Analysis
-
max time kernel
138s -
max time network
147s -
platform
windows7_x64 -
resource
win7-20230831-en -
resource tags
-
submitted
03-10-2023 14:32
General
-
Target
6e9331ce6b0ef84031079cf0d10d4f09e389b29c970cbe9f6f1d683eafa9aa52_JC.exe
-
Size
896KB
-
MD5
e478fc4b0c1091347240550446e2f7a2
-
SHA1
2c46e2b777dc7a29c17deaee98534069efa91586
-
SHA256
6e9331ce6b0ef84031079cf0d10d4f09e389b29c970cbe9f6f1d683eafa9aa52
-
SHA512
6476b53eeabeea7b97e0af0e41454ff713ba5c625ca2b8a4d211c9fb32ecca847ac85a39b28a0f5ac1a37628708df22da5aea99853b289c1bb911acc435345e3
-
SSDEEP
12288:GmVjOxbWKVGu27Wm4XfbzsqPhxRAUwQ7xjAkZNPrApR60mR4IQfei08hTrC+iQas:GmVja2iPhhXZq60zD1himaDQ
Malware Config
Extracted
snakekeylogger
Protocol: smtp- Host:
mail.gkas.com.tr - Port:
587 - Username:
[email protected] - Password:
Gkasteknik@2022
Signatures
-
Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
-
Snake Keylogger payload 3 IoCs
-
UAC bypass 3 TTPs 1 IoCs
-
Windows security bypass 2 TTPs 2 IoCs
-
Looks for VirtualBox Guest Additions in registry 2 TTPs 2 IoCs
-
Looks for VMWare Tools registry key 2 TTPs 2 IoCs
-
Checks BIOS information in registry 2 TTPs 4 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Executes dropped EXE 1 IoCs
-
Loads dropped DLL 1 IoCs
-
Windows security modification 2 TTPs 3 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Maps connected drives based on registry 3 TTPs 4 IoCs
Disk information is often read in order to detect sandboxing environments.
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Delays execution with timeout.exe 1 IoCs
-
Modifies Internet Explorer settings 1 TTPs 34 IoCs
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of SetWindowsHookEx 6 IoCs
-
Suspicious use of WriteProcessMemory 41 IoCs
-
System policy modification 1 TTPs 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\6e9331ce6b0ef84031079cf0d10d4f09e389b29c970cbe9f6f1d683eafa9aa52_JC.exe"C:\Users\Admin\AppData\Local\Temp\6e9331ce6b0ef84031079cf0d10d4f09e389b29c970cbe9f6f1d683eafa9aa52_JC.exe"1⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Adds Run key to start application
- Maps connected drives based on registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"' & exit2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"'3⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp9222.tmp.bat""2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\timeout.exetimeout 33⤵
- Delays execution with timeout.exe
-
C:\Users\Admin\AppData\Roaming\svchost.exe"C:\Users\Admin\AppData\Roaming\svchost.exe"3⤵
- UAC bypass
- Windows security bypass
