Analysis
- max time kernel: 118s
- max time network: 125s
- platform: windows7_x64
- resource: win7-20230831-en
- resource tags: arch:x64, arch:x86, image:win7-20230831-en, locale:en-us, os:windows7-x64, system
- submitted: 05-10-2023 08:39
Static task: static1
Behavioral task: behavioral1
- Sample: SALESINVOICE0989-98656890.exe
- Resource: win7-20230831-en
Behavioral task: behavioral2
- Sample: SALESINVOICE0989-98656890.exe
- Resource: win10v2004-20230915-en
General
- Target: SALESINVOICE0989-98656890.exe
- Size: 326KB
- MD5: a3f30742d129cec41cc7855cbd20403d
- SHA1: 110cbb3899289b0f480a6bc641af892afb2568e3
- SHA256: 041c5a311445f3041b528f16d36805cb3c60320c2b79c8c8f43aee32e46e48ab
- SHA512: a7569a005efe96eeb5f707678492f8260944d60674b01cbabc377a23a38150d1b4a0a23c1aca4f1c31064fdafd45d6e7694bb3c9e3942e54f04b587a7dc03469
- SSDEEP: 6144:UnPdudwD/EVDiex5+9CbK7ARtOEhmz13Nr2aRzSPa+YwIAWILW7:UnPdLbej+Qe7DSc13NKaoY97
Malware Config
Signatures
- Snake Keylogger
  Keylogger and Infostealer first seen in November 2020.
- Snake Keylogger payload (5 IoCs)
  Processes (resource / yara_rule):
  - behavioral1/memory/2304-11-0x0000000000400000-0x0000000000437000-memory.dmp: family_snakekeylogger
  - behavioral1/memory/2304-15-0x0000000000400000-0x0000000000437000-memory.dmp: family_snakekeylogger
  - behavioral1/memory/2304-16-0x0000000000400000-0x0000000000437000-memory.dmp: family_snakekeylogger
  - behavioral1/memory/2304-19-0x0000000000250000-0x0000000000274000-memory.dmp: family_snakekeylogger
  - behavioral1/memory/2304-20-0x0000000002370000-0x00000000023B0000-memory.dmp: family_snakekeylogger
- Executes dropped EXE (2 IoCs)
  Processes (pid / process):
  - 2684 hzjflmil.exe
  - 2304 hzjflmil.exe
- Loads dropped DLL (2 IoCs)
  Processes (pid / process):
  - 2288 SALESINVOICE0989-98656890.exe
  - 2684 hzjflmil.exe
- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk where infostealers will often target it.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses Microsoft Outlook profiles (1 TTPs, 3 IoCs)
  Processes (description / ioc / process):
  - Key opened \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (hzjflmil.exe)
  - Key opened \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (hzjflmil.exe)
  - Key opened \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (hzjflmil.exe)
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes (description / ioc / process):
  - Set value (str) \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows\CurrentVersion\Run\pluueaajff = "C:\\Users\\Admin\\AppData\\Roaming\\foktto\\xxhddmvvrbbwgp.exe \"C:\\Users\\Admin\\AppData\\Local\\Temp\\hzjflmil.exe\" " (hzjflmil.exe)
- Looks up external IP address via web service (1 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes (flow / ioc):
  - flow 4: checkip.dyndns.org
- Suspicious use of SetThreadContext (1 IoCs)
  Processes (description / pid / process / target process):
  - PID 2684 set thread context of 2304 (hzjflmil.exe -> hzjflmil.exe)
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes (pid / process):
  - 2304 hzjflmil.exe
  - 2304 hzjflmil.exe
- Suspicious behavior: MapViewOfSection (1 IoCs)
  Processes (pid / process):
  - 2684 hzjflmil.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes (description / pid / process):
  - Token: SeDebugPrivilege, 2304 hzjflmil.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes (description / pid / process / target process):
  - PID 2288 wrote to memory of 2684 (SALESINVOICE0989-98656890.exe -> hzjflmil.exe), recorded 4 times
  - PID 2684 wrote to memory of 2304 (hzjflmil.exe -> hzjflmil.exe), recorded 5 times
- outlook_office_path (1 IoCs)
  Processes (description / ioc / process):
  - Key opened \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (hzjflmil.exe)
- outlook_win_path (1 IoCs)
  Processes (description / ioc / process):
  - Key opened \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (hzjflmil.exe)
Processes
- C:\Users\Admin\AppData\Local\Temp\SALESINVOICE0989-98656890.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\SALESINVOICE0989-98656890.exe"
  PID: 2288
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\hzjflmil.exe (depth 2, child of PID 2288)
    Command line: "C:\Users\Admin\AppData\Local\Temp\hzjflmil.exe"
    PID: 2684
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\hzjflmil.exe (depth 3, child of PID 2684)
      Command line: "C:\Users\Admin\AppData\Local\Temp\hzjflmil.exe"
      PID: 2304
      - Executes dropped EXE
      - Accesses Microsoft Outlook profiles
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - outlook_office_path
      - outlook_win_path
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 223KB
  MD5: f93d3fed09bc17061d9091faa5d64670
  SHA1: 31638e50ba3cd6fba2fea531b1758ede81c8ee94
  SHA256: ce15106565518b3d2aa69c8df1bbfff59696f04331d3f15e11740450b484596a
  SHA512: 8863288fd04a86af01a18ee1ba95707981d74b397d685c986fe29c0cab97f6f480fc5c51f40af57a27cff1c88d5c0ab65d5a44b627e925c8c2519b5c3c26dc02
- Filesize: 167KB
  MD5: 6b227882b2c28140a651f173b7d75455
  SHA1: 6b94c3c9df8e117ba34904bdbdb0c1151cb77196
  SHA256: 5ee27e21cc6f3a38c31ae0f0968040b7bd4edf4d51b556665bbd8c78910cbd47
  SHA512: e81b4eea11b535759910ef7ee59111d0a85b93f50f91bfe74921abf3b3b8afdc5e0fe785f874f0768e41b78b17515e6cf57186f61bd8af54abe07ebdc852df45