Analysis
-
max time kernel
60s -
max time network
88s -
platform
windows10-2004_x64 -
resource
win10v2004-20230915-en -
resource tags
arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system -
submitted
27-09-2023 17:22
Static task
static1
Behavioral task
behavioral1
Sample
dfe21dcd3c319fbb88566950ad3cd104f0e76c50200687b8906975c9cdd5aee6_JC.exe
Resource
win7-20230831-en
Behavioral task
behavioral2
Sample
dfe21dcd3c319fbb88566950ad3cd104f0e76c50200687b8906975c9cdd5aee6_JC.exe
Resource
win10v2004-20230915-en
General
-
Target
dfe21dcd3c319fbb88566950ad3cd104f0e76c50200687b8906975c9cdd5aee6_JC.exe
-
Size
822KB
-
MD5
7db30eacb2aafcd1c57d4cf6b314ca71
-
SHA1
784c19294b0348258632cdacb23927063f0f7ad8
-
SHA256
dfe21dcd3c319fbb88566950ad3cd104f0e76c50200687b8906975c9cdd5aee6
-
SHA512
985bba196e18696cbe5cb06f03416f2f6b839ebdfd32ac9d4b316cbf32fa7231c5f0e6deeb84ab5271a156c35b5c04295b670dacbe8ef1b477586b0205e5baf5
-
SSDEEP
12288:91FckahW3INm7sW2ndLQJfVDb0xPkh7g9tO01ehCt6+5wVZaNY:VcDh/m7sPdLQ9VH0xPu7g9n1z6+iuY
Malware Config
Extracted
Protocol: ftp- Host:
ftp.product-secured.com - Port:
21 - Username:
[email protected] - Password:
2V8SHFwjad34@@##
Extracted
snakekeylogger
Protocol: ftp- Host:
ftp://ftp.product-secured.com/ - Port:
21 - Username:
[email protected] - Password:
2V8SHFwjad34@@##
Signatures
-
Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
-
Snake Keylogger payload 1 IoCs
Processes:
resource yara_rule behavioral2/memory/1264-7-0x0000000000400000-0x0000000000426000-memory.dmp family_snakekeylogger -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
dfe21dcd3c319fbb88566950ad3cd104f0e76c50200687b8906975c9cdd5aee6_JC.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Control Panel\International\Geo\Nation dfe21dcd3c319fbb88566950ad3cd104f0e76c50200687b8906975c9cdd5aee6_JC.exe -
Executes dropped EXE 2 IoCs
Processes:
svchost.exesvchost.exepid process 2464 svchost.exe 4792 svchost.exe -
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
Processes:
dfe21dcd3c319fbb88566950ad3cd104f0e76c50200687b8906975c9cdd5aee6_JC.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 dfe21dcd3c319fbb88566950ad3cd104f0e76c50200687b8906975c9cdd5aee6_JC.exe Key opened \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 dfe21dcd3c319fbb88566950ad3cd104f0e76c50200687b8906975c9cdd5aee6_JC.exe Key opened \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 dfe21dcd3c319fbb88566950ad3cd104f0e76c50200687b8906975c9cdd5aee6_JC.exe -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 88 checkip.dyndns.org -
Suspicious use of SetThreadContext 1 IoCs
Processes:
dfe21dcd3c319fbb88566950ad3cd104f0e76c50200687b8906975c9cdd5aee6_JC.exedescription pid process target process PID 4676 set thread context of 1264 4676 dfe21dcd3c319fbb88566950ad3cd104f0e76c50200687b8906975c9cdd5aee6_JC.exe dfe21dcd3c319fbb88566950ad3cd104f0e76c50200687b8906975c9cdd5aee6_JC.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
dfe21dcd3c319fbb88566950ad3cd104f0e76c50200687b8906975c9cdd5aee6_JC.exepid process 1264 dfe21dcd3c319fbb88566950ad3cd104f0e76c50200687b8906975c9cdd5aee6_JC.exe 1264 dfe21dcd3c319fbb88566950ad3cd104f0e76c50200687b8906975c9cdd5aee6_JC.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
dfe21dcd3c319fbb88566950ad3cd104f0e76c50200687b8906975c9cdd5aee6_JC.exedescription pid process Token: SeDebugPrivilege 1264 dfe21dcd3c319fbb88566950ad3cd104f0e76c50200687b8906975c9cdd5aee6_JC.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
