Analysis
max time kernel: 117s
max time network: 123s
platform: windows7_x64
resource: win7-20230831-en
resource tags: arch:x64, arch:x86, image:win7-20230831-en, locale:en-us, os:windows7-x64, system
submitted: 11-10-2023 13:46
Static task: static1
Behavioral task: behavioral1
  Sample: c9f2aae3eae18a283ef2a868116c01d80c9e0e9588ae125c7e842f928d31acff.exe
  Resource: win7-20230831-en
Behavioral task: behavioral2
  Sample: c9f2aae3eae18a283ef2a868116c01d80c9e0e9588ae125c7e842f928d31acff.exe
  Resource: win10v2004-20230915-en
General
Target: c9f2aae3eae18a283ef2a868116c01d80c9e0e9588ae125c7e842f928d31acff.exe
Size: 692KB
MD5: f0683bb61a43a8dd7061dbd8ee3af88b
SHA1: c94587218dc3ce9bd66e7ebe23c720ca50afd989
SHA256: c9f2aae3eae18a283ef2a868116c01d80c9e0e9588ae125c7e842f928d31acff
SHA512: 7bc496ee73cbc6d5fa86edde2154c50cdc2aedc50fb98f368fecb30294888e1a59ec507d23a4b5b4ab2dee5dad22ea868caaea2e1b56d7e76f70b57567a5e2d7
SSDEEP: 12288:x8avfjKnHHYHq03Lytq3SRlW5cY26RTTmsp2TDNJ0/el69Q01ZLkrai9i+Plb5py:x8ef8HCbB2W57/TTmq2TDNJ0mM9NipgH
Malware Config
Extracted family: snakekeylogger
Protocol: smtp
Host: mail.gkas.com.tr
Port: 587
Username: [email protected]
Password: Gkasteknik@2022
Signatures

Snake Keylogger
Keylogger and Infostealer first seen in November 2020.

Snake Keylogger payload 3 IoCs
resource | yara_rule
behavioral1/memory/1116-22-0x0000000000400000-0x0000000000424000-memory.dmp | family_snakekeylogger
behavioral1/memory/1116-24-0x0000000000400000-0x0000000000424000-memory.dmp | family_snakekeylogger
behavioral1/memory/1116-26-0x0000000000400000-0x0000000000424000-memory.dmp | family_snakekeylogger

UAC bypass
Processes: svchost.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | svchost.exe

Windows security bypass
Processes: svchost.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths | svchost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\svchost.exe = "0" | svchost.exe

Executes dropped EXE 1 IoCs
Processes: svchost.exe
pid | process
2460 | svchost.exe

Loads dropped DLL 1 IoCs
Processes: cmd.exe
pid | process
2716 | cmd.exe

Windows security modification
Processes: svchost.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths | svchost.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions | svchost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\svchost.exe = "0" | svchost.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
Processes: jsc.exe
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | jsc.exe
Key opened | \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | jsc.exe
Key opened | \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | jsc.exe

Adds Run key to start application 2 TTPs 1 IoCs
Processes: c9f2aae3eae18a283ef2a868116c01d80c9e0e9588ae125c7e842f928d31acff.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost = "\"C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe\"" | c9f2aae3eae18a283ef2a868116c01d80c9e0e9588ae125c7e842f928d31acff.exe

Checks whether UAC is enabled
Processes: svchost.exe
description | ioc | process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | svchost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | svchost.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
4 | checkip.dyndns.org

Suspicious use of SetThreadContext 1 IoCs
Processes: svchost.exe
description | pid process | target process
PID 2460 set thread context of 1116 | 2460 svchost.exe | jsc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.

Delays execution with timeout.exe 1 IoCs
Processes: timeout.exe
pid | process
2780 | timeout.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs
Processes: c9f2aae3eae18a283ef2a868116c01d80c9e0e9588ae125c7e842f928d31acff.exe, svchost.exe, jsc.exe, powershell.exe
pid | process
2244 | c9f2aae3eae18a283ef2a868116c01d80c9e0e9588ae125c7e842f928d31acff.exe
2244 | c9f2aae3eae18a283ef2a868116c01d80c9e0e9588ae125c7e842f928d31acff.exe
2460 | svchost.exe
2460 | svchost.exe
2460 | svchost.exe
2460 | svchost.exe
1116 | jsc.exe
2428 | powershell.exe
1116 | jsc.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs
Processes: c9f2aae3eae18a283ef2a868116c01d80c9e0e9588ae125c7e842f928d31acff.exe, svchost.exe, jsc.exe, powershell.exe
description | pid | process
Token: SeDebugPrivilege | 2244 | c9f2aae3eae18a283ef2a868116c01d80c9e0e9588ae125c7e842f928d31acff.exe
Token: SeDebugPrivilege | 2460 | svchost.exe
Token: SeDebugPrivilege | 1116 | jsc.exe
Token: SeDebugPrivilege | 2428 | powershell.exe