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\svchost.exe" -Force4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\regtlibv12.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regtlibv12.exe"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=regtlibv12.exe&platform=0009&osver=5&isServer=0&shimver=4.0.30319.05⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1800 CREDAT:275457 /prefetch:26⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
3Disable or Modify Tools
3Modify Registry
6Virtualization/Sandbox Evasion
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
344B
MD503c0594d3104fd5ad6603b578619080b
SHA1bed72fd24f33fd11ded51e74d47612fd296593de
SHA256dfd0778a6fa7475a654ee049e9d0606946ea990d5bd2cb73c28185f2690d56a2
SHA5121baedae760bda3afbd970720b76b5276cf9c72dbd940df3a00e96feb13bff755affeb3c25ae7f46169eced164c9796893c882c33bce1798d56eb1a4351946441
-
Filesize
344B
MD5edff9d4a6c63478c83ec05e62a245f83
SHA10857ca41e206eb458df24c5fad2b4ed955b100cf
SHA256ba0d259a3b06b4a8f8d1440e12c1e50ea6a72a2556dbb7035bb046a62c5f954c
SHA51245ae66d4bfec30e82c1c95d2beee15cbc5578e8402da4d99aab18b0e3600112d207b6670cc315453165756e8bef7c3302e69f80a4a775a436913028e8cf426a9
-
Filesize
344B
MD58fe9c2b5c76f53d7a2ca9e062a7bdd24
SHA1e4fad9c9d74a55f4fb02be669f4b26c7aac20542
SHA2567d64daf5565969f5489254adfd9a3c260082c4b4a9c8c7136543ad856b265bd6
SHA512365c4c844c8f234a092df99a72f985635401576b6f72b1e2f56166a25cafc100d7cb7d7991c2ba7d314664e892b6265fc423354e7be160e20d47ad7926911f05
-
Filesize
344B
MD5bae0513c0400a8f59bb6cc633811f8e8
SHA104be231a07f7709622ffd59f028176d1b31fc142
SHA2567c249aa7e73dfa84b6b00d1548a02a0df5e6dc531f36d8b73b0cf0106cbc1706
SHA512668118e1ab7f6b275bdaf294d8499afffb31a257452b11a2d4ec84099f9d31fa2364dc46ed8fac7a10d90342bf957d9812c7dccd646ee1712cf15511f748cebd
-
Filesize
344B
MD582ced04ab00a1f9622db2ef9dc2b75d5
SHA167d51f7b8d290892201cd9a3bc0ba0c587f95c68
SHA2562a4b46f24cb6af21bfa6277607be0a18dd33b3a19af8e68b7924287c38527093
SHA51219d987d74eeeb9bf3bbb3bf085ca346c005e3c139ed157ef0ce9c5c2f8c40d3cc34a5da8fb322f406160f4229523113dc1ae916eb285fcfdbd1ccd8d2c197e24
-
Filesize
344B
MD5877a0dc8d9bb43da207b828ca35ac35c
SHA1691609900183d99ac59b715fdf57d0e4e3ccceb6
SHA256277b43b6608b06c17d59597413297cefe26c9108f7a3f505eb83d8ba1158aa30
SHA5124b102fd5d44424c1e61e66245f18c751622e39bbbdeac343dbba0e18bdcc77f4eb45f1fb12a28197fef77456da17e2fc7e0993537e9cc40f85e547e702a94e59
-
Filesize
344B
MD580c8acfee92ecfe3be1b6122ab786159
SHA12a4585174cdb0e0a8daf04dd7be1e5e3d3e59e31
SHA256e6e2a62509d3299f63fdc5a2072b6d51a2b6357706c275b480c83bc7b609f7df
SHA512b751d4ea50cf6f6a94ac6c28277ff4d23a24dc7e40f10cf9355bf54c97cfdbe2deeef09bb1bceacce64d62e8c9bde4e6b264139a6a397f1f2671750630a94b4e
-
Filesize
344B
MD5e2f3255d4a2fa7f131798454a2f1a6ab
SHA1b86c07f1a774284790a66a2b8c46a011fa8361ee
SHA2562f52b6ee00d98eb053866846eb08ad4fd620c99039093f6c1e1f9a2ae2fe9579