dfe21dcd3c319fbb88566950ad3cd104f0e76c50200687b8906975c9cdd5aee6_JC.exepid process 1264 dfe21dcd3c319fbb88566950ad3cd104f0e76c50200687b8906975c9cdd5aee6_JC.exe -
Suspicious use of WriteProcessMemory 23 IoCs
Processes:
dfe21dcd3c319fbb88566950ad3cd104f0e76c50200687b8906975c9cdd5aee6_JC.execmd.exedescription pid process target process PID 4676 wrote to memory of 1264 4676 dfe21dcd3c319fbb88566950ad3cd104f0e76c50200687b8906975c9cdd5aee6_JC.exe dfe21dcd3c319fbb88566950ad3cd104f0e76c50200687b8906975c9cdd5aee6_JC.exe PID 4676 wrote to memory of 1264 4676 dfe21dcd3c319fbb88566950ad3cd104f0e76c50200687b8906975c9cdd5aee6_JC.exe dfe21dcd3c319fbb88566950ad3cd104f0e76c50200687b8906975c9cdd5aee6_JC.exe PID 4676 wrote to memory of 1264 4676 dfe21dcd3c319fbb88566950ad3cd104f0e76c50200687b8906975c9cdd5aee6_JC.exe dfe21dcd3c319fbb88566950ad3cd104f0e76c50200687b8906975c9cdd5aee6_JC.exe PID 4676 wrote to memory of 1264 4676 dfe21dcd3c319fbb88566950ad3cd104f0e76c50200687b8906975c9cdd5aee6_JC.exe dfe21dcd3c319fbb88566950ad3cd104f0e76c50200687b8906975c9cdd5aee6_JC.exe PID 4676 wrote to memory of 1264 4676 dfe21dcd3c319fbb88566950ad3cd104f0e76c50200687b8906975c9cdd5aee6_JC.exe dfe21dcd3c319fbb88566950ad3cd104f0e76c50200687b8906975c9cdd5aee6_JC.exe PID 4676 wrote to memory of 1264 4676 dfe21dcd3c319fbb88566950ad3cd104f0e76c50200687b8906975c9cdd5aee6_JC.exe dfe21dcd3c319fbb88566950ad3cd104f0e76c50200687b8906975c9cdd5aee6_JC.exe PID 4676 wrote to memory of 1264 4676 dfe21dcd3c319fbb88566950ad3cd104f0e76c50200687b8906975c9cdd5aee6_JC.exe dfe21dcd3c319fbb88566950ad3cd104f0e76c50200687b8906975c9cdd5aee6_JC.exe PID 4676 wrote to memory of 1264 4676 dfe21dcd3c319fbb88566950ad3cd104f0e76c50200687b8906975c9cdd5aee6_JC.exe dfe21dcd3c319fbb88566950ad3cd104f0e76c50200687b8906975c9cdd5aee6_JC.exe PID 4676 wrote to memory of 2464 4676 dfe21dcd3c319fbb88566950ad3cd104f0e76c50200687b8906975c9cdd5aee6_JC.exe svchost.exe PID 4676 wrote to memory of 2464 4676 dfe21dcd3c319fbb88566950ad3cd104f0e76c50200687b8906975c9cdd5aee6_JC.exe svchost.exe PID 4676 wrote to memory of 2464 4676 dfe21dcd3c319fbb88566950ad3cd104f0e76c50200687b8906975c9cdd5aee6_JC.exe svchost.exe PID 4676 wrote to memory of 3200 4676 dfe21dcd3c319fbb88566950ad3cd104f0e76c50200687b8906975c9cdd5aee6_JC.exe cmd.exe PID 4676 wrote to memory of 3200 4676 dfe21dcd3c319fbb88566950ad3cd104f0e76c50200687b8906975c9cdd5aee6_JC.exe cmd.exe PID 4676 wrote to memory of 3200 4676 dfe21dcd3c319fbb88566950ad3cd104f0e76c50200687b8906975c9cdd5aee6_JC.exe cmd.exe PID 4676 wrote to memory of 2416 4676 dfe21dcd3c319fbb88566950ad3cd104f0e76c50200687b8906975c9cdd5aee6_JC.exe cmd.exe PID 4676 wrote to memory of 2416 4676 dfe21dcd3c319fbb88566950ad3cd104f0e76c50200687b8906975c9cdd5aee6_JC.exe cmd.exe PID 4676 wrote to memory of 2416 4676 dfe21dcd3c319fbb88566950ad3cd104f0e76c50200687b8906975c9cdd5aee6_JC.exe cmd.exe PID 4676 wrote to memory of 3728 4676 dfe21dcd3c319fbb88566950ad3cd104f0e76c50200687b8906975c9cdd5aee6_JC.exe cmd.exe PID 4676 wrote to memory of 3728 4676 dfe21dcd3c319fbb88566950ad3cd104f0e76c50200687b8906975c9cdd5aee6_JC.exe cmd.exe PID 4676 wrote to memory of 3728 4676 dfe21dcd3c319fbb88566950ad3cd104f0e76c50200687b8906975c9cdd5aee6_JC.exe cmd.exe PID 2416 wrote to memory of 5092 2416 cmd.exe schtasks.exe PID 2416 wrote to memory of 5092 2416 cmd.exe schtasks.exe PID 2416 wrote to memory of 5092 2416 cmd.exe schtasks.exe -
