Analysis
- max time kernel: 118s
- max time network: 121s
- platform: windows7_x64
- resource: win7-20230831-en
- resource tags: arch:x64, arch:x86, image:win7-20230831-en, locale:en-us, os:windows7-x64, system
- submitted: 29-09-2023 08:48
Static task: static1
Behavioral task: behavioral1
- Sample: 018ccb52b75e10cd4a45aa22aa7b2342.exe
- Resource: win7-20230831-en
Behavioral task: behavioral2
- Sample: 018ccb52b75e10cd4a45aa22aa7b2342.exe
- Resource: win10v2004-20230915-en
General
- Target: 018ccb52b75e10cd4a45aa22aa7b2342.exe
- Size: 304KB
- MD5: 018ccb52b75e10cd4a45aa22aa7b2342
- SHA1: 7f0033b4a3958e14d1959555bbfbd58e667d460b
- SHA256: 085432a1c99fa59ffaf3838e1a987e17df690bfd19fe6ad001ee7d9d6fba3eb4
- SHA512: 13497efa83635329a0381f5e447bd47bd29bf7d1634c3909cb0537148d54e348c1455faa6b0246365d165eb1626a65a21acd410d70309ba40bfd6f73ef4c1e8f
- SSDEEP: 6144:hnPdudwDvX6XTt3LWygobl2qgZbyWI2ku6nQ+i1ic3OYBsXA7L:hnPdj6ZKygjq0IZnK1wYMy
Malware Config
Extracted: snakekeylogger
- Protocol: smtp
- Host: posta.ni.net.tr
- Port: 587
- Username: [email protected]
- Password: nilya1957
- Email To: [email protected]
Signatures
-
Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
-
Snake Keylogger payload 6 IoCs
Processes:
resource                                                                      yara_rule
behavioral1/memory/2440-19-0x00000000001E0000-0x0000000000204000-memory.dmp   family_snakekeylogger
behavioral1/memory/2440-18-0x0000000004A00000-0x0000000004A40000-memory.dmp   family_snakekeylogger
behavioral1/memory/2440-16-0x0000000000400000-0x0000000000437000-memory.dmp   family_snakekeylogger
behavioral1/memory/2440-15-0x0000000000400000-0x0000000000437000-memory.dmp   family_snakekeylogger
behavioral1/memory/2440-11-0x0000000000400000-0x0000000000437000-memory.dmp   family_snakekeylogger
behavioral1/memory/2440-22-0x0000000000400000-0x0000000000437000-memory.dmp   family_snakekeylogger
-
Executes dropped EXE 2 IoCs
Processes:
pid   process
2240  rjxul.exe
2440  rjxul.exe
-
Loads dropped DLL 2 IoCs
Processes:
pid   process
2208  018ccb52b75e10cd4a45aa22aa7b2342.exe
2240  rjxul.exe
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
description: Set value (str)
ioc: \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Windows\CurrentVersion\Run\ooxhhclluq = "C:\\Users\\Admin\\AppData\\Roaming\\bkkg\\ppyueenjjs.exe \"C:\\Users\\Admin\\AppData\\Local\\Temp\\rjxul.exe\" "
process: rjxul.exe (2240)
The value names a launcher under %APPDATA%\bkkg and passes the Temp copy of rjxul.exe to it as a quoted argument, so both paths are worth collecting as host IOCs alongside the value name ooxhhclluq.
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow 2: checkip.dyndns.org
-
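The extracted SMTP configuration and the checkip.dyndns.org lookup together describe how this build exfiltrates: resolve the external IP, then mail the log to posta.ni.net.tr on port 587. The Python below is an added example, not the report's own output or any Triage code: it runs a correlation over a constructed, Zeek-style event log (only the two hostnames, PID 2440, the rjxul.exe image and port 587 come from the report; the timestamps, the outlook.exe row with PID 1888, the mail-client allowlist and the 300-second window are made up for the example) and raises an alert when a process that is not a known mail client performs an IP-lookup and then opens a mail-port connection within that window.

```python
# Constructed event log, one "<ts> <pid> <image> <kind> <target>" per line.
# checkip.dyndns.org, posta.ni.net.tr:587, PID 2440 and rjxul.exe are from the
# report; timestamps, the outlook.exe row and PID 1888 are made up.
NET_LOG = """\
1695977301 2440 rjxul.exe dns checkip.dyndns.org
1695977302 2440 rjxul.exe conn checkip.dyndns.org:80
1695977340 2440 rjxul.exe dns posta.ni.net.tr
1695977341 2440 rjxul.exe conn posta.ni.net.tr:587
1695977400 1888 outlook.exe conn posta.ni.net.tr:587
""".splitlines()

IP_LOOKUP_HOSTS = {"checkip.dyndns.org"}                     # from the report; extend as needed
MAIL_PORTS = {25, 465, 587}
MAIL_CLIENT_ALLOWLIST = {"outlook.exe", "thunderbird.exe"}   # assumed allowlist
WINDOW_SECONDS = 300                                          # assumed correlation window


def parse_events(lines):
    """Return (ts, pid, image, kind, host, port) tuples sorted by time; port is None for DNS rows."""
    events = []
    for line in lines:
        ts, pid, image, kind, target = line.split()
        if kind == "conn":
            host, _, port = target.rpartition(":")
        else:
            host, port = target, ""
        events.append((int(ts), int(pid), image, kind, host, int(port) if port else None))
    return sorted(events, key=lambda e: e[0])


def correlate_exfil(lines):
    """Alert when a process outside the mail-client allowlist contacts an IP-lookup
    service and, within WINDOW_SECONDS, connects to a mail port from the same PID."""
    last_lookup = {}  # pid -> (ts, lookup host)
    alerts = []
    for ts, pid, image, kind, host, port in parse_events(lines):
        if host in IP_LOOKUP_HOSTS:
            last_lookup[pid] = (ts, host)   # DNS or connection to the lookup service
            continue
        if kind != "conn" or port not in MAIL_PORTS:
            continue
        if image.lower() in MAIL_CLIENT_ALLOWLIST or pid not in last_lookup:
            continue
        lookup_ts, lookup_host = last_lookup[pid]
        if ts - lookup_ts <= WINDOW_SECONDS:
            alerts.append({"pid": pid, "image": image, "lookup": lookup_host,
                           "mail_host": host, "port": port, "delta": ts - lookup_ts})
    return alerts


if __name__ == "__main__":
    for a in correlate_exfil(NET_LOG):
        print(f"exfil candidate: pid {a['pid']} ({a['image']}) looked up {a['lookup']} "
              f"then connected to {a['mail_host']}:{a['port']} {a['delta']}s later")
```

The allowlist keeps the legitimate outlook.exe connection to the same host and port quiet; the rjxul.exe pair fires because the IP lookup and the SMTP connection come from the same PID 39 seconds apart.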
Suspicious use of SetThreadContext 1 IoCs
Processes:
description: PID 2240 set thread context of 2440
process: rjxul.exe (2240)
target process: rjxul.exe (2440)
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes:
pid   process
2440  rjxul.exe
-
Suspicious behavior: MapViewOfSection 1 IoCs
Processes:
pid   process
2240  rjxul.exe
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
description: Token: SeDebugPrivilege
process: rjxul.exe (2440)
Suspicious use of WriteProcessMemory 9 IoCs
Processes:
PID 2208 (018ccb52b75e10cd4a45aa22aa7b2342.exe) wrote to memory of 2240 (rjxul.exe)   4 times
PID 2240 (rjxul.exe) wrote to memory of 2440 (rjxul.exe)                              5 times
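The cross-process rows above (WriteProcessMemory, SetThreadContext, the YARA hits inside PID 2440, and the Run value written by PID 2240) can be turned into a small triage check. The following Python is an added example, not part of the sandbox report or of any Triage tooling: it re-types those rows as constructed input (same PIDs, image names, dump addresses and registry value as above), reconstructs which process wrote into and re-contexted which, flags the pair that also carries a family rule hit at the usual PE image base, and splits the Run value into launcher and argument. The function names, the 0x400000 heuristic, and the Roaming AppData / Temp path checks are assumptions of the example.

```python
import re

# Constructed input: the "Processes" rows of the WriteProcessMemory,
# SetThreadContext and AdjustPrivilegeToken signatures above, one per line.
# PIDs and image names are those of the report; the Token row is kept to
# show that rows which are not cross-process operations are skipped.
SIGNATURE_ROWS = """\
PID 2208 wrote to memory of 2240 2208 018ccb52b75e10cd4a45aa22aa7b2342.exe rjxul.exe
PID 2240 wrote to memory of 2440 2240 rjxul.exe rjxul.exe
PID 2240 set thread context of 2440 2240 rjxul.exe rjxul.exe
Token: SeDebugPrivilege 2440 rjxul.exe
""".splitlines()

# Constructed input: three of the six YARA rows from "Snake Keylogger payload".
YARA_ROWS = """\
behavioral1/memory/2440-19-0x00000000001E0000-0x0000000000204000-memory.dmp family_snakekeylogger
behavioral1/memory/2440-18-0x0000000004A00000-0x0000000004A40000-memory.dmp family_snakekeylogger
behavioral1/memory/2440-16-0x0000000000400000-0x0000000000437000-memory.dmp family_snakekeylogger
""".splitlines()

# The Run value written by PID 2240, unescaped from the registry row above.
RUN_VALUE = r'C:\Users\Admin\AppData\Roaming\bkkg\ppyueenjjs.exe "C:\Users\Admin\AppData\Local\Temp\rjxul.exe" '

XPROC_RE = re.compile(r"PID (\d+) (wrote to memory of|set thread context of) (\d+) \d+ (\S+) (\S+)")
YARA_RE = re.compile(r"memory/(\d+)-\d+-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp (\S+)")
TOKEN_RE = re.compile(r'"([^"]*)"|(\S+)')

# Assumed heuristic: a family rule hit whose dump starts at the default PE
# image base means the malicious image was mapped over the child's own image.
PE_IMAGE_BASE = 0x400000


def parse_cross_process(rows):
    """Map (src_pid, dst_pid) -> {"ops": {...}, "src": image, "dst": image}."""
    edges = {}
    for row in rows:
        m = XPROC_RE.match(row)
        if not m:
            continue  # not a cross-process operation row
        src, op, dst, src_img, dst_img = m.groups()
        edge = edges.setdefault((int(src), int(dst)),
                                {"ops": set(), "src": src_img, "dst": dst_img})
        edge["ops"].add("write" if op.startswith("wrote") else "setctx")
    return edges


def parse_yara(rows):
    """Return one dict per memory-dump hit: pid, start, end, rule."""
    hits = []
    for row in rows:
        m = YARA_RE.search(row)
        if m:
            pid, start, end, rule = m.groups()
            hits.append({"pid": int(pid), "start": int(start, 16),
                         "end": int(end, 16), "rule": rule})
    return hits


def find_hollowing(edges, hits):
    """Flag parent->child pairs where the parent wrote the child's memory AND
    reset a thread context, both run the same image, and a family rule matched
    in the child at PE_IMAGE_BASE."""
    findings = []
    for (src, dst), edge in edges.items():
        if not {"write", "setctx"} <= edge["ops"] or edge["src"] != edge["dst"]:
            continue
        rules = sorted({h["rule"] for h in hits
                        if h["pid"] == dst and h["start"] == PE_IMAGE_BASE})
        if rules:
            findings.append({"parent": src, "child": dst,
                             "image": edge["dst"], "rules": rules})
    return findings


def parse_run_value(value):
    """Split a Run-key command line into (launcher, [args]), honouring double quotes."""
    tokens = [quoted or bare for quoted, bare in TOKEN_RE.findall(value)]
    return tokens[0], tokens[1:]


def classify_run_value(value):
    """Assumed triage flags: launcher under Roaming AppData, argument pointing into Temp."""
    launcher, args = parse_run_value(value)
    flags = []
    if "\\appdata\\roaming\\" in launcher.lower():
        flags.append("launcher_in_roaming_appdata")
    if any("\\appdata\\local\\temp\\" in a.lower() for a in args):
        flags.append("argument_points_into_temp")
    return {"launcher": launcher, "args": args, "flags": flags}


if __name__ == "__main__":
    for f in find_hollowing(parse_cross_process(SIGNATURE_ROWS), parse_yara(YARA_ROWS)):
        print(f"hollowing: {f['parent']} -> {f['child']} ({f['image']}) rules={f['rules']}")
    print(classify_run_value(RUN_VALUE))
```

Only the 2240 -> 2440 pair satisfies all three conditions: 2208 wrote into 2240 but never set a thread context there, and the rule hit at 0x400000-0x437000 lives in 2440, which is why the Snake Keylogger payload rows all name that PID.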
Processes
Chain reconstructed from the WriteProcessMemory and SetThreadContext rows above: 2208 writes into 2240, and 2240 writes into and sets the thread context of a second rjxul.exe (2440), which is the process carrying the Snake Keylogger memory hits.
-
C:\Users\Admin\AppData\Local\Temp\018ccb52b75e10cd4a45aa22aa7b2342.exe
"C:\Users\Admin\AppData\Local\Temp\018ccb52b75e10cd4a45aa22aa7b2342.exe"
PID: 2208
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\rjxul.exe
"C:\Users\Admin\AppData\Local\Temp\rjxul.exe"
PID: 2240
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\rjxul.exe
"C:\Users\Admin\AppData\Local\Temp\rjxul.exe"
PID: 2440
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize: 223KB
MD5: 7d27db2a5bfe2a656deb5c058c11e895
SHA1: a984084e6c172afe7e74e1aad336da5e18d1f6ca
SHA256: 18a3419e49235789b45d28cd7c237f0ed01b951d59be06d69be7b2885b39df3e
SHA512: a2faaf0c5f76a36c46cfd4b044d01d6310d30bdd34ec87737efd3612461df2356a641b296abfb04b8f1a734a1269cc66fe01fc5c04ad7ec943cf034ce6e39526
-
Filesize: 179KB
MD5: f349989874895162828483b02560076a
SHA1: 65511ebe6f6d198644015e8dc381c4f4ee2ee850
SHA256: dec3bfdef29cbab1dcab58098b439e96ea5a4b7b03a47dc9cfea16bc4ee0435f
SHA512: 7a96db3f8d2799e98fdb3b447e1eef9022698524570c33ea88cba8c133782afeffd0acec1624b81aa9d43a0a400761482503aad8f73aeefbb2d23c9945efe401