Overview

overview

10

Static

static

3

Inquiry Pa...10.scr

windows7-x64

1

Inquiry Pa...10.scr

windows10-2004-x64

10

RFQ-1199211.exe

windows7-x64

1

RFQ-1199211.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    147s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230915-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
  • submitted
    05-10-2023 03:48

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Inquiry Parts 2023-10.scr

  • Size

    769KB

  • MD5

    5effabc97480cc8fb3cfa6833d20e5ef

  • SHA1

    168c4247f596a89f73b081b20e214a74feed0109

  • SHA256

    18984ef29316e8b0ca4423e4f17418b23ec54e91bb7809ea5f840d03b618d987

  • SHA512

    fa77e8e1e805a98e46773b3a2b2301bff80134bfb764d8cc4b1b1563ec3ab964a82ae519582288c5f9e556d0964ae9c1c8c50c5d564be6581dc5091f757eb6bd

  • SSDEEP

    12288:CRvAblxM/xBzcFyHcJNdWfpuL19aoI+39k68:CRYbnM/Xzc3Nmpaz++h8

Score
10/10
snakekeyloggerkeyloggerpersistencestealer

Malware Config

Extracted

Family

snakekeylogger

C2

https://api.telegram.org/bot6037842610:AAGtFhP2ARfeZprQQ-fc4jocpQJfZYmE3Vo/sendMessage?chat_id=5086753017

Signatures

  • Snake Keylogger

    Keylogger and Infostealer first seen in November 2020.

    stealerkeyloggersnakekeylogger
  • Snake Keylogger payload 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Inquiry Parts 2023-10.scr
    "C:\Users\Admin\AppData\Local\Temp\Inquiry Parts 2023-10.scr" /S
    1⤵
    • Adds Run key to start application
    • Suspicious use of SetThreadContext
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:100
    • C:\Users\Admin\AppData\Local\Temp\Inquiry Parts 2023-10.scr
      "C:\Users\Admin\AppData\Local\Temp\Inquiry Parts 2023-10.scr"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2344

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Inquiry Parts 2023-10.scr.log
    Filesize

    1KB

    MD5

    159a40ccfd419bd60a20a1c278edaafd

    SHA1

    09bc35e46135b6b44c609fe6514ab7e2c8696a99

    SHA256

    24487f4b6318683dcd81970e9f57fb45167575f687f7831a563176e20da657b6

    SHA512

    b5c5b8c23479afff6b72c37c2cc1204c079ae003bae586d082d2b05acfdab8753fea78c5e53f692e4a45aba6746703d9ca99a2d0fa7bd88a7f35a910d1ad1ff3

    Download Submit

  • memory/100-8-0x0000013C644E0000-0x0000013C644F0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/100-14-0x00007FFE9EC20000-0x00007FFE9F6E1000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/100-3-0x0000013C644E0000-0x0000013C644F0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/100-4-0x0000013C645F0000-0x0000013C64638000-memory.dmp

    Filesize

    288KB

    Download

  • memory/100-5-0x0000013C64680000-0x0000013C646B6000-memory.dmp

    Filesize

    216KB

    Download

  • memory/100-6-0x0000013C64730000-0x0000013C6477C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/100-2-0x00007FFE9EC20000-0x00007FFE9F6E1000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/100-0-0x0000013C49E90000-0x0000013C49F54000-memory.dmp

    Filesize

    784KB

    Download

  • memory/100-7-0x00007FFE9EC20000-0x00007FFE9F6E1000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/100-1-0x0000013C4BAD0000-0x0000013C4BAD8000-memory.dmp

    Filesize

    32KB

    Download

  • memory/2344-10-0x0000000140000000-0x0000000140020000-memory.dmp

    Filesize

    128KB

    Download

  • memory/2344-13-0x00007FFE9EC20000-0x00007FFE9F6E1000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/2344-15-0x000002291C4F0000-0x000002291C500000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2344-16-0x00007FFE9EC20000-0x00007FFE9F6E1000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/2344-17-0x000002291C4F0000-0x000002291C500000-memory.dmp

    Filesize

    64KB

    Download