Analysis
-
max time kernel
41s -
max time network
80s -
platform
windows10-2004_x64 -
resource
win10v2004-20230915-en -
resource tags
arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system -
submitted
26-09-2023 13:51
Static task
static1
Behavioral task
behavioral1
Sample
docyo20230925.exe
Resource
win7-20230831-en
Behavioral task
behavioral2
Sample
docyo20230925.exe
Resource
win10v2004-20230915-en
General
-
Target
docyo20230925.exe
-
Size
821KB
-
MD5
4eac3586289f9081f51432e739f3b240
-
SHA1
066a458315c10ba6aa827958ec79627007daccf6
-
SHA256
77fc980c2c8f9412e843d83cb4b808e7dfc9b459aaa7f1936b7d93bc7357bfbb
-
SHA512
bf3fff5ab21cd54a0774ba0b1a7d1a5f42b1f542888ac74d3f79d23df6fe535ea88ca4a6d74d3fc94caf01a371f679551436ecad233521f5fbedde42551b7ca8
-
SSDEEP
24576:1X5KAkazacwCw8RdFK0W3fDkqgy9nEsY:1X5KEacxdRLI3rkqpNQ
Malware Config
Extracted
Protocol: ftp- Host:
ftp.product-secured.com - Port:
21 - Username:
[email protected] - Password:
2V8SHFwjad34@@##
Extracted
snakekeylogger
Protocol: ftp- Host:
ftp://ftp.product-secured.com/ - Port:
21 - Username:
[email protected] - Password:
2V8SHFwjad34@@##
Signatures
-
Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
-
Snake Keylogger payload 1 IoCs
Processes:
resource yara_rule behavioral2/memory/1312-7-0x0000000000400000-0x0000000000424000-memory.dmp family_snakekeylogger -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
docyo20230925.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\Control Panel\International\Geo\Nation docyo20230925.exe -
Executes dropped EXE 2 IoCs
Processes:
svchost.exesvchost.exepid process 3624 svchost.exe 2260 svchost.exe -
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
Processes:
docyo20230925.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 docyo20230925.exe Key opened \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 docyo20230925.exe Key opened \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 docyo20230925.exe -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 61 checkip.dyndns.org -
Suspicious use of SetThreadContext 1 IoCs
Processes:
docyo20230925.exedescription pid process target process PID 4484 set thread context of 1312 4484 docyo20230925.exe docyo20230925.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
docyo20230925.exepid process 1312 docyo20230925.exe 1312 docyo20230925.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
docyo20230925.exedescription pid process Token: SeDebugPrivilege 1312 docyo20230925.exe -
Suspicious use of WriteProcessMemory 23 IoCs
Processes:
docyo20230925.execmd.exedescription pid process target process PID 4484 wrote to memory of 1312 4484 docyo20230925.exe docyo20230925.exe PID 4484 wrote to memory of 1312 4484 docyo20230925.exe docyo20230925.exe PID 4484 wrote to memory of 1312 4484 docyo20230925.exe docyo20230925.exe PID 4484 wrote to memory of 1312 4484 docyo20230925.exe docyo20230925.exe PID 4484 wrote to memory of 1312 4484 docyo20230925.exe docyo20230925.exe PID 4484 wrote to memory of 1312 4484 docyo20230925.exe docyo20230925.exe PID 4484 wrote to memory of 1312 4484 docyo20230925.exe docyo20230925.exe PID 4484 wrote to memory of 1312 4484 docyo20230925.exe docyo20230925.exe PID 4484 wrote to memory of 3624 4484 docyo20230925.exe svchost.exe PID 4484 wrote to memory of 3624 4484 docyo20230925.exe svchost.exe PID 4484 wrote to memory of 3624 4484 docyo20230925.exe svchost.exe PID 4484 wrote to memory of 4752 4484 docyo20230925.exe cmd.exe PID 4484 wrote to memory of 4752 4484 docyo20230925.exe cmd.exe PID 4484 wrote to memory of 