Analysis
-
max time kernel
147s -
max time network
155s -
platform
windows10-2004_x64 -
resource
win10v2004-20230915-en -
resource tags
arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system -
submitted
05-10-2023 03:48
Static task
static1
Behavioral task
behavioral1
Sample
Inquiry Parts 2023-10.scr
Resource
win7-20230831-en
Behavioral task
behavioral2
Sample
Inquiry Parts 2023-10.scr
Resource
win10v2004-20230915-en
Behavioral task
behavioral3
Sample
RFQ-1199211.exe
Resource
win7-20230831-en
Behavioral task
behavioral4
Sample
RFQ-1199211.exe
Resource
win10v2004-20230915-en
General
-
Target
Inquiry Parts 2023-10.scr
-
Size
769KB
-
MD5
5effabc97480cc8fb3cfa6833d20e5ef
-
SHA1
168c4247f596a89f73b081b20e214a74feed0109
-
SHA256
18984ef29316e8b0ca4423e4f17418b23ec54e91bb7809ea5f840d03b618d987
-
SHA512
fa77e8e1e805a98e46773b3a2b2301bff80134bfb764d8cc4b1b1563ec3ab964a82ae519582288c5f9e556d0964ae9c1c8c50c5d564be6581dc5091f757eb6bd
-
SSDEEP
12288:CRvAblxM/xBzcFyHcJNdWfpuL19aoI+39k68:CRYbnM/Xzc3Nmpaz++h8
Malware Config
Extracted
snakekeylogger
https://api.telegram.org/bot6037842610:AAGtFhP2ARfeZprQQ-fc4jocpQJfZYmE3Vo/sendMessage?chat_id=5086753017
Signatures
-
Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
-
Snake Keylogger payload 1 IoCs
Processes:
resource yara_rule behavioral2/memory/2344-10-0x0000000140000000-0x0000000140020000-memory.dmp family_snakekeylogger -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
Inquiry Parts 2023-10.scrdescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Sthcunpxxo = "C:\\Users\\Admin\\AppData\\Roaming\\Sthcunpxxo.exe" Inquiry Parts 2023-10.scr -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 81 checkip.dyndns.org -
Suspicious use of SetThreadContext 1 IoCs
Processes:
Inquiry Parts 2023-10.scrdescription pid process target process PID 100 set thread context of 2344 100 Inquiry Parts 2023-10.scr Inquiry Parts 2023-10.scr -
Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes:
Inquiry Parts 2023-10.scrpid process 2344 Inquiry Parts 2023-10.scr -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
Inquiry Parts 2023-10.scrInquiry Parts 2023-10.scrdescription pid process Token: SeDebugPrivilege 100 Inquiry Parts 2023-10.scr Token: SeDebugPrivilege 2344 Inquiry Parts 2023-10.scr -
Suspicious use of WriteProcessMemory 6 IoCs
Processes:
Inquiry Parts 2023-10.scrdescription pid process target process PID 100 wrote to memory of 2344 100 Inquiry Parts 2023-10.scr Inquiry Parts 2023-10.scr PID 100 wrote to memory of 2344 100 Inquiry Parts 2023-10.scr Inquiry Parts 2023-10.scr PID 100 wrote to memory of 2344 100 Inquiry Parts 2023-10.scr Inquiry Parts 2023-10.scr PID 100 wrote to memory of 2344 100 Inquiry Parts 2023-10.scr Inquiry Parts 2023-10.scr PID 100 wrote to memory of 2344 100 Inquiry Parts 2023-10.scr Inquiry Parts 2023-10.scr PID 100 wrote to memory of 2344 100 Inquiry Parts 2023-10.scr Inquiry Parts 2023-10.scr
Processes
-
C:\Users\Admin\AppData\Local\Temp\Inquiry Parts 2023-10.scr"C:\Users\Admin\AppData\Local\Temp\Inquiry Parts 2023-10.scr" /S1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:100 -
C:\Users\Admin\AppData\Local\Temp\Inquiry Parts 2023-10.scr"C:\Users\Admin\AppData\Local\Temp\Inquiry Parts 2023-10.scr"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2344
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD5159a40ccfd419bd60a20a1c278edaafd
SHA109bc35e46135b6b44c609fe6514ab7e2c8696a99
SHA25624487f4b6318683dcd81970e9f57fb45167575f687f7831a563176e20da657b6
SHA512b5c5b8c23479afff6b72c37c2cc1204c079ae003bae586d082d2b05acfdab8753fea78c5e53f692e4a45aba6746703d9ca99a2d0fa7bd88a7f35a910d1ad1ff3