outlook_office_path 1 IoCs
Processes:
dfe21dcd3c319fbb88566950ad3cd104f0e76c50200687b8906975c9cdd5aee6_JC.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 dfe21dcd3c319fbb88566950ad3cd104f0e76c50200687b8906975c9cdd5aee6_JC.exe -
outlook_win_path 1 IoCs
Processes:
dfe21dcd3c319fbb88566950ad3cd104f0e76c50200687b8906975c9cdd5aee6_JC.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 dfe21dcd3c319fbb88566950ad3cd104f0e76c50200687b8906975c9cdd5aee6_JC.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\dfe21dcd3c319fbb88566950ad3cd104f0e76c50200687b8906975c9cdd5aee6_JC.exe"C:\Users\Admin\AppData\Local\Temp\dfe21dcd3c319fbb88566950ad3cd104f0e76c50200687b8906975c9cdd5aee6_JC.exe"1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4676 -
C:\Users\Admin\AppData\Local\Temp\dfe21dcd3c319fbb88566950ad3cd104f0e76c50200687b8906975c9cdd5aee6_JC.exe"C:\Users\Admin\AppData\Local\Temp\dfe21dcd3c319fbb88566950ad3cd104f0e76c50200687b8906975c9cdd5aee6_JC.exe"2⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- outlook_office_path
- outlook_win_path
PID:1264 -
C:\Users\Admin\AppData\Local\Temp\svchost.exe"C:\Users\Admin\AppData\Local\Temp\svchost.exe"2⤵
- Executes dropped EXE
PID:2464 -
C:\Windows\SysWOW64\cmd.exe"cmd" /c copy "C:\Users\Admin\AppData\Local\Temp\dfe21dcd3c319fbb88566950ad3cd104f0e76c50200687b8906975c9cdd5aee6_JC.exe" "C:\Users\Admin\AppData\Roaming\svchost\svchost.exe"2⤵PID:3728
-
C:\Windows\SysWOW64\cmd.exe"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f2⤵
- Suspicious use of WriteProcessMemory
PID:2416 -
C:\Windows\SysWOW64\schtasks.exeschtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f3⤵
- Creates scheduled task(s)
PID:5092 -
C:\Windows\SysWOW64\cmd.exe"cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\svchost"2⤵PID:3200
-
C:\Users\Admin\AppData\Roaming\svchost\svchost.exeC:\Users\Admin\AppData\Roaming\svchost\svchost.exe1⤵
- Executes dropped EXE
PID:4792
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
621KB
MD5ed9d91fe584d5109d4067734ac452753
SHA1c277e57866833509d94787fc6f4d634a2714825d
SHA2563629ed9b94ae5d0f2659d02dcb7ce258cb5c2497d5bf18f3c4fed78878fba030
SHA512a6603acb550b897ec91b5c57b3034b8fd44ad9d675662aade0a078771b533b28e320c12c063c4ae48bfb23e8dfc85f304679458ea111db2e737043af0261bb1a
-
Filesize
621KB
MD5ed9d91fe584d5109d4067734ac452753
SHA1c277e57866833509d94787fc6f4d634a2714825d
SHA2563629ed9b94ae5d0f2659d02dcb7ce258cb5c2497d5bf18f3c4fed78878fba030
SHA512a6603acb550b897ec91b5c57b3034b8fd44ad9d675662aade0a078771b533b28e320c12c063c4ae48bfb23e8dfc85f304679458ea111db2e737043af0261bb1a
-
Filesize
621KB
MD5ed9d91fe584d5109d4067734ac452753
SHA1c277e57866833509d94787fc6f4d634a2714825d
SHA2563629ed9b94ae5d0f2659d02dcb7ce258cb5c2497d5bf18f3c4fed78878fba030
SHA512a6603acb550b897ec91b5c57b3034b8fd44ad9d675662aade0a078771b533b28e320c12c063c4ae48bfb23e8dfc85f304679458ea111db2e737043af0261bb1a
-
Filesize
640KB
MD54c7d04034c8804cf8111355c280c2c4a
SHA13d2eeec6b9fe4e883f209528d5451c751845dee1
SHA256850e103f57f3070b054469bad33065162dd31eab920e68e7629a1cd2764d3acd
SHA5122ca0d34dfdeace1090cc086cfa4a9b1b494dddad33f60d9b811ded10cd398a114e3abcba89f8b97dafde4acc35880ad440fd0e621009616a3324269e529b8c33
-
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e