Analysis
-
max time kernel
143s -
max time network
155s -
platform
windows10-2004_x64 -
resource
win10v2004-20230915-en -
resource tags
arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system -
submitted
02-10-2023 16:38
Static task
static1
Behavioral task
behavioral1
Sample
hesaphareketi-01.exe
Resource
win7-20230831-en
Behavioral task
behavioral2
Sample
hesaphareketi-01.exe
Resource
win10v2004-20230915-en
General
-
Target
hesaphareketi-01.exe
-
Size
731KB
-
MD5
3024f8b8500d2629b5d934d0ef334efb
-
SHA1
d2013e0488e50fe9039986129e46725c2353e0a7
-
SHA256
12a63c9b7bd7c707d4a0e440182abf8c5afc62c171a06f188e32c18048c7ea31
-
SHA512
b8ca6e76ebfd879d3f5643caa614d57fb7d57e5a95d79aecea2bdbd71bbed366b72a59a12b96b6f84e988c45e15e1c3369fd01418972e0aed7dba65ee2a4a998
-
SSDEEP
12288:JqH3dU+ta6byR6WYlvZja6+hpKo8sRexHyoRwMt7zANdi:etU+YxYtARN6wUK0
Malware Config
Extracted
snakekeylogger
Protocol: smtp- Host:
mail.gkas.com.tr - Port:
587 - Username:
[email protected] - Password:
Gkasteknik@2022
Signatures
-
Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
-
Snake Keylogger payload 1 IoCs
Processes:
resource yara_rule behavioral2/memory/3828-18-0x0000000000400000-0x0000000000424000-memory.dmp family_snakekeylogger -
Processes:
svchost.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" svchost.exe -
Processes:
svchost.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths svchost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\svchost.exe = "0" svchost.exe -
Looks for VirtualBox Guest Additions in registry 2 TTPs 2 IoCs
Processes:
hesaphareketi-01.exesvchost.exedescription ioc process Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Oracle\VirtualBox Guest Additions hesaphareketi-01.exe Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Oracle\VirtualBox Guest Additions svchost.exe -
Looks for VMWare Tools registry key 2 TTPs 2 IoCs
Processes:
hesaphareketi-01.exesvchost.exedescription ioc process Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\VMware, Inc.\VMware Tools hesaphareketi-01.exe Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\VMware, Inc.\VMware Tools svchost.exe -
Checks BIOS information in registry 2 TTPs 4 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
svchost.exehesaphareketi-01.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion svchost.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion hesaphareketi-01.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion hesaphareketi-01.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion svchost.exe -
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
svchost.exehesaphareketi-01.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Control Panel\International\Geo\Nation svchost.exe Key value queried \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Control Panel\International\Geo\Nation hesaphareketi-01.exe -
Executes dropped EXE 1 IoCs
Processes:
svchost.exepid process 3316 svchost.exe -
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Processes:
svchost.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths svchost.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions svchost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\svchost.exe = "0" svchost.exe -
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
Processes:
RegAsm.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 RegAsm.exe Key opened \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 RegAsm.exe Key opened \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 RegAsm.exe -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
hesaphareketi-01.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost = "\"C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe\"" hesaphareketi-01.exe -
Processes:
svchost.exedescription ioc process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA svchost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" svchost.exe -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 35 checkip.dyndns.org -
Maps connected drives based on registry 3 TTPs 4 IoCs
Disk information is often read in order to detect sandboxing environments.
Processes:
hesaphareketi-01.exesvchost.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum hesaphareketi-01.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 hesaphareketi-01.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum svchost.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 svchost.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
svchost.exedescription pid process target process PID 3316 set thread context of 3828 3316 svchost.exe RegAsm.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Delays execution with timeout.exe 1 IoCs
Processes:
timeout.exepid process 1128 timeout.exe -
Suspicious behavior: EnumeratesProcesses 27 IoCs
Processes:
