Analysis
  max time kernel: 142s
  max time network: 153s
  platform: windows10-2004_x64
  resource: win10v2004-20230703-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20230703-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 20/07/2023, 07:03
Static task: static1
Behavioral task: behavioral1
  Sample: PAGO 748844.exe
  Resource: win7-20230712-en
Behavioral task: behavioral2
  Sample: PAGO 748844.exe
  Resource: win10v2004-20230703-en
General
  Target: PAGO 748844.exe
  Size: 590KB
  MD5: 3974423cf3a5ca86b4cbc9c0968f62ea
  SHA1: a88c8cce74fd4d8f767a87548fc20a22c779f099
  SHA256: 8a88d8c71eeff5031c0be922bad9639753a904fbf78536c0f8ac0619ae69d1b4
  SHA512: 14c02a57c33e61280df44cc3aea171dcebbaa1e673b7194cc2c81d13b07abef0c6c5de13b156194fce8ff054adab117be46c3bf79270e27d22b36d594d27e847
  SSDEEP: 12288:FS6ln+flo/XciMvACJKTHlqdivLfLhL+uVWayCHZwuDUIjvSbJ94u+U:MTdCjEBJyHlqdiDfLhLjVWayC5woUIjX
Malware Config
Extracted: snakekeylogger
  Protocol: smtp
  Host: smtp.mtbooks.com.mx
  Port: 587
  Username: [email protected]
  Password: ^QGUcHQjx3
Signatures

Snake Keylogger
  Keylogger and Infostealer first seen in November 2020.

Snake Keylogger payload (3 IoCs)
  resource: behavioral2/memory/3824-143-0x0000000000400000-0x0000000000426000-memory.dmp | yara_rule: family_snakekeylogger
  resource: behavioral2/memory/3824-147-0x0000000005240000-0x0000000005250000-memory.dmp | yara_rule: family_snakekeylogger
  resource: behavioral2/memory/3824-150-0x0000000005240000-0x0000000005250000-memory.dmp | yara_rule: family_snakekeylogger

Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow: 47 | ioc: checkip.dyndns.org

Suspicious use of SetThreadContext (1 IoC)
  description: PID 4772 set thread context of 3824 | pid: 4772 | Process: PAGO 748844.exe | procid_target: 95

Program crash (1 IoC)
  pid: 4680 | pid_target: 3824 | Process: WerFault.exe | procid_target: 95

Suspicious behavior: EnumeratesProcesses (3 IoCs)
  pid: 4772 | Process: PAGO 748844.exe
  pid: 4772 | Process: PAGO 748844.exe
  pid: 3824 | Process: PAGO 748844.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description: Token: SeDebugPrivilege | pid: 4772 | Process: PAGO 748844.exe
  description: Token: SeDebugPrivilege | pid: 3824 | Process: PAGO 748844.exe

Suspicious use of WriteProcessMemory (8 IoCs)
  description: PID 4772 wrote to memory of 3824 | pid: 4772 | Process: PAGO 748844.exe | procid_target: 95
  description: PID 4772 wrote to memory of 3824 | pid: 4772 | Process: PAGO 748844.exe | procid_target: 95
  description: PID 4772 wrote to memory of 3824 | pid: 4772 | Process: PAGO 748844.exe | procid_target: 95
  description: PID 4772 wrote to memory of 3824 | pid: 4772 | Process: PAGO 748844.exe | procid_target: 95
  description: PID 4772 wrote to memory of 3824 | pid: 4772 | Process: PAGO 748844.exe | procid_target: 95
  description: PID 4772 wrote to memory of 3824 | pid: 4772 | Process: PAGO 748844.exe | procid_target: 95
  description: PID 4772 wrote to memory of 3824 | pid: 4772 | Process: PAGO 748844.exe | procid_target: 95
  description: PID 4772 wrote to memory of 3824 | pid: 4772 | Process: PAGO 748844.exe | procid_target: 95
Processes

1. C:\Users\Admin\AppData\Local\Temp\PAGO 748844.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\PAGO 748844.exe"
   PID: 4772
   - Suspicious use of SetThreadContext
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\PAGO 748844.exe (child of PID 4772)
      Command line: "C:\Users\Admin\AppData\Local\Temp\PAGO 748844.exe"
      PID: 3824
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

      3. C:\Windows\SysWOW64\WerFault.exe (child of PID 3824)
         Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3824 -s 1496
         PID: 4680
         - Program crash

1. C:\Windows\SysWOW64\WerFault.exe
   Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 208 -p 3824 -ip 3824
   PID: 760
Downloads
  Filesize: 1KB
  MD5: 765cff098b629b1eb49e3ef981f7001a
  SHA1: 32b7ade1f746d013371141dcebd96e0bb3faeef3
  SHA256: ee17be860e129795491b4be61f5ac446b16f2679e056114024ffc72b2e23a9b7
  SHA512: ca2d2ddafc2dcbeab2c93f039bdbc567d4c9e0457e741e71c432b7461a1a8165891f22112ff1b57004ba51271899555fbf001db17d2dc748bafc608817bd9474