Analysis
- max time kernel: 143s
- max time network: 128s
- platform: windows10-2004_x64
- resource: win10v2004-20230220-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 10-06-2023 10:03
Static task: static1
Behavioral task: behavioral1
- Sample: SHDG0009000.exe
- Resource: win7-20230220-en
Behavioral task: behavioral2
- Sample: SHDG0009000.exe
- Resource: win10v2004-20230220-en
All signature hits and memory dumps listed below come from behavioral2 (win10v2004-20230220-en), the platform named in the Analysis header.
General
- Target: SHDG0009000.exe
- Size: 345KB
- MD5: 734f19391aa55187a0e540af6e2b3637
- SHA1: dd94a19920398360fecfc7e79b4e194cd62f8e12
- SHA256: faa080e3c029ae675ef5c38b3884e171b70e2460f8df551a0764e06249ce349d
- SHA512: 2956ca789af8bcfe88722bfe0b8ca49bbe8845d74d56f8d902b3018d62f49e940ee8d3a51be80064213c6fad253b43da94b92b37e75d98c5077b922ede2eb52e
- SSDEEP: 6144:PYa6QVyvfLj2dX3m0ePci6R5FpcdFe7PjZ1UlZiqvfMKjRvSP8roc0m/YWg7XtwX:PYqMCHmDx61idFezjZ1ULi80KNKPUX0O
Malware Config
Signatures
- Snake Keylogger
  Keylogger and infostealer first seen in November 2020.
- Snake Keylogger payload (5 IoCs)
  Matches (resource / yara_rule):
  behavioral2/memory/1408-140-0x0000000000400000-0x0000000000437000-memory.dmp  family_snakekeylogger
  behavioral2/memory/1408-141-0x0000000000400000-0x0000000000437000-memory.dmp  family_snakekeylogger
  behavioral2/memory/1408-142-0x0000000000400000-0x0000000000437000-memory.dmp  family_snakekeylogger
  behavioral2/memory/1408-143-0x0000000000400000-0x0000000000437000-memory.dmp  family_snakekeylogger
  behavioral2/memory/1408-154-0x0000000004980000-0x0000000004990000-memory.dmp  family_snakekeylogger
- Loads dropped DLL (1 IoC)
  Processes (pid / process):
  4596  SHDG0009000.exe
- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk, where infostealers often target it.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials.
- Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
  Processes (description / ioc / process):
  Key opened  \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  SHDG0009000.exe
  Key opened  \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  SHDG0009000.exe
  Key opened  \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  SHDG0009000.exe
- Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Network (flow / ioc):
  13  checkip.dyndns.org
- Suspicious use of SetThreadContext (1 IoC)
  Processes (description / pid / process / target process):
  PID 4596 set thread context of 1408  4596  SHDG0009000.exe  SHDG0009000.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes (pid / process):
  1408  SHDG0009000.exe
  1408  SHDG0009000.exe
- Suspicious behavior: MapViewOfSection (1 IoC)
  Processes (pid / process):
  4596  SHDG0009000.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes (description / pid / process):
  Token: SeDebugPrivilege  1408  SHDG0009000.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes (description / pid / process / target process):
  PID 4596 wrote to memory of 1408  4596  SHDG0009000.exe  SHDG0009000.exe
  PID 4596 wrote to memory of 1408  4596  SHDG0009000.exe  SHDG0009000.exe
  PID 4596 wrote to memory of 1408  4596  SHDG0009000.exe  SHDG0009000.exe
  PID 4596 wrote to memory of 1408  4596  SHDG0009000.exe  SHDG0009000.exe
- outlook_office_path (1 IoC)
  Processes (description / ioc / process):
  Key opened  \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  SHDG0009000.exe
- outlook_win_path (1 IoC)
  Processes (description / ioc / process):
  Key opened  \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  SHDG0009000.exe
Processes
The first instance of the sample (PID 4596, per the signature rows above) starts a second copy of itself (PID 1408), writes into it and sets its thread context; the Snake Keylogger payload is then found in the memory of PID 1408.
- C:\Users\Admin\AppData\Local\Temp\SHDG0009000.exe (PID 4596)
  Command line: "C:\Users\Admin\AppData\Local\Temp\SHDG0009000.exe"
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\SHDG0009000.exe (PID 1408, child of 4596)
    Command line: "C:\Users\Admin\AppData\Local\Temp\SHDG0009000.exe"
    - Accesses Microsoft Outlook profiles
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path
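Read together, the SetThreadContext, WriteProcessMemory and MapViewOfSection rows are the self-injection (process hollowing) sequence: one instance of SHDG0009000.exe starts a second copy of itself, writes into it and redirects its thread, and the child then opens the Outlook profile keys and resolves checkip.dyndns.org. The Python below is an added example, not part of this report or of any sandbox's own code; it shows how rows like the ones above can be correlated into findings. The event list is hand-constructed to mirror the report (PIDs 4596 and 1408, the two Outlook profile key shapes, the IP-lookup host, plus one unrelated registry key as a negative control); the field names (api, pid, target_pid, key, host), the hku() helper and the IP_LOOKUP_HOSTS set are this example's own assumptions.

```python
import json
import re
from collections import defaultdict

# SID of the sandbox user, copied from the report's registry rows.
SID = "S-1-5-21-2275444769-3691835758-4097679484-1000"


def hku(subkey):
    """Build a native-format registry path under the sandbox user's hive (example helper)."""
    return "\\REGISTRY\\USER\\" + SID + "\\" + subkey


# Constructed sample events mirroring the report's signature rows; the field
# names are this example's own, not a sandbox's export format.
SAMPLE_EVENTS = [
    {"api": "NtMapViewOfSection", "pid": 4596, "process": "SHDG0009000.exe"},
] + [
    {"api": "WriteProcessMemory", "pid": 4596, "process": "SHDG0009000.exe",
     "target_pid": 1408, "target_process": "SHDG0009000.exe"}
    for _ in range(4)  # the report lists four writes from 4596 into 1408
] + [
    {"api": "SetThreadContext", "pid": 4596, "process": "SHDG0009000.exe",
     "target_pid": 1408, "target_process": "SHDG0009000.exe"},
    {"api": "AdjustPrivilegeToken", "pid": 1408, "process": "SHDG0009000.exe",
     "privilege": "SeDebugPrivilege"},
    {"api": "RegOpenKey", "pid": 1408, "process": "SHDG0009000.exe",
     "key": hku(r"Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676")},
    {"api": "RegOpenKey", "pid": 1408, "process": "SHDG0009000.exe",
     "key": hku(r"Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676")},
    # Negative control (constructed): an ordinary key that must not match.
    {"api": "RegOpenKey", "pid": 1408, "process": "SHDG0009000.exe",
     "key": hku(r"Software\Microsoft\Windows\CurrentVersion\Explorer")},
    {"api": "DnsQuery", "pid": 1408, "process": "SHDG0009000.exe",
     "host": "checkip.dyndns.org"},
]

# Both Outlook profile locations the report shows: the Office 15.0/16.0 path and
# the Windows Messaging Subsystem path.
OUTLOOK_PROFILE_RE = re.compile(
    r"\\Software\\Microsoft\\"
    r"(?:Office\\\d+\.\d+\\Outlook|Windows NT\\CurrentVersion\\Windows Messaging Subsystem)"
    r"\\Profiles\\",
    re.IGNORECASE,
)

# Only the service this report shows; extend from your own telemetry (assumption).
IP_LOOKUP_HOSTS = {"checkip.dyndns.org"}


def find_hollowing(events):
    """Pair cross-process WriteProcessMemory calls with a SetThreadContext on the
    same (writer, target) pair; the combination is the hollowing pattern this
    report flags. Same-process calls are ignored."""
    writes = defaultdict(int)
    redirected = set()
    images = {}
    for e in events:
        target = e.get("target_pid")
        if target is None or target == e["pid"]:
            continue  # not cross-process
        pair = (e["pid"], target)
        images[pair] = (e["process"], e["target_process"])
        if e["api"] == "WriteProcessMemory":
            writes[pair] += 1
        elif e["api"] == "SetThreadContext":
            redirected.add(pair)
    findings = []
    for pair in sorted(redirected):
        if writes[pair] == 0:
            continue  # a context change without a write is weaker evidence
        parent, child = images[pair]
        findings.append({
            "type": "process_hollowing",
            "parent_pid": pair[0],
            "child_pid": pair[1],
            "writes": writes[pair],
            # Same image on both sides: the sample injected into a copy of itself.
            "self_injection": parent.lower() == child.lower(),
        })
    return findings


def find_outlook_profile_access(events):
    """Registry opens under either Outlook profile location, as (pid, key) pairs."""
    hits = {(e["pid"], e["key"]) for e in events
            if e["api"] == "RegOpenKey" and OUTLOOK_PROFILE_RE.search(e["key"])}
    return sorted(hits)


def find_ip_lookups(events):
    """DNS queries for known external-IP services, as (pid, host) pairs."""
    return [(e["pid"], e["host"]) for e in events
            if e["api"] == "DnsQuery" and e["host"].lower() in IP_LOOKUP_HOSTS]


def triage(events):
    """Run all three correlations and return a JSON-serialisable summary."""
    return {
        "hollowing": find_hollowing(events),
        "outlook_profile_keys": find_outlook_profile_access(events),
        "ip_lookups": find_ip_lookups(events),
    }


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_EVENTS), indent=2))
```

The hollowing check deliberately requires both a cross-process write and a thread-context change on the same parent/child pair: either call alone has benign uses (debuggers, crash handlers), but together, with the child being a copy of the parent's own image, they match what the report's rows show.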
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- C:\Users\Admin\AppData\Local\Temp\nsj78C1.tmp\fxivlx.dll
  Filesize: 271KB
  MD5: 2d760454fc71febd6b80c16ff4dcf078
  SHA1: bb9c3b6fa4928d183ab517f70ea9bcb8b864c917
  SHA256: 43f57fb44c32bc4f8561d815606f50b78b10a2af00cdc0a0b879780e1e2d7dfe
  SHA512: 83c215a98f78d9f661fd7271c69cd2db486d7b59362904724a05c91a31b5632328ce19cb6f1b17480afbb3762285622ac9e891d903bd17e5589866c779cfddd7
- Memory dumps of PID 1408 (dump / filesize):
  memory/1408-140-0x0000000000400000-0x0000000000437000-memory.dmp  220KB
  memory/1408-141-0x0000000000400000-0x0000000000437000-memory.dmp  220KB
  memory/1408-142-0x0000000000400000-0x0000000000437000-memory.dmp  220KB
  memory/1408-143-0x0000000000400000-0x0000000000437000-memory.dmp  220KB
  memory/1408-144-0x0000000004980000-0x0000000004990000-memory.dmp  64KB
  memory/1408-145-0x0000000004980000-0x0000000004990000-memory.dmp  64KB
  memory/1408-146-0x0000000004980000-0x0000000004990000-memory.dmp  64KB
  memory/1408-147-0x0000000004990000-0x0000000004F34000-memory.dmp  5.6MB
  memory/1408-148-0x0000000004850000-0x00000000048EC000-memory.dmp  624KB
  memory/1408-149-0x0000000004980000-0x0000000004990000-memory.dmp  64KB
  memory/1408-150-0x00000000057C0000-0x0000000005982000-memory.dmp  1.8MB
  memory/1408-151-0x0000000005990000-0x0000000005A22000-memory.dmp  584KB
  memory/1408-152-0x0000000005A70000-0x0000000005A7A000-memory.dmp  40KB
  memory/1408-154-0x0000000004980000-0x0000000004990000-memory.dmp  64KB
  memory/1408-155-0x0000000004980000-0x0000000004990000-memory.dmp  64KB
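Each dump name encodes the PID, a sequence number and the virtual address range, so the listed sizes can be recomputed from the names and the dumps grouped by region. Doing so shows that the family rule hit four successive dumps of the 220KB region at 0x00400000 (the default image base of a 32-bit executable, which is where an unpacked payload written into the hollowed child would be mapped) and one of the six dumps of the 64KB region at 0x04980000. The Python below is an added example, not part of the report; the dump names are copied from the list above and the YARA hit set from the Snake Keylogger payload signature. The name format memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp is inferred from those names.

```python
import re
from collections import defaultdict

# Optional task prefix (e.g. "behavioral2/") followed by the dump name pattern
# seen in the report; the format itself is inferred from the listed names.
DUMP_RE = re.compile(
    r"^(?:[^/]+/)?memory/(?P<pid>\d+)-(?P<seq>\d+)-"
    r"0x(?P<start>[0-9a-fA-F]+)-0x(?P<end>[0-9a-fA-F]+)-memory\.dmp$"
)

# Copied from the report's Downloads list.
DUMP_NAMES = [
    "memory/1408-140-0x0000000000400000-0x0000000000437000-memory.dmp",
    "memory/1408-141-0x0000000000400000-0x0000000000437000-memory.dmp",
    "memory/1408-142-0x0000000000400000-0x0000000000437000-memory.dmp",
    "memory/1408-143-0x0000000000400000-0x0000000000437000-memory.dmp",
    "memory/1408-144-0x0000000004980000-0x0000000004990000-memory.dmp",
    "memory/1408-145-0x0000000004980000-0x0000000004990000-memory.dmp",
    "memory/1408-146-0x0000000004980000-0x0000000004990000-memory.dmp",
    "memory/1408-147-0x0000000004990000-0x0000000004F34000-memory.dmp",
    "memory/1408-148-0x0000000004850000-0x00000000048EC000-memory.dmp",
    "memory/1408-149-0x0000000004980000-0x0000000004990000-memory.dmp",
    "memory/1408-150-0x00000000057C0000-0x0000000005982000-memory.dmp",
    "memory/1408-151-0x0000000005990000-0x0000000005A22000-memory.dmp",
    "memory/1408-152-0x0000000005A70000-0x0000000005A7A000-memory.dmp",
    "memory/1408-154-0x0000000004980000-0x0000000004990000-memory.dmp",
    "memory/1408-155-0x0000000004980000-0x0000000004990000-memory.dmp",
]

# Copied from the "Snake Keylogger payload" signature (resource column).
YARA_HITS = {
    "behavioral2/memory/1408-140-0x0000000000400000-0x0000000000437000-memory.dmp",
    "behavioral2/memory/1408-141-0x0000000000400000-0x0000000000437000-memory.dmp",
    "behavioral2/memory/1408-142-0x0000000000400000-0x0000000000437000-memory.dmp",
    "behavioral2/memory/1408-143-0x0000000000400000-0x0000000000437000-memory.dmp",
    "behavioral2/memory/1408-154-0x0000000004980000-0x0000000004990000-memory.dmp",
}


def parse_dump_name(name):
    """Split a dump name into pid, sequence number, address range and byte size.
    Returns None for names that do not follow the pattern or have an empty range."""
    m = DUMP_RE.match(name)
    if not m:
        return None
    start, end = int(m["start"], 16), int(m["end"], 16)
    if end <= start:
        return None
    return {"pid": int(m["pid"]), "seq": int(m["seq"]),
            "start": start, "end": end, "size": end - start}


def human_size(n):
    """Render bytes the way the report does: whole KB below 1 MiB, else one-decimal MB."""
    return f"{n / 1048576:.1f}MB" if n >= 1048576 else f"{n / 1024:.0f}KB"


def summarize_regions(names, yara_hits):
    """Group dumps by (pid, start, end) and mark regions where any dump hit YARA."""
    hit_tails = {h.split("/", 1)[1] for h in yara_hits}  # drop the task prefix
    regions = defaultdict(lambda: {"seqs": [], "yara": False})
    for name in names:
        d = parse_dump_name(name)
        if d is None:
            continue
        r = regions[(d["pid"], d["start"], d["end"])]
        r["seqs"].append(d["seq"])
        r["yara"] |= name in hit_tails
    rows = []
    for (pid, start, end), r in sorted(regions.items()):
        rows.append({"pid": pid, "start": start, "end": end,
                     "size": human_size(end - start),
                     "dumps": sorted(r["seqs"]), "yara": r["yara"]})
    return rows


if __name__ == "__main__":
    for row in summarize_regions(DUMP_NAMES, YARA_HITS):
        flag = "  <- family_snakekeylogger" if row["yara"] else ""
        print(f"pid {row['pid']} 0x{row['start']:08X}-0x{row['end']:08X} "
              f"{row['size']:>6}  dumps {row['dumps']}{flag}")
```

Grouping by region rather than by dump is what makes the list readable: fifteen files collapse to seven regions, and the two that carry the family rule hit stand out from the heap and module regions that were dumped once each.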