hesaphareketi-01.exeRegAsm.exepowershell.exepid process 3680 hesaphareketi-01.exe 3680 hesaphareketi-01.exe 3680 hesaphareketi-01.exe 3680 hesaphareketi-01.exe 3680 hesaphareketi-01.exe 3680 hesaphareketi-01.exe 3680 hesaphareketi-01.exe 3680 hesaphareketi-01.exe 3680 hesaphareketi-01.exe 3680 hesaphareketi-01.exe 3680 hesaphareketi-01.exe 3680 hesaphareketi-01.exe 3680 hesaphareketi-01.exe 3680 hesaphareketi-01.exe 3680 hesaphareketi-01.exe 3680 hesaphareketi-01.exe 3680 hesaphareketi-01.exe 3680 hesaphareketi-01.exe 3680 hesaphareketi-01.exe 3680 hesaphareketi-01.exe 3680 hesaphareketi-01.exe 3680 hesaphareketi-01.exe 3680 hesaphareketi-01.exe 3828 RegAsm.exe 4764 powershell.exe 4764 powershell.exe 3828 RegAsm.exe -
Suspicious use of AdjustPrivilegeToken 4 IoCs
Processes:
hesaphareketi-01.exesvchost.exeRegAsm.exepowershell.exedescription pid process Token: SeDebugPrivilege 3680 hesaphareketi-01.exe Token: SeDebugPrivilege 3316 svchost.exe Token: SeDebugPrivilege 3828 RegAsm.exe Token: SeDebugPrivilege 4764 powershell.exe -
Suspicious use of WriteProcessMemory 26 IoCs
Processes:
hesaphareketi-01.execmd.execmd.exesvchost.exedescription pid process target process PID 3680 wrote to memory of 1688 3680 hesaphareketi-01.exe cmd.exe PID 3680 wrote to memory of 1688 3680 hesaphareketi-01.exe cmd.exe PID 3680 wrote to memory of 1688 3680 hesaphareketi-01.exe cmd.exe PID 3680 wrote to memory of 4788 3680 hesaphareketi-01.exe cmd.exe PID 3680 wrote to memory of 4788 3680 hesaphareketi-01.exe cmd.exe PID 3680 wrote to memory of 4788 3680 hesaphareketi-01.exe cmd.exe PID 1688 wrote to memory of 4208 1688 cmd.exe schtasks.exe PID 1688 wrote to memory of 4208 1688 cmd.exe schtasks.exe PID 1688 wrote to memory of 4208 1688 cmd.exe schtasks.exe PID 4788 wrote to memory of 1128 4788 cmd.exe timeout.exe PID 4788 wrote to memory of 1128 4788 cmd.exe timeout.exe PID 4788 wrote to memory of 1128 4788 cmd.exe timeout.exe PID 4788 wrote to memory of 3316 4788 cmd.exe svchost.exe PID 4788 wrote to memory of 3316 4788 cmd.exe svchost.exe PID 4788 wrote to memory of 3316 4788 cmd.exe svchost.exe PID 3316 wrote to memory of 4764 3316 svchost.exe powershell.exe PID 3316 wrote to memory of 4764 3316 svchost.exe powershell.exe PID 3316 wrote to memory of 4764 3316 svchost.exe powershell.exe PID 3316 wrote to memory of 3828 3316 svchost.exe RegAsm.exe PID 3316 wrote to memory of 3828 3316 svchost.exe RegAsm.exe PID 3316 wrote to memory of 3828 3316 svchost.exe RegAsm.exe PID 3316 wrote to memory of 3828 3316 svchost.exe RegAsm.exe PID 3316 wrote to memory of 3828 3316 svchost.exe RegAsm.exe PID 3316 wrote to memory of 3828 3316 svchost.exe RegAsm.exe PID 3316 wrote to memory of 3828 3316 svchost.exe RegAsm.exe PID 3316 wrote to memory of 3828 3316 svchost.exe RegAsm.exe -
System policy modification 1 TTPs 1 IoCs
Processes:
svchost.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" svchost.exe -
outlook_office_path 1 IoCs
Processes:
RegAsm.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 RegAsm.exe -
outlook_win_path 1 IoCs
Processes:
RegAsm.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 RegAsm.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\hesaphareketi-01.exe"C:\Users\Admin\AppData\Local\Temp\hesaphareketi-01.exe"1⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Checks computer location settings
- Adds Run key to start application
- Maps connected drives based on registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3680 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"' & exit2⤵
- Suspicious use of WriteProcessMemory
PID:1688 -
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"'3⤵
- Creates scheduled task(s)
PID:4208 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp8695.tmp.bat""2⤵
- Suspicious use of WriteProcessMemory
PID:4788 -
C:\Windows\SysWOW64\timeout.exetimeout 33⤵
- Delays execution with timeout.exe
PID:1128 -
C:\Users\Admin\AppData\Roaming\svchost.exe"C:\Users\Admin\AppData\Roaming\svchost.exe"3⤵
- UAC bypass
- Windows security bypass
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3316 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\svchost.exe" -Force4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4764 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"4⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:3828
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
3Disable or Modify Tools
3Modify Registry
5Virtualization/Sandbox Evasion
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
151B
MD52a1bca1c4a5f3b73cbc29cc4b6d9feb7
SHA1469eba29d53a2add29fdc8708b602d740cf20d96
SHA256bd908b28b4d6b2ea0e4d0f5b811da6f5ccd84eabeae64793190eea733225c1c8
SHA512de4d5eb1f2ecfde988db65e5202433493a26c256a960f1db8dfe4903fbb725bf4d2ac7341a63e1580d05e4b4e6bc78f3e386f67780ab8aa539b28163e86f932c
-
Filesize
731KB
MD53024f8b8500d2629b5d934d0ef334efb
SHA1d2013e0488e50fe9039986129e46725c2353e0a7
SHA25612a63c9b7bd7c707d4a0e440182abf8c5afc62c171a06f188e32c18048c7ea31
SHA512b8ca6e76ebfd879d3f5643caa614d57fb7d57e5a95d79aecea2bdbd71bbed366b72a59a12b96b6f84e988c45e15e1c3369fd01418972e0aed7dba65ee2a4a998
-
Filesize
731KB
MD53024f8b8500d2629b5d934d0ef334efb
SHA1d2013e0488e50fe9039986129e46725c2353e0a7
SHA25612a63c9b7bd7c707d4a0e440182abf8c5afc62c171a06f188e32c18048c7ea31
SHA512b8ca6e76ebfd879d3f5643caa614d57fb7d57e5a95d79aecea2bdbd71bbed366b72a59a12b96b6f84e988c45e15e1c3369fd01418972e0aed7dba65ee2a4a998