Overview

overview

10

Static

static

1

c9f2aae3ea...ff.exe

windows7-x64

10

c9f2aae3ea...ff.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    117s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20230831-en
  • resource tags

    arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
  • submitted
    11-10-2023 13:46

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    c9f2aae3eae18a283ef2a868116c01d80c9e0e9588ae125c7e842f928d31acff.exe

  • Size

    692KB

  • MD5

    f0683bb61a43a8dd7061dbd8ee3af88b

  • SHA1

    c94587218dc3ce9bd66e7ebe23c720ca50afd989

  • SHA256

    c9f2aae3eae18a283ef2a868116c01d80c9e0e9588ae125c7e842f928d31acff

  • SHA512

    7bc496ee73cbc6d5fa86edde2154c50cdc2aedc50fb98f368fecb30294888e1a59ec507d23a4b5b4ab2dee5dad22ea868caaea2e1b56d7e76f70b57567a5e2d7

  • SSDEEP

    12288:x8avfjKnHHYHq03Lytq3SRlW5cY26RTTmsp2TDNJ0/el69Q01ZLkrai9i+Plb5py:x8ef8HCbB2W57/TTmq2TDNJ0mM9NipgH

Score
10/10
snakekeyloggercollectionevasionkeyloggerpersistencestealertrojan

Malware Config

Extracted

Family

snakekeylogger

Credentials

  • Protocol:     smtp
  • Host:
    mail.gkas.com.tr
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    Gkasteknik@2022

Signatures

  • Snake Keylogger

    Keylogger and Infostealer first seen in November 2020.

    stealerkeyloggersnakekeylogger
  • Snake Keylogger payload 3 IoCs
  • UAC bypass 3 TTPs 1 IoCs
    evasiontrojan
  • Windows security bypass 2 TTPs 2 IoCs
    evasiontrojan
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Windows security modification 2 TTPs 3 IoCs
    evasiontrojan
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 2 IoCs
    evasiontrojan
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Suspicious behavior: EnumeratesProcesses 9 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 41 IoCs
  • System policy modification 1 TTPs 1 IoCs
    evasion
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c9f2aae3eae18a283ef2a868116c01d80c9e0e9588ae125c7e842f928d31acff.exe
    "C:\Users\Admin\AppData\Local\Temp\c9f2aae3eae18a283ef2a868116c01d80c9e0e9588ae125c7e842f928d31acff.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2244
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"' & exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2340
      • C:\Windows\SysWOW64\schtasks.exe
        schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"'
        3⤵
        • Creates scheduled task(s)
        PID:2936
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp6BFC.tmp.bat""
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:2716
      • C:\Windows\SysWOW64\timeout.exe
        timeout 3
        3⤵
        • Delays execution with timeout.exe
        PID:2780
      • C:\Users\Admin\AppData\Roaming\svchost.exe
        "C:\Users\Admin\AppData\Roaming\svchost.exe"
        3⤵
        • UAC bypass
        • Windows security bypass
        • Executes dropped EXE
        • Windows security modification
        • Checks whether UAC is enabled
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        • System policy modification
        PID:2460
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\svchost.exe" -Force
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2428
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
          4⤵
            PID:2504
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
            4⤵
              PID:2552
            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
              "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
              4⤵
              • Accesses Microsoft Outlook profiles
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              • outlook_office_path
              • outlook_win_path
              PID:1116

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\tmp6BFC.tmp.bat
        Filesize

        151B

        MD5

        45abcae9685213431296cff9f2c97bd1

        SHA1

        3fbd47b4cb0924df4ff4800c1e92920bf712a254

        SHA256

        794e2d39fb2fb12a3289f00fbb97a0eed65ff750ab2864ebf2d00b2f4b4a87b7

        SHA512

        9e638239e9af5f2506c89129335a1184399d0fb9e27fe56d97cc38d1e6bd853853a798d262fc8c86f615237e42897e56f7e23b6a25812a4e795b909a1ef6dc5d

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\tmp6BFC.tmp.bat
        Filesize

        151B

        MD5

        45abcae9685213431296cff9f2c97bd1

        SHA1

        3fbd47b4cb0924df4ff4800c1e92920bf712a254

        SHA256

        794e2d39fb2fb12a3289f00fbb97a0eed65ff750ab2864ebf2d00b2f4b4a87b7

        SHA512

        9e638239e9af5f2506c89129335a1184399d0fb9e27fe56d97cc38d1e6bd853853a798d262fc8c86f615237e42897e56f7e23b6a25812a4e795b909a1ef6dc5d

