Analysis
- max time kernel: 137s
- max time network: 130s
- platform: windows10-2004_x64
- resource: win10v2004-20230915-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230915-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 06-10-2023 12:11
Static task: static1
Behavioral task: behavioral1
- Sample: 041c5a311445f3041b528f16d36805cb3c60320c2b79c8c8f43aee32e46e48ab_JC.exe
- Resource: win7-20230831-en
Behavioral task: behavioral2
- Sample: 041c5a311445f3041b528f16d36805cb3c60320c2b79c8c8f43aee32e46e48ab_JC.exe
- Resource: win10v2004-20230915-en
General
- Target: 041c5a311445f3041b528f16d36805cb3c60320c2b79c8c8f43aee32e46e48ab_JC.exe
- Size: 326KB
- MD5: a3f30742d129cec41cc7855cbd20403d
- SHA1: 110cbb3899289b0f480a6bc641af892afb2568e3
- SHA256: 041c5a311445f3041b528f16d36805cb3c60320c2b79c8c8f43aee32e46e48ab
- SHA512: a7569a005efe96eeb5f707678492f8260944d60674b01cbabc377a23a38150d1b4a0a23c1aca4f1c31064fdafd45d6e7694bb3c9e3942e54f04b587a7dc03469
- SSDEEP: 6144:UnPdudwD/EVDiex5+9CbK7ARtOEhmz13Nr2aRzSPa+YwIAWILW7:UnPdLbej+Qe7DSc13NKaoY97
Malware Config
Signatures
-
Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
-
Snake Keylogger payload (6 IoCs)
Processes:
resource | yara_rule
behavioral2/memory/4148-8-0x0000000000400000-0x0000000000437000-memory.dmp | family_snakekeylogger
behavioral2/memory/4148-11-0x0000000000400000-0x0000000000437000-memory.dmp | family_snakekeylogger
behavioral2/memory/4148-10-0x0000000000400000-0x0000000000437000-memory.dmp | family_snakekeylogger
behavioral2/memory/4148-12-0x0000000000400000-0x0000000000437000-memory.dmp | family_snakekeylogger
behavioral2/memory/4148-16-0x00000000027B0000-0x00000000027D4000-memory.dmp | family_snakekeylogger
behavioral2/memory/4148-17-0x0000000004E80000-0x0000000004E90000-memory.dmp | family_snakekeylogger
-
Executes dropped EXE (2 IoCs)
Processes:
pid | process
1516 | hzjflmil.exe
4148 | hzjflmil.exe
-
Reads user/profile data of local email clients (2 TTPs)
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
Processes:
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | hzjflmil.exe
Key opened | \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | hzjflmil.exe
Key opened | \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | hzjflmil.exe
-
Adds Run key to start application (2 TTPs, 1 IoC)
Processes:
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pluueaajff = "C:\\Users\\Admin\\AppData\\Roaming\\foktto\\xxhddmvvrbbwgp.exe \"C:\\Users\\Admin\\AppData\\Local\\Temp\\hzjflmil.exe\" " | hzjflmil.exe
-
Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow | ioc
37 | checkip.dyndns.org
-
Suspicious use of SetThreadContext (1 IoC)
Processes:
description | pid | process | target process
PID 1516 set thread context of 4148 | 1516 | hzjflmil.exe | hzjflmil.exe
-
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes:
pid | process
4148 | hzjflmil.exe
4148 | hzjflmil.exe
-
Suspicious behavior: MapViewOfSection (1 IoC)
Processes:
pid | process
1516 | hzjflmil.exe
-
Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
description | pid | process
Token: SeDebugPrivilege | 4148 | hzjflmil.exe
-
Suspicious use of WriteProcessMemory (7 IoCs)
Processes:
description | pid | process | target process
PID 4144 wrote to memory of 1516 | 4144 | 041c5a311445f3041b528f16d36805cb3c60320c2b79c8c8f43aee32e46e48ab_JC.exe | hzjflmil.exe
PID 4144 wrote to memory of 1516 | 4144 | 041c5a311445f3041b528f16d36805cb3c60320c2b79c8c8f43aee32e46e48ab_JC.exe | hzjflmil.exe
PID 4144 wrote to memory of 1516 | 4144 | 041c5a311445f3041b528f16d36805cb3c60320c2b79c8c8f43aee32e46e48ab_JC.exe | hzjflmil.exe
PID 1516 wrote to memory of 4148 | 1516 | hzjflmil.exe | hzjflmil.exe
PID 1516 wrote to memory of 4148 | 1516 | hzjflmil.exe | hzjflmil.exe
PID 1516 wrote to memory of 4148 | 1516 | hzjflmil.exe | hzjflmil.exe
PID 1516 wrote to memory of 4148 | 1516 | hzjflmil.exe | hzjflmil.exe
-
outlook_office_path (1 IoC)
Processes:
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | hzjflmil.exe
-
outlook_win_path (1 IoC)
Processes:
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | hzjflmil.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\041c5a311445f3041b528f16d36805cb3c60320c2b79c8c8f43aee32e46e48ab_JC.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\041c5a311445f3041b528f16d36805cb3c60320c2b79c8c8f43aee32e46e48ab_JC.exe"
  - Suspicious use of WriteProcessMemory
  PID: 4144
  - C:\Users\Admin\AppData\Local\Temp\hzjflmil.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\hzjflmil.exe"
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID: 1516
    - C:\Users\Admin\AppData\Local\Temp\hzjflmil.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\hzjflmil.exe"
      - Executes dropped EXE
      - Accesses Microsoft Outlook profiles
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - outlook_office_path
      - outlook_win_path
      PID: 4148
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 223KB
  MD5: f93d3fed09bc17061d9091faa5d64670
  SHA1: 31638e50ba3cd6fba2fea531b1758ede81c8ee94
  SHA256: ce15106565518b3d2aa69c8df1bbfff59696f04331d3f15e11740450b484596a
  SHA512: 8863288fd04a86af01a18ee1ba95707981d74b397d685c986fe29c0cab97f6f480fc5c51f40af57a27cff1c88d5c0ab65d5a44b627e925c8c2519b5c3c26dc02
- Filesize: 167KB
  MD5: 6b227882b2c28140a651f173b7d75455
  SHA1: 6b94c3c9df8e117ba34904bdbdb0c1151cb77196
  SHA256: 5ee27e21cc6f3a38c31ae0f0968040b7bd4edf4d51b556665bbd8c78910cbd47
  SHA512: e81b4eea11b535759910ef7ee59111d0a85b93f50f91bfe74921abf3b3b8afdc5e0fe785f874f0768e41b78b17515e6cf57186f61bd8af54abe07ebdc852df45