SHA5124219c3eed6f9127cd08938ffed7f84bab65be9c3263c8c083cd098540ecf80957884d1cff3721cfa2cf4a836f8d78da88df441fdb13541fde8ddb8bbb9b1b07d
-
Filesize
344B
MD50709fee1c866e423616130a7f6fa6016
SHA1ef4372fbcb4bef528bd936baffb8cd194610f968
SHA256867c05650ae80be767e14162977cdba7f7fce3b2352fb5d095c63734cba2ef40
SHA512885b80e266959d8ecb57b1b54bf4073ccf7a837cfd42cfbcf70340b2ee8288b08ee7462d07ee5dfb11ba417a8026e79e2155c29213dcba5323edf880360029d2
-
Filesize
344B
MD5ce75c422e9dec7889a985a23a1c6db24
SHA1840d0c301d0af286812fcd6fd591d2906c186b48
SHA2561c6c4ec9761ea23a434be9d51567142a2171f53d18ed306bcfd385aaaca91764
SHA512f23b85146597d4765bf9af4f8e1c40c868bf6316a299913a61f65f788ed8922628c742a413cbec8eb1e6d4c6184f54272722df9cbcb4e01ede44dae85fbcc49a
-
Filesize
344B
MD5c04d657ada036c0933d5d5efa5fb2796
SHA19054bd755de9c884b19f55734d28ccecab5baded
SHA256f6bd0a4556b36a7d813495b56bb47d6eab0cb9c23334996934832fcc954d06be
SHA51253584e017e4070884b23e2dcf4efe69837966d16e8869450f2fe7f84a9bec395809008baeff6692bc7511b8c396e161c5c958aebec9c4195c7d69beb2e1791aa
-
Filesize
344B
MD548ef492f6ee03fce0bcc0b6e2ec4742c
SHA1e683ab4750f1aa2f1b94d503ebeca11709cd7223
SHA256b83aad636dc52f0205da1a62f50be3540605e75e7d444e0b0491be1e25492bef
SHA5123c58898f97e7ee1a28b03e17fb5eb36e065c9c4acbae2762f107b5a10091c142af1e339bdcd28bf6e2dbf05c6187670d0d4c7ec2d33ee680c27b9085a0d01ec9
-
Filesize
344B
MD54083e3cc7db48554bf9ab79bb8175bbc
SHA1ab82c1354df082516980ba4a941e6cbac34d1a5d
SHA256cc7ef1c3bcb86fa805422b356b3b365070fb9d8edc37313db55a0b9f08b1ce87
SHA5127134467ecd32f059bd98c0bd76d0a234b4e33760c9eaa323d801516a35c9a988af76b419b31debc74e21dd1ac34c5716e48b072c68914c93ce5ddc6e7c244b00
-
Filesize
344B
MD56dd7997240bd81b4a7c52af15f137de5
SHA1cf07c23180449f6e83c48d9e06e4d057e2224d13
SHA25640ce36549bf459af3721d38949d87ef3c7fc1a87d948b07604b2a94469be2204
SHA512674a235d26e76dd82a625d203243f6e157bf599f8ffcbff589b156b27fe56d47fe2e5d7a31162d0a064996e737592da4aa8ae1324681fffe7cf05537d86feaed
-
Filesize
344B
MD54364775f773e45ecf58ae95a03cdf20c
SHA188dd8dc24159462297963a30b6756aab32781fe3
SHA256ced243eae93c2e68c9ef216caef78635ed08512e4e76f9a5c79b048c6bf7e147
SHA5121a77fc5d804702aa30c3349bf9ffadab8ac6507649ad6f36051f3ea592ed6b3ebca49397d022a936b6447adcd5cdaa260948ac0c4514fac58ae070a2d7dd5402
-
Filesize
344B
MD51a0f0d8e34139296964f59ed96b2ba57
SHA11f91901bcba77db8ee577bebd16a0dff48f0b67e
SHA256c2d37acc730cc0a4708d42c852d332ad309f9810a7d47cbb1d2cb60b1e7d4154
SHA512b8da60322a815fe4676c7e5c8a5f806349ed37ba550e45cad472fa635fad3743a0854a72a10ce8d4a5d331ec3fa35c5bdc42a0c486962c3a961a2946491c12c9
-
Filesize
344B
MD5ece9ed432db8b8bcaba436e581f2dbc8
SHA1c20e020319379466fa759609b903017c5aa6384f
SHA25677a29a5b34af310320f259cf33723e6e69620c4d2f1a825e1f8cd4346695e2ce
SHA51219e77af90bdaec2e44cd05b82f2644728107a280fe7112028f75244f81a54608c8f6dbef9646eb076a25110ae1c857a869ef928226568296a8d60d368e4d1160
