedescription ioc process Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum file.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 file.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum svchost.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
svchost.exedescription pid process target process PID 1648 set thread context of 1492 1648 svchost.exe jsc.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Delays execution with timeout.exe 1 IoCs
Processes:
timeout.exepid process 828 timeout.exe -
Suspicious behavior: EnumeratesProcesses 10 IoCs
Processes:
file.exepowershell.exesvchost.exejsc.exepid process 1160 file.exe 1228 powershell.exe 1648 svchost.exe 1648 svchost.exe 1648 svchost.exe 1648 svchost.exe 1648 svchost.exe 1648 svchost.exe 1492 jsc.exe 1492 jsc.exe -
Suspicious behavior: LoadsDriver 1 IoCs
Processes:
svchost.exepid process 1648 svchost.exe -
Suspicious use of AdjustPrivilegeToken 6 IoCs
Processes:
file.exesvchost.exepowershell.exejsc.exedescription pid process Token: SeDebugPrivilege 1160 file.exe Token: SeDebugPrivilege 1648 svchost.exe Token: SeDebugPrivilege 1648 svchost.exe Token: SeLoadDriverPrivilege 1648 svchost.exe Token: SeDebugPrivilege 1228 powershell.exe Token: SeDebugPrivilege 1492 jsc.exe -
Suspicious use of WriteProcessMemory 40 IoCs
Processes:
file.execmd.execmd.exesvchost.exejsc.exedescription pid process target process PID 1160 wrote to memory of 1704 1160 file.exe cmd.exe PID 1160 wrote to memory of 1704 1160 file.exe cmd.exe PID 1160 wrote to memory of 1704 1160 file.exe cmd.exe PID 1704 wrote to memory of 572 1704 cmd.exe schtasks.exe PID 1704 wrote to memory of 572 1704 cmd.exe schtasks.exe PID 1704 wrote to memory of 572 1704 cmd.exe schtasks.exe PID 1160 wrote to memory of 1800 1160 file.exe cmd.exe PID 1160 wrote to memory of 1800 1160 file.exe cmd.exe PID 1160 wrote to memory of 1800 1160 file.exe cmd.exe PID 1800 wrote to memory of 828 1800 cmd.exe timeout.exe PID 1800 wrote to memory of 828 1800 cmd.exe timeout.exe PID 1800 wrote to memory of 828 1800 cmd.exe timeout.exe PID 1800 wrote to memory of 1648 1800 cmd.exe svchost.exe PID 1800 wrote to memory of 1648 1800 cmd.exe svchost.exe PID 1800 wrote to memory of 1648 1800 cmd.exe svchost.exe PID 1648 wrote to memory of 1228 1648 svchost.exe powershell.exe PID 1648 wrote to memory of 1228 1648 svchost.exe powershell.exe PID 1648 wrote to memory of 1228 1648 svchost.exe powershell.exe PID 1648 wrote to memory of 1712 1648 svchost.exe MSBuild.exe PID 1648 wrote to memory of 1712 1648 svchost.exe MSBuild.exe PID 1648 wrote to memory of 1712 1648 svchost.exe MSBuild.exe PID 1648 wrote to memory of 276 1648 svchost.exe EdmGen.exe PID 1648 wrote to memory of 276 1648 svchost.exe EdmGen.exe PID 1648 wrote to memory of 276 1648 svchost.exe EdmGen.exe PID 1648 wrote to memory of 800 1648 svchost.exe InstallUtil.exe PID 1648 wrote to memory of 800 1648 svchost.exe InstallUtil.exe PID 1648 wrote to memory of 800 1648 svchost.exe InstallUtil.exe PID 1648 wrote to memory of 1492 1648 svchost.exe jsc.exe PID 1648 wrote to memory of 1492 1648 svchost.exe jsc.exe PID 1648 wrote to memory of 1492 1648 svchost.exe jsc.exe PID 1648 wrote to memory of 1492 1648 svchost.exe jsc.exe PID 1648 wrote to memory of 1492 1648 svchost.exe jsc.exe PID 1648 wrote to memory of 1492 1648 svchost.exe jsc.exe PID 1648 wrote to memory of 1492 1648 svchost.exe jsc.exe PID 1648 wrote to memory of 1492 1648 svchost.exe jsc.exe PID 1648 wrote to memory of 1492 1648 svchost.exe jsc.exe PID 1492 wrote to memory of 1692 1492 jsc.exe netsh.exe PID 1492 wrote to memory of 1692 1492 jsc.exe netsh.exe PID 1492 wrote to memory of 1692 1492 jsc.exe netsh.exe PID 1492 wrote to memory of 1692 1492 jsc.exe netsh.exe -
System policy modification 1 TTPs 1 IoCs
Processes:
svchost.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" svchost.exe -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
outlook_office_path 1 IoCs
Processes:
jsc.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 jsc.exe -
outlook_win_path 1 IoCs
Processes:
jsc.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 jsc.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\file.exe"C:\Users\Admin\AppData\Local\Temp\file.exe"1⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Adds Run key to start application
- Maps connected drives based on registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"' & exit2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exeschtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"'3⤵
- Creates scheduled task(s)
-
C:\Windows\system32\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp147B.tmp.bat""2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\timeout.exetimeout 33⤵
- Delays execution with timeout.exe
-
C:\Users\Admin\AppData\Roaming\svchost.exe"C:\Users\Admin\AppData\Roaming\svchost.exe"3⤵
- UAC bypass
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Sets service image path in registry
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\svchost.exe" -Force4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe"4⤵
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\EdmGen.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\EdmGen.exe"4⤵
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"4⤵
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe"4⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- outlook_office_path
- outlook_win_path
-
C:\Windows\SysWOW64\netsh.exe"netsh" wlan show profile5⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\tmp147B.tmp.batFilesize
151B
MD5d042c75ad7219a5988419c0f38dee87e
SHA198d723e48af5d2949d1e6865f9d36a282fc1c99a
SHA256d0a722cb28fd37fed6f8aa819c3876705c94ab09df7c90befe061a1c08bcfb82
SHA5122e8600a5f926da6728898b9f660e24df265469ec06e3ba50257dcb6f3a777168dc9ea3b4f0669cd9c1313fb0a87be4b2a2e465cb8cbc3de155f2efdf791b43de
-
C:\Users\Admin\AppData\Local\Temp\tmp147B.tmp.batFilesize
151B
MD5d042c75ad7219a5988419c0f38dee87e
SHA198d723e48af5d2949d1e6865f9d36a282fc1c99a
SHA256d0a722cb28fd37fed6f8aa819c3876705c94ab09df7c90befe061a1c08bcfb82
SHA5122e8600a5f926da6728898b9f660e24df265469ec06e3ba50257dcb6f3a777168dc9ea3b4f0669cd9c1313fb0a87be4b2a2e465cb8cbc3de155f2efdf791b43de
-
C:\Users\Admin\AppData\Roaming\svchost.exeFilesize
390KB
MD566244fb1118f70553439a5afc47529ac
SHA168250dcc265970b31d6fed79c008fe0972eec12c
SHA2568973a01c5fb01195763577375cc5e3b223c5ed680cbd646a0924cbcb37150ebb
SHA5128cd236ee3ab5ce209264cdbb3d00acc4399489474e47ef6e231d76fdd704a07b4060ca20e46f5e2ea618963dd4cb38fe38c4e91b42e79b7c2bdc68756d3719cb
-
C:\Users\Admin\AppData\Roaming\svchost.exeFilesize
390KB
MD566244fb1118f70553439a5afc47529ac
SHA168250dcc265970b31d6fed79c008fe0972eec12c
SHA2568973a01c5fb01195763577375cc5e3b223c5ed680cbd646a0924cbcb37150ebb
SHA5128cd236ee3ab5ce209264cdbb3d00acc4399489474e47ef6e231d76fdd704a07b4060ca20e46f5e2ea618963dd4cb38fe38c4e91b42e79b7c2bdc68756d3719cb
-
\Users\Admin\AppData\Roaming\svchost.exeFilesize
390KB
MD566244fb1118f70553439a5afc47529ac
SHA168250dcc265970b31d6fed79c008fe0972eec12c
SHA2568973a01c5fb01195763577375cc5e3b223c5ed680cbd646a0924cbcb37150ebb
SHA5128cd236ee3ab5ce209264cdbb3d00acc4399489474e47ef6e231d76fdd704a07b4060ca20e46f5e2ea618963dd4cb38fe38c4e91b42e79b7c2bdc68756d3719cb
-
memory/1160-54-0x0000000000B20000-0x0000000000B86000-memory.dmpFilesize
408KB
-
memory/1160-55-0x000000001BEE0000-0x000000001BF60000-memory.dmpFilesize
512KB
-
memory/1228-79-0x0000000002900000-0x0000000002980000-memory.dmpFilesize
512KB
-
memory/1228-76-0x000000001B160000-0x000000001B442000-memory.dmpFilesize
2.9MB
-
memory/1228-77-0x0000000001F50000-0x0000000001F58000-memory.dmpFilesize
32KB
-
memory/1228-78-0x0000000002900000-0x0000000002980000-memory.dmpFilesize
512KB
-
memory/1228-80-0x0000000002900000-0x0000000002980000-memory.dmpFilesize
512KB
-
memory/1492-81-0x0000000000400000-0x0000000000426000-memory.dmpFilesize
152KB
-
memory/1492-85-0x0000000000400000-0x0000000000426000-memory.dmpFilesize
152KB
-
memory/1492-83-0x0000000000400000-0x0000000000426000-memory.dmpFilesize
152KB
-
memory/1492-86-0x0000000004D00000-0x0000000004D40000-memory.dmpFilesize
256KB
-
memory/1492-87-0x0000000004D00000-0x0000000004D40000-memory.dmpFilesize
256KB
-
memory/1648-70-0x00000000011F0000-0x0000000001270000-memory.dmpFilesize
512KB
-
memory/1648-69-0x0000000001270000-0x00000000012D6000-memory.dmpFilesize
408KB