4752 4484 docyo20230925.exe cmd.exe PID 4484 wrote to memory of 3028 4484 docyo20230925.exe cmd.exe PID 4484 wrote to memory of 3028 4484 docyo20230925.exe cmd.exe PID 4484 wrote to memory of 3028 4484 docyo20230925.exe cmd.exe PID 4484 wrote to memory of 2060 4484 docyo20230925.exe cmd.exe PID 4484 wrote to memory of 2060 4484 docyo20230925.exe cmd.exe PID 4484 wrote to memory of 2060 4484 docyo20230925.exe cmd.exe PID 3028 wrote to memory of 1496 3028 cmd.exe schtasks.exe PID 3028 wrote to memory of 1496 3028 cmd.exe schtasks.exe PID 3028 wrote to memory of 1496 3028 cmd.exe schtasks.exe -
outlook_office_path 1 IoCs
Processes:
docyo20230925.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 docyo20230925.exe -
outlook_win_path 1 IoCs
Processes:
docyo20230925.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 docyo20230925.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\docyo20230925.exe"C:\Users\Admin\AppData\Local\Temp\docyo20230925.exe"1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4484 -
C:\Users\Admin\AppData\Local\Temp\docyo20230925.exe"C:\Users\Admin\AppData\Local\Temp\docyo20230925.exe"2⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:1312 -
C:\Users\Admin\AppData\Local\Temp\svchost.exe"C:\Users\Admin\AppData\Local\Temp\svchost.exe"2⤵
- Executes dropped EXE
PID:3624 -
C:\Windows\SysWOW64\cmd.exe"cmd" /c copy "C:\Users\Admin\AppData\Local\Temp\docyo20230925.exe" "C:\Users\Admin\AppData\Roaming\svchost\svchost.exe"2⤵PID:2060
-
C:\Windows\SysWOW64\cmd.exe"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f2⤵
- Suspicious use of WriteProcessMemory
PID:3028 -
C:\Windows\SysWOW64\schtasks.exeschtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f3⤵
- Creates scheduled task(s)
PID:1496 -
C:\Windows\SysWOW64\cmd.exe"cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\svchost"2⤵PID:4752
-
C:\Users\Admin\AppData\Roaming\svchost\svchost.exeC:\Users\Admin\AppData\Roaming\svchost\svchost.exe1⤵
- Executes dropped EXE
PID:2260
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
621KB
MD5ed9d91fe584d5109d4067734ac452753
SHA1c277e57866833509d94787fc6f4d634a2714825d
SHA2563629ed9b94ae5d0f2659d02dcb7ce258cb5c2497d5bf18f3c4fed78878fba030
SHA512a6603acb550b897ec91b5c57b3034b8fd44ad9d675662aade0a078771b533b28e320c12c063c4ae48bfb23e8dfc85f304679458ea111db2e737043af0261bb1a
-
Filesize
621KB
MD5ed9d91fe584d5109d4067734ac452753
SHA1c277e57866833509d94787fc6f4d634a2714825d
SHA2563629ed9b94ae5d0f2659d02dcb7ce258cb5c2497d5bf18f3c4fed78878fba030
SHA512a6603acb550b897ec91b5c57b3034b8fd44ad9d675662aade0a078771b533b28e320c12c063c4ae48bfb23e8dfc85f304679458ea111db2e737043af0261bb1a
-
Filesize
621KB
MD5ed9d91fe584d5109d4067734ac452753
SHA1c277e57866833509d94787fc6f4d634a2714825d
SHA2563629ed9b94ae5d0f2659d02dcb7ce258cb5c2497d5bf18f3c4fed78878fba030
SHA512a6603acb550b897ec91b5c57b3034b8fd44ad9d675662aade0a078771b533b28e320c12c063c4ae48bfb23e8dfc85f304679458ea111db2e737043af0261bb1a
-
Filesize
613KB
MD5f4e556f1dffa3a36462980cb4b371368
SHA140e3ef999ec3e341a485d468546c0f2ebbf263c2
SHA256c04633b52d49e637cd87f69ab3bbfd267814581a2d02e744bf3ee7d446fc5e86
SHA512028fec16c25c4467700c84aea52aee642500d2abfe1a85ad808eceeb6e52db1b5d244e5f22b42fdc19ed3b7825587bbd27f3475969b9f22463ceaa5d2b1e0d65
-
Filesize
128KB
MD5e0d5226471df8918d08487ce35777f92
SHA189154cdb77d835c0b128805f65a457e7c0c471ec
SHA256825afa9749529a746ee8d77feffbe5389dfed351ac0813e6b2a950416dfef6fb
SHA512761c03393e8d6bb21709810f5429663993a167d63eb857870bd3aa71dd38f446154326e5ffa6e7e9b1ca39f7f74cba49796372d60f39c17a61bd224ec1e4bbe1