-
Filesize
344B
MD5666bb4d0f51c1ee09bbf35cba1d4e46d
SHA19d397829f333a4324c48c46c0be0a128394dd701
SHA25655ac35a5d579d9019d8827191dec3c0d7d9736dcbdb5fd71d2d87461f17e3504
SHA512ae40e7c28061e17ee66967ca4f2a4b432241e3b1084f86b38cefa1b88534c8e51bdfc380f630eed46f1165a95cd72b32a6a45ddbde000b2ace2fd9ea04ef22dc
-
Filesize
61KB
MD5f3441b8572aae8801c04f3060b550443
SHA14ef0a35436125d6821831ef36c28ffaf196cda15
SHA2566720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf
SHA5125ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9
-
Filesize
163KB
MD59441737383d21192400eca82fda910ec
SHA1725e0d606a4fc9ba44aa8ffde65bed15e65367e4
SHA256bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5
SHA5127608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf
-
Filesize
151B
MD57e69d477101f4cc9323dd8b9dda440b0
SHA14da6be6bec26f506b29299dcd890bf6d57169f6e
SHA2565a649879217e2b0e6212c3c3a74d366de19de2e43836e5f8c3696fb7d4e82140
SHA512d43cb2151b1562be91871d1f4308e9fdd95762f7b4f31179a9afd1286cb640ff17905b8ae9897a4514fb62abedd0efe596231bdb902eccb6f0415b211857c120
-
Filesize
151B
MD57e69d477101f4cc9323dd8b9dda440b0
SHA14da6be6bec26f506b29299dcd890bf6d57169f6e
SHA2565a649879217e2b0e6212c3c3a74d366de19de2e43836e5f8c3696fb7d4e82140
SHA512d43cb2151b1562be91871d1f4308e9fdd95762f7b4f31179a9afd1286cb640ff17905b8ae9897a4514fb62abedd0efe596231bdb902eccb6f0415b211857c120
-
Filesize
896KB
MD5e478fc4b0c1091347240550446e2f7a2
SHA12c46e2b777dc7a29c17deaee98534069efa91586
SHA2566e9331ce6b0ef84031079cf0d10d4f09e389b29c970cbe9f6f1d683eafa9aa52
SHA5126476b53eeabeea7b97e0af0e41454ff713ba5c625ca2b8a4d211c9fb32ecca847ac85a39b28a0f5ac1a37628708df22da5aea99853b289c1bb911acc435345e3
-
Filesize
896KB
MD5e478fc4b0c1091347240550446e2f7a2
SHA12c46e2b777dc7a29c17deaee98534069efa91586
SHA2566e9331ce6b0ef84031079cf0d10d4f09e389b29c970cbe9f6f1d683eafa9aa52
SHA5126476b53eeabeea7b97e0af0e41454ff713ba5c625ca2b8a4d211c9fb32ecca847ac85a39b28a0f5ac1a37628708df22da5aea99853b289c1bb911acc435345e3
-
Filesize
896KB
MD5e478fc4b0c1091347240550446e2f7a2
SHA12c46e2b777dc7a29c17deaee98534069efa91586
SHA2566e9331ce6b0ef84031079cf0d10d4f09e389b29c970cbe9f6f1d683eafa9aa52
SHA5126476b53eeabeea7b97e0af0e41454ff713ba5c625ca2b8a4d211c9fb32ecca847ac85a39b28a0f5ac1a37628708df22da5aea99853b289c1bb911acc435345e3
-
Filesize
6.9MB
-
Filesize
912KB
-
Filesize
6.9MB
-
Filesize
256KB
-
Filesize
256KB
-
Filesize
280KB
-
Filesize
104KB
-
Filesize
6.9MB
-
Filesize
144KB
-
Filesize
144KB
-
Filesize
144KB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
256KB
-
Filesize
256KB
-
Filesize
5.7MB
-
Filesize
256KB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
104KB
-
Filesize
6.9MB
-
Filesize
912KB
-
Filesize
256KB
-
Filesize
6.9MB