Suspicious use of WriteProcessMemory 41 IoCs
Processes: c9f2aae3eae18a283ef2a868116c01d80c9e0e9588ae125c7e842f928d31acff.exe, cmd.exe, cmd.exe, svchost.exe
description | pid process | target process (identical entries collapsed, count in parentheses)
PID 2244 wrote to memory of 2340 | 2244 c9f2aae3eae18a283ef2a868116c01d80c9e0e9588ae125c7e842f928d31acff.exe | cmd.exe (4)
PID 2244 wrote to memory of 2716 | 2244 c9f2aae3eae18a283ef2a868116c01d80c9e0e9588ae125c7e842f928d31acff.exe | cmd.exe (4)
PID 2340 wrote to memory of 2936 | 2340 cmd.exe | schtasks.exe (4)
PID 2716 wrote to memory of 2780 | 2716 cmd.exe | timeout.exe (4)
PID 2716 wrote to memory of 2460 | 2716 cmd.exe | svchost.exe (4)
PID 2460 wrote to memory of 2428 | 2460 svchost.exe | powershell.exe (4)
PID 2460 wrote to memory of 2504 | 2460 svchost.exe | aspnet_compiler.exe (4)
PID 2460 wrote to memory of 2552 | 2460 svchost.exe | aspnet_wp.exe (4)
PID 2460 wrote to memory of 1116 | 2460 svchost.exe | jsc.exe (9)

System policy modification 1 TTPs 1 IoCs
Processes: svchost.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | svchost.exe

outlook_office_path 1 IoCs
Processes: jsc.exe
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | jsc.exe

outlook_win_path 1 IoCs
Processes: jsc.exe
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | jsc.exe
Processes

C:\Users\Admin\AppData\Local\Temp\c9f2aae3eae18a283ef2a868116c01d80c9e0e9588ae125c7e842f928d31acff.exe (PID 2244)
  Command line: "C:\Users\Admin\AppData\Local\Temp\c9f2aae3eae18a283ef2a868116c01d80c9e0e9588ae125c7e842f928d31acff.exe"
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\cmd.exe (PID 2340)
    Command line: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"' & exit
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\schtasks.exe (PID 2936)
      Command line: schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"'
      - Creates scheduled task(s)

  C:\Windows\SysWOW64\cmd.exe (PID 2716)
    Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp6BFC.tmp.bat""
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\timeout.exe (PID 2780)
      Command line: timeout 3
      - Delays execution with timeout.exe

    C:\Users\Admin\AppData\Roaming\svchost.exe (PID 2460)
      Command line: "C:\Users\Admin\AppData\Roaming\svchost.exe"
      - UAC bypass
      - Windows security bypass
      - Executes dropped EXE
      - Windows security modification
      - Checks whether UAC is enabled
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - System policy modification

      C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 2428)
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\svchost.exe" -Force
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

      C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe (PID 2504)
        Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"

      C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe (PID 2552)
        Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"

      C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe (PID 1116)
        Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
        - Accesses Microsoft Outlook profiles
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - outlook_office_path
        - outlook_win_path
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Scheduled Task/Job (1)
Privilege Escalation
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Scheduled Task/Job (1)
Downloads

Filesize: 151B (2 entries with identical hashes)
MD5: 45abcae9685213431296cff9f2c97bd1
SHA1: 3fbd47b4cb0924df4ff4800c1e92920bf712a254
SHA256: 794e2d39fb2fb12a3289f00fbb97a0eed65ff750ab2864ebf2d00b2f4b4a87b7
SHA512: 9e638239e9af5f2506c89129335a1184399d0fb9e27fe56d97cc38d1e6bd853853a798d262fc8c86f615237e42897e56f7e23b6a25812a4e795b909a1ef6dc5d

Filesize: 692KB (3 entries with identical hashes)
MD5: f0683bb61a43a8dd7061dbd8ee3af88b
SHA1: c94587218dc3ce9bd66e7ebe23c720ca50afd989
SHA256: c9f2aae3eae18a283ef2a868116c01d80c9e0e9588ae125c7e842f928d31acff
SHA512: 7bc496ee73cbc6d5fa86edde2154c50cdc2aedc50fb98f368fecb30294888e1a59ec507d23a4b5b4ab2dee5dad22ea868caaea2e1b56d7e76f70b57567a5e2d7