Analysis
- max time kernel: 4s
- max time network: 9s
- platform: windows10-2004_x64
- resource: win10v2004-20230915-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230915-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 29-09-2023 08:45
Static task: static1
Behavioral task: behavioral1
- Sample: 018ccb52b75e10cd4a45aa22aa7b2342.exe
- Resource: win7-20230831-en
Behavioral task: behavioral2
- Sample: 018ccb52b75e10cd4a45aa22aa7b2342.exe
- Resource: win10v2004-20230915-en
General
- Target: 018ccb52b75e10cd4a45aa22aa7b2342.exe
- Size: 304KB
- MD5: 018ccb52b75e10cd4a45aa22aa7b2342
- SHA1: 7f0033b4a3958e14d1959555bbfbd58e667d460b
- SHA256: 085432a1c99fa59ffaf3838e1a987e17df690bfd19fe6ad001ee7d9d6fba3eb4
- SHA512: 13497efa83635329a0381f5e447bd47bd29bf7d1634c3909cb0537148d54e348c1455faa6b0246365d165eb1626a65a21acd410d70309ba40bfd6f73ef4c1e8f
- SSDEEP: 6144:hnPdudwDvX6XTt3LWygobl2qgZbyWI2ku6nQ+i1ic3OYBsXA7L:hnPdj6ZKygjq0IZnK1wYMy
Malware Config
Signatures
- Snake Keylogger
  Keylogger and infostealer first seen in November 2020.
- Snake Keylogger payload (1 IoC)
  resource: behavioral2/memory/4988-8-0x0000000000400000-0x0000000000437000-memory.dmp
  yara_rule: family_snakekeylogger
  The family rule matched a memory dump of PID 4988 (the third process in the tree below) covering 0x400000-0x437000, the default image base of a 32-bit executable. The payload was therefore identified in the memory of the final process, not by scanning the submitted file.
- Executes dropped EXE (1 IoC)
  pid 3104 rjxul.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  rjxul.exe: Set value (str)
  \REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ooxhhclluq = "C:\\Users\\Admin\\AppData\\Roaming\\bkkg\\ppyueenjjs.exe \"C:\\Users\\Admin\\AppData\\Local\\Temp\\rjxul.exe\" "
  The value lives under the sandbox user's HKCU hive, so this is per-user persistence that needs no elevation. With the report's escaping removed, the data is a launcher at C:\Users\Admin\AppData\Roaming\bkkg\ppyueenjjs.exe that is handed the dropped C:\Users\Admin\AppData\Local\Temp\rjxul.exe as a quoted argument: the autostart binary is not the process that wrote the key, and rjxul.exe appears only as its argument. ppyueenjjs.exe does not appear anywhere else in this report (process tree, dropped-file IoCs), so what it does with that argument is not shown here.
- Suspicious use of SetThreadContext (1 IoC)
  PID 3104 (rjxul.exe) set thread context of PID 4988 (rjxul.exe)
  Combined with the WriteProcessMemory calls from 3104 into 4988 listed below, this matches the process-hollowing sequence: rjxul.exe launches a second copy of itself, writes a new image into the child and points a thread at it. The YARA hit on the child's memory is consistent with that.
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: MapViewOfSection (1 IoC)
  pid 3104 rjxul.exe
- Suspicious use of WriteProcessMemory (7 IoCs)
  PID 3672 (018ccb52b75e10cd4a45aa22aa7b2342.exe) wrote to memory of PID 3104 (rjxul.exe), 3 times
  PID 3104 (rjxul.exe) wrote to memory of PID 4988 (rjxul.exe), 4 times
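The Run-key IoC above is a command line, not just a path: a launcher followed by a quoted argument. The following parser and scoring is an added example, not part of the sandbox report or the sample; the value name and data are copied from the report (with its escaping removed), while the token splitting, the list of user-writable directories and the reasons it emits are this example's own assumptions.

```python
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Run value as recorded by the sandbox, with the report's escaping removed
# (the report shows doubled backslashes and \" around the argument).
# Name and data are the report's; the parsing and scoring below are ours.
RUN_VALUE_NAME = "ooxhhclluq"
RUN_VALUE_DATA = (
    r'C:\Users\Admin\AppData\Roaming\bkkg\ppyueenjjs.exe '
    r'"C:\Users\Admin\AppData\Local\Temp\rjxul.exe" '
)

# Directories any unprivileged user can write to (assumed list). An autostart
# binary living here is unusual for installed software and typical for droppers.
USER_WRITABLE = (
    "\\appdata\\roaming\\",
    "\\appdata\\local\\temp\\",
    "\\users\\public\\",
    "\\programdata\\",
)


@dataclass
class RunEntry:
    name: str
    launcher: str
    args: list[str]
    reasons: list[str] = field(default_factory=list)


def split_command_line(data: str) -> list[str]:
    """Split Run value data into tokens: a double-quoted span is one token
    (quotes stripped), anything else splits on whitespace. Run values are
    command lines handed to CreateProcess, so this is the split that matters."""
    return [t[1:-1] if t.startswith('"') else t
            for t in re.findall(r'"[^"]*"|\S+', data)]


def assess_run_value(name: str, data: str) -> RunEntry:
    """Parse one Run value and list why it looks like malware persistence.
    A clean-looking value comes back with an empty reasons list."""
    tokens = split_command_line(data)
    if not tokens:
        return RunEntry(name, "", [], ["empty value data"])
    entry = RunEntry(name, tokens[0], tokens[1:])
    for path in tokens:
        low = path.lower()
        if low.endswith(".exe") and any(d in low for d in USER_WRITABLE):
            entry.reasons.append(f"executable in user-writable location: {path}")
    if any(a.lower().endswith(".exe") for a in entry.args):
        # The launcher is handed a second executable: the autostart binary is
        # not the one doing the work, which keeps the real payload path out of
        # the Run value's first token (where most tooling looks).
        entry.reasons.append("launcher receives another .exe as its argument")
    return entry


if __name__ == "__main__":
    hit = assess_run_value(RUN_VALUE_NAME, RUN_VALUE_DATA)
    print(hit.launcher, hit.args)
    for reason in hit.reasons:
        print(" -", reason)
```

Run against the report's value it returns three reasons (launcher under AppData\Roaming, argument under AppData\Local\Temp, and the argument itself being an executable); a typical vendor entry such as a quoted Program Files path with a switch returns none. To hunt on a live host, feed it the `(name, data)` pairs from `HKCU\...\CurrentVersion\Run` for every loaded user hive.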
Processes
1. C:\Users\Admin\AppData\Local\Temp\018ccb52b75e10cd4a45aa22aa7b2342.exe
   "C:\Users\Admin\AppData\Local\Temp\018ccb52b75e10cd4a45aa22aa7b2342.exe"
   PID: 3672
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\rjxul.exe
      "C:\Users\Admin\AppData\Local\Temp\rjxul.exe"
      PID: 3104
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of SetThreadContext
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Local\Temp\rjxul.exe
         "C:\Users\Admin\AppData\Local\Temp\rjxul.exe"
         PID: 4988 (the process whose memory dump matched family_snakekeylogger, see Signatures)
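The process tree and the WriteProcessMemory/SetThreadContext signatures together are what make this a hollowing chain rather than seven unrelated memory writes. The detector below is an added example, not the sandbox's own logic: the PIDs, image names, parent/child relation and YARA hit are copied from this report, while the event tuple layout, the correlation rules and the pattern names are this example's assumptions.

```python
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass

# Constructed from the report's WriteProcessMemory and SetThreadContext IoCs.
# PIDs and image names are the report's; the tuple schema
# (api, source pid, source image, target pid, target image) is ours.
EVENTS = [
    ("WriteProcessMemory", 3672, "018ccb52b75e10cd4a45aa22aa7b2342.exe", 3104, "rjxul.exe"),
    ("WriteProcessMemory", 3672, "018ccb52b75e10cd4a45aa22aa7b2342.exe", 3104, "rjxul.exe"),
    ("WriteProcessMemory", 3672, "018ccb52b75e10cd4a45aa22aa7b2342.exe", 3104, "rjxul.exe"),
    ("WriteProcessMemory", 3104, "rjxul.exe", 4988, "rjxul.exe"),
    ("WriteProcessMemory", 3104, "rjxul.exe", 4988, "rjxul.exe"),
    ("WriteProcessMemory", 3104, "rjxul.exe", 4988, "rjxul.exe"),
    ("WriteProcessMemory", 3104, "rjxul.exe", 4988, "rjxul.exe"),
    ("SetThreadContext", 3104, "rjxul.exe", 4988, "rjxul.exe"),
]
PARENT_OF = {3104: 3672, 4988: 3104}           # child pid -> parent pid, from the tree
MEMORY_YARA = {4988: "family_snakekeylogger"}  # pid -> rule that hit on its memory dump


@dataclass(frozen=True)
class Finding:
    source_pid: int
    target_pid: int
    pattern: str
    detail: str


def detect_injection(events, parent_of, memory_yara) -> list[Finding]:
    """Correlate cross-process writes with thread-context changes and the tree.
    Writes plus SetThreadContext into a process's own child that runs the same
    image is the process-hollowing sequence; the other branches are weaker
    signals that still deserve a look. Findings are sorted by (source, target)."""
    per_pair: dict[tuple[int, int], dict] = defaultdict(
        lambda: {"writes": 0, "ctx": 0, "images": ("", "")})
    for api, spid, simg, tpid, timg in events:
        if spid == tpid:
            continue  # a process touching its own memory is not injection
        rec = per_pair[(spid, tpid)]
        rec["images"] = (simg, timg)
        if api == "WriteProcessMemory":
            rec["writes"] += 1
        elif api == "SetThreadContext":
            rec["ctx"] += 1

    findings: list[Finding] = []
    for (spid, tpid), rec in sorted(per_pair.items()):
        if not rec["writes"]:
            continue  # a context change with nothing written is out of scope here
        simg, timg = rec["images"]
        own_child = parent_of.get(tpid) == spid
        yara = memory_yara.get(tpid)
        tail = f"; memory of {tpid} matched {yara}" if yara else ""
        if rec["ctx"] and own_child and simg.lower() == timg.lower():
            findings.append(Finding(spid, tpid, "process hollowing",
                f"{simg} ({spid}) wrote {rec['writes']}x into its own child {tpid} "
                f"running the same image, then set its thread context{tail}"))
        elif rec["ctx"]:
            findings.append(Finding(spid, tpid, "thread hijack",
                f"{simg} ({spid}) wrote {rec['writes']}x into {timg} ({tpid}) "
                f"and set its thread context{tail}"))
        elif own_child:
            findings.append(Finding(spid, tpid, "parent writes into child",
                f"{simg} ({spid}) wrote {rec['writes']}x into child {timg} ({tpid}); "
                f"no context change seen{tail}"))
        else:
            findings.append(Finding(spid, tpid, "cross-process write",
                f"{simg} ({spid}) wrote {rec['writes']}x into unrelated {timg} ({tpid}){tail}"))
    return findings


if __name__ == "__main__":
    for f in detect_injection(EVENTS, PARENT_OF, MEMORY_YARA):
        print(f"[{f.pattern}] {f.detail}")
```

On the report's events this yields two findings: 3104 -> 4988 as process hollowing (four writes, a thread-context change, same image, and the Snake Keylogger rule on the child's memory), and 3672 -> 3104 as a lower-confidence parent-writes-into-child, since the dropper wrote into rjxul.exe three times but the report records no SetThreadContext for that pair. The same rules apply unchanged to Sysmon or EDR telemetry once it is mapped onto the five-field tuple.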
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 223KB
  MD5: 7d27db2a5bfe2a656deb5c058c11e895
  SHA1: a984084e6c172afe7e74e1aad336da5e18d1f6ca
  SHA256: 18a3419e49235789b45d28cd7c237f0ed01b951d59be06d69be7b2885b39df3e
  SHA512: a2faaf0c5f76a36c46cfd4b044d01d6310d30bdd34ec87737efd3612461df2356a641b296abfb04b8f1a734a1269cc66fe01fc5c04ad7ec943cf034ce6e39526
- Filesize: 179KB
  MD5: f349989874895162828483b02560076a
  SHA1: 65511ebe6f6d198644015e8dc381c4f4ee2ee850
  SHA256: dec3bfdef29cbab1dcab58098b439e96ea5a4b7b03a47dc9cfea16bc4ee0435f
  SHA512: 7a96db3f8d2799e98fdb3b447e1eef9022698524570c33ea88cba8c133782afeffd0acec1624b81aa9d43a0a400761482503aad8f73aeefbb2d23c9945efe401
- Filesize: 179KB (identical hashes to the previous entry: a second copy of the same file)
  MD5: f349989874895162828483b02560076a
  SHA1: 65511ebe6f6d198644015e8dc381c4f4ee2ee850
  SHA256: dec3bfdef29cbab1dcab58098b439e96ea5a4b7b03a47dc9cfea16bc4ee0435f
  SHA512: 7a96db3f8d2799e98fdb3b447e1eef9022698524570c33ea88cba8c133782afeffd0acec1624b81aa9d43a0a400761482503aad8f73aeefbb2d23c9945efe401
- Filesize: 128KB
  MD5: f5fe6997a5472cb4832a4845a71a0def
  SHA1: bf862b7b824d472bc569cad1c5542bd1cf416a5e
  SHA256: 4d9091a5e62797f27a4225889cf3eca5141d426c5952b705a206b2ce3158fa4b
  SHA512: c05d3fe240ce010172b62b870f135c77e4c9b6457513908f4f57e4703b8950af29be5362d7da22a6427b43aa9b94261ca80ae8d5ad90f9ba753fd7217e23108e
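The hashes above are only useful once they are swept against a file system, and the report gives them without file names and with one 179KB entry duplicated. The sweep below is an added example, not tooling from the sandbox: the MD5/SHA1/SHA256 values are copied from this report (the duplicate 179KB entry collapsed into one, the submitted sample added from the General section, SHA512 left out to keep the table short), while the labels, the length-based algorithm detection and the streaming walk are this example's own choices.

```python
from __future__ import annotations

import hashlib
from pathlib import Path

# IoC table copied from the report (labels are ours; the report names no files).
REPORT_IOCS = [
    {"label": "223KB download", "md5": "7d27db2a5bfe2a656deb5c058c11e895",
     "sha1": "a984084e6c172afe7e74e1aad336da5e18d1f6ca",
     "sha256": "18a3419e49235789b45d28cd7c237f0ed01b951d59be06d69be7b2885b39df3e"},
    {"label": "179KB download (listed twice)", "md5": "f349989874895162828483b02560076a",
     "sha1": "65511ebe6f6d198644015e8dc381c4f4ee2ee850",
     "sha256": "dec3bfdef29cbab1dcab58098b439e96ea5a4b7b03a47dc9cfea16bc4ee0435f"},
    {"label": "128KB download", "md5": "f5fe6997a5472cb4832a4845a71a0def",
     "sha1": "bf862b7b824d472bc569cad1c5542bd1cf416a5e",
     "sha256": "4d9091a5e62797f27a4225889cf3eca5141d426c5952b705a206b2ce3158fa4b"},
    {"label": "submitted sample", "md5": "018ccb52b75e10cd4a45aa22aa7b2342",
     "sha1": "7f0033b4a3958e14d1959555bbfbd58e667d460b",
     "sha256": "085432a1c99fa59ffaf3838e1a987e17df690bfd19fe6ad001ee7d9d6fba3eb4"},
]
ALGOS = ("md5", "sha1", "sha256", "sha512")
DIGEST_LEN = {32: "md5", 40: "sha1", 64: "sha256", 128: "sha512"}


def classify_digest(hexdigest: str) -> str | None:
    """Name the algorithm from the hex length, or None if it is not one we compute.
    Lets an analyst paste hashes without having to tag each one."""
    return DIGEST_LEN.get(len(hexdigest.strip()))


def digests(data: bytes) -> dict[str, str]:
    """All four digests of an in-memory byte string, lowercase hex."""
    return {a: hashlib.new(a, data).hexdigest() for a in ALGOS}


def digests_of_file(path: Path, chunk: int = 1 << 20) -> dict[str, str]:
    """Same as digests(), but streamed so large files never load into memory."""
    hs = {a: hashlib.new(a) for a in ALGOS}
    with path.open("rb") as f:
        while block := f.read(chunk):
            for h in hs.values():
                h.update(block)
    return {a: h.hexdigest() for a, h in hs.items()}


def match_digests(ours: dict[str, str], iocs) -> list[tuple[str, str]]:
    """Return (label, algorithm) for each IoC entry that any of our digests equals.
    IoC hex is compared case-insensitively; unknown-length values are skipped,
    and one hit per entry is enough (the same file matches md5, sha1 and sha256)."""
    hits = []
    for ioc in iocs:
        for key, value in ioc.items():
            algo = classify_digest(value) if key != "label" else None
            if algo and ours.get(algo) == value.strip().lower():
                hits.append((ioc["label"], algo))
                break
    return hits


def match_iocs(data: bytes, iocs) -> list[tuple[str, str]]:
    return match_digests(digests(data), iocs)


def sweep(root: Path, iocs=REPORT_IOCS):
    """Yield (path, label, algorithm) for every regular file under root that
    matches an IoC. Unreadable files are skipped rather than aborting the sweep."""
    for p in root.rglob("*"):
        try:
            if not p.is_file():
                continue
            for label, algo in match_digests(digests_of_file(p), iocs):
                yield p, label, algo
        except OSError:
            continue


if __name__ == "__main__":
    import sys
    for path, label, algo in sweep(Path(sys.argv[1] if len(sys.argv) > 1 else ".")):
        print(f"{path}: {label} ({algo})")
```

Point it at the suspect user's profile (`python sweep.py C:\Users\Admin\AppData`) and it prints every file whose bytes match one of the reported downloads or the original sample. Because the Run-key launcher and the dropped rjxul.exe both live under AppData, that is the first tree worth sweeping; a miss there does not clear the host, since the payload was only observed in memory.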