Overview

overview

10

Static

static

3

018ccb52b7...42.exe

windows7-x64

10

018ccb52b7...42.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    4s
  • max time network
    9s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230915-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
  • submitted
    29-09-2023 08:45

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    018ccb52b75e10cd4a45aa22aa7b2342.exe

  • Size

    304KB

  • MD5

    018ccb52b75e10cd4a45aa22aa7b2342

  • SHA1

    7f0033b4a3958e14d1959555bbfbd58e667d460b

  • SHA256

    085432a1c99fa59ffaf3838e1a987e17df690bfd19fe6ad001ee7d9d6fba3eb4

  • SHA512

    13497efa83635329a0381f5e447bd47bd29bf7d1634c3909cb0537148d54e348c1455faa6b0246365d165eb1626a65a21acd410d70309ba40bfd6f73ef4c1e8f

  • SSDEEP

    6144:hnPdudwDvX6XTt3LWygobl2qgZbyWI2ku6nQ+i1ic3OYBsXA7L:hnPdj6ZKygjq0IZnK1wYMy

Score
10/10
snakekeyloggerkeyloggerpersistencestealer

Malware Config

Signatures

  • Snake Keylogger

    Keylogger and Infostealer first seen in November 2020.

    stealerkeyloggersnakekeylogger
  • Snake Keylogger payload 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\018ccb52b75e10cd4a45aa22aa7b2342.exe
    "C:\Users\Admin\AppData\Local\Temp\018ccb52b75e10cd4a45aa22aa7b2342.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3672
    • C:\Users\Admin\AppData\Local\Temp\rjxul.exe
      "C:\Users\Admin\AppData\Local\Temp\rjxul.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of SetThreadContext
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:3104
      • C:\Users\Admin\AppData\Local\Temp\rjxul.exe
        "C:\Users\Admin\AppData\Local\Temp\rjxul.exe"
        3⤵
          PID:4988

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\clwdnbpwhtp.z
      Filesize

      223KB

      MD5

      7d27db2a5bfe2a656deb5c058c11e895

      SHA1

      a984084e6c172afe7e74e1aad336da5e18d1f6ca

      SHA256

      18a3419e49235789b45d28cd7c237f0ed01b951d59be06d69be7b2885b39df3e

      SHA512

      a2faaf0c5f76a36c46cfd4b044d01d6310d30bdd34ec87737efd3612461df2356a641b296abfb04b8f1a734a1269cc66fe01fc5c04ad7ec943cf034ce6e39526

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\rjxul.exe
      Filesize

      179KB

      MD5

      f349989874895162828483b02560076a

      SHA1

      65511ebe6f6d198644015e8dc381c4f4ee2ee850

      SHA256

      dec3bfdef29cbab1dcab58098b439e96ea5a4b7b03a47dc9cfea16bc4ee0435f

      SHA512

      7a96db3f8d2799e98fdb3b447e1eef9022698524570c33ea88cba8c133782afeffd0acec1624b81aa9d43a0a400761482503aad8f73aeefbb2d23c9945efe401

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\rjxul.exe
      Filesize

      179KB

      MD5

      f349989874895162828483b02560076a

      SHA1

      65511ebe6f6d198644015e8dc381c4f4ee2ee850

      SHA256

      dec3bfdef29cbab1dcab58098b439e96ea5a4b7b03a47dc9cfea16bc4ee0435f

      SHA512

      7a96db3f8d2799e98fdb3b447e1eef9022698524570c33ea88cba8c133782afeffd0acec1624b81aa9d43a0a400761482503aad8f73aeefbb2d23c9945efe401

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\rjxul.exe
      Filesize

      128KB

      MD5

      f5fe6997a5472cb4832a4845a71a0def

      SHA1

      bf862b7b824d472bc569cad1c5542bd1cf416a5e

      SHA256

      4d9091a5e62797f27a4225889cf3eca5141d426c5952b705a206b2ce3158fa4b

      SHA512

      c05d3fe240ce010172b62b870f135c77e4c9b6457513908f4f57e4703b8950af29be5362d7da22a6427b43aa9b94261ca80ae8d5ad90f9ba753fd7217e23108e

      Download Submit

    • memory/3104-5-0x0000000002330000-0x0000000002333000-memory.dmp

      Filesize

      12KB

      Download

    • memory/4988-8-0x0000000000400000-0x0000000000437000-memory.dmp

      Filesize

      220KB

      Download

    • memory/4988-10-0x0000000000400000-0x0000000000437000-memory.dmp

      Filesize

      220KB

      Download