        Download Submit

      • C:\Users\Admin\AppData\Roaming\svchost.exe
        Filesize

        692KB

        MD5

        f0683bb61a43a8dd7061dbd8ee3af88b

        SHA1

        c94587218dc3ce9bd66e7ebe23c720ca50afd989

        SHA256

        c9f2aae3eae18a283ef2a868116c01d80c9e0e9588ae125c7e842f928d31acff

        SHA512

        7bc496ee73cbc6d5fa86edde2154c50cdc2aedc50fb98f368fecb30294888e1a59ec507d23a4b5b4ab2dee5dad22ea868caaea2e1b56d7e76f70b57567a5e2d7

        Download Submit

      • C:\Users\Admin\AppData\Roaming\svchost.exe
        Filesize

        692KB

        MD5

        f0683bb61a43a8dd7061dbd8ee3af88b

        SHA1

        c94587218dc3ce9bd66e7ebe23c720ca50afd989

        SHA256

        c9f2aae3eae18a283ef2a868116c01d80c9e0e9588ae125c7e842f928d31acff

        SHA512

        7bc496ee73cbc6d5fa86edde2154c50cdc2aedc50fb98f368fecb30294888e1a59ec507d23a4b5b4ab2dee5dad22ea868caaea2e1b56d7e76f70b57567a5e2d7

        Download Submit

      • \Users\Admin\AppData\Roaming\svchost.exe
        Filesize

        692KB

        MD5

        f0683bb61a43a8dd7061dbd8ee3af88b

        SHA1

        c94587218dc3ce9bd66e7ebe23c720ca50afd989

        SHA256

        c9f2aae3eae18a283ef2a868116c01d80c9e0e9588ae125c7e842f928d31acff

        SHA512

        7bc496ee73cbc6d5fa86edde2154c50cdc2aedc50fb98f368fecb30294888e1a59ec507d23a4b5b4ab2dee5dad22ea868caaea2e1b56d7e76f70b57567a5e2d7

        Download Submit

      • memory/1116-24-0x0000000000400000-0x0000000000424000-memory.dmp

        Filesize

        144KB

        Download

      • memory/1116-22-0x0000000000400000-0x0000000000424000-memory.dmp

        Filesize

        144KB

        Download

      • memory/1116-31-0x00000000043C0000-0x0000000004400000-memory.dmp

        Filesize

        256KB

        Download

      • memory/1116-27-0x0000000074B00000-0x00000000751EE000-memory.dmp

        Filesize

        6.9MB

        Download

      • memory/1116-26-0x0000000000400000-0x0000000000424000-memory.dmp

        Filesize

        144KB

        Download

      • memory/1116-36-0x0000000074B00000-0x00000000751EE000-memory.dmp

        Filesize

        6.9MB

        Download

      • memory/2244-2-0x00000000048D0000-0x0000000004910000-memory.dmp

        Filesize

        256KB

        Download

      • memory/2244-0-0x0000000074B50000-0x000000007523E000-memory.dmp

        Filesize

        6.9MB

        Download

      • memory/2244-1-0x0000000000030000-0x00000000000E2000-memory.dmp

        Filesize

        712KB

        Download

      • memory/2244-4-0x0000000000490000-0x00000000004AA000-memory.dmp

        Filesize

        104KB

        Download

      • memory/2244-3-0x00000000047F0000-0x0000000004860000-memory.dmp

        Filesize

        448KB

        Download

      • memory/2244-14-0x0000000074B50000-0x000000007523E000-memory.dmp

        Filesize

        6.9MB

        Download

      • memory/2428-32-0x0000000070380000-0x000000007092B000-memory.dmp

        Filesize

        5.7MB

        Download

      • memory/2428-34-0x0000000002570000-0x00000000025B0000-memory.dmp

        Filesize

        256KB

        Download

      • memory/2428-35-0x0000000070380000-0x000000007092B000-memory.dmp

        Filesize

        5.7MB

        Download

      • memory/2428-33-0x0000000070380000-0x000000007092B000-memory.dmp

        Filesize

        5.7MB

        Download

      • memory/2460-18-0x0000000000130000-0x00000000001E2000-memory.dmp

        Filesize

        712KB

        Download

      • memory/2460-28-0x0000000074B00000-0x00000000751EE000-memory.dmp

        Filesize

        6.9MB

        Download

      • memory/2460-21-0x00000000006F0000-0x000000000070A000-memory.dmp

        Filesize

        104KB

        Download

      • memory/2460-20-0x0000000004B20000-0x0000000004B60000-memory.dmp

        Filesize

        256KB

        Download

      • memory/2460-19-0x0000000074B00000-0x00000000751EE000-memory.dmp

        Filesize

        6.9MB

        Download