Analysis
- max time kernel: 165s
- max time network: 170s
- platform: windows10-2004_x64
- resource: win10v2004-20230915-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230915-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 11-10-2023 19:25
Static task: static1
Behavioral task: behavioral1
- Sample: 04cb26da2d9222bf9204ad1f2307310c.exe
- Resource: win7-20230831-en
Behavioral task: behavioral2
- Sample: 04cb26da2d9222bf9204ad1f2307310c.exe
- Resource: win10v2004-20230915-en
General
- Target: 04cb26da2d9222bf9204ad1f2307310c.exe
- Size: 679KB
- MD5: 04cb26da2d9222bf9204ad1f2307310c
- SHA1: e80af5a2284c9cc5ec51315b8b95a5aecf62b449
- SHA256: bce910742ec10a1cdffe6c194b65c2a66980dff76b5fdc56c46a6d9a9f41d48a
- SHA512: 528c78b8e02ecf36c85c4d0c023d57302efa6206d7e5caefb60c764fe648984faaaa434906e9014b54b5fa5a28169a8b6fc0da4a11c7e1529086017f6965b8e6
- SSDEEP: 12288:Kj40L5klf7Lr0QnQ3Ei9PyMHpEIKUFO2xgOZK7YDeCNAmC:KTLKjLr0QnQ1MoECksCCNAmC
Malware Config
Extracted
- Family: snakekeylogger
- C2: https://api.telegram.org/bot6076917727:AAGbsf1c44EC0CR26JUQPsvvVqX6Ki5kb9k/sendMessage?chat_id=6282564049
Signatures
- Snake Keylogger
  Keylogger and Infostealer first seen in November 2020.
- Snake Keylogger payload (1 IoC)
  Processes:
    resource: behavioral2/memory/4208-20-0x0000000000400000-0x0000000000426000-memory.dmp
    yara_rule: family_snakekeylogger
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes:
    description: Key value queried
    ioc: \REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Control Panel\International\Geo\Nation
    process: 04cb26da2d9222bf9204ad1f2307310c.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
  Processes:
    description: Key opened
    ioc: \REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
    process: 04cb26da2d9222bf9204ad1f2307310c.exe
    description: Key opened
    ioc: \REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
    process: 04cb26da2d9222bf9204ad1f2307310c.exe
    description: Key opened
    ioc: \REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
    process: 04cb26da2d9222bf9204ad1f2307310c.exe
- Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes:
    flow: 66
    ioc: checkip.dyndns.org
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
    description: PID 4968 set thread context of 4208
    pid: 4968
    process: 04cb26da2d9222bf9204ad1f2307310c.exe
    target process: 04cb26da2d9222bf9204ad1f2307310c.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Program crash (1 IoC)
  Processes:
    pid: 4912
    pid_target: 4208
    process: WerFault.exe
    target process: 04cb26da2d9222bf9204ad1f2307310c.exe
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses (12 IoCs)
  Processes:
    pid: 4968, process: 04cb26da2d9222bf9204ad1f2307310c.exe (8 entries)
    pid: 4208, process: 04cb26da2d9222bf9204ad1f2307310c.exe (2 entries)
    pid: 220, process: powershell.exe (2 entries)
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes:
    description: Token: SeDebugPrivilege, pid: 4968, process: 04cb26da2d9222bf9204ad1f2307310c.exe
    description: Token: SeDebugPrivilege, pid: 4208, process: 04cb26da2d9222bf9204ad1f2307310c.exe
    description: Token: SeDebugPrivilege, pid: 220, process: powershell.exe
- Suspicious use of WriteProcessMemory (14 IoCs)
  Processes:
    description: PID 4968 wrote to memory of 220, pid: 4968, process: 04cb26da2d9222bf9204ad1f2307310c.exe, target process: powershell.exe (3 entries)
    description: PID 4968 wrote to memory of 1400, pid: 4968, process: 04cb26da2d9222bf9204ad1f2307310c.exe, target process: schtasks.exe (3 entries)
    description: PID 4968 wrote to memory of 4208, pid: 4968, process: 04cb26da2d9222bf9204ad1f2307310c.exe, target process: 04cb26da2d9222bf9204ad1f2307310c.exe (8 entries)
- outlook_office_path (1 IoC)
  Processes:
    description: Key opened
    ioc: \REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
    process: 04cb26da2d9222bf9204ad1f2307310c.exe
- outlook_win_path (1 IoC)
  Processes:
    description: Key opened
    ioc: \REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
    process: 04cb26da2d9222bf9204ad1f2307310c.exe
Processes
- (level 1) C:\Users\Admin\AppData\Local\Temp\04cb26da2d9222bf9204ad1f2307310c.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\04cb26da2d9222bf9204ad1f2307310c.exe"
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 4968
  - (level 2) C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\TiEZzc.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 220
  - (level 2) C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\TiEZzc" /XML "C:\Users\Admin\AppData\Local\Temp\tmp9A81.tmp"
    - Creates scheduled task(s)
    PID: 1400
  - (level 2) C:\Users\Admin\AppData\Local\Temp\04cb26da2d9222bf9204ad1f2307310c.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\04cb26da2d9222bf9204ad1f2307310c.exe"
    - Accesses Microsoft Outlook profiles
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path
    PID: 4208
    - (level 3) C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4208 -s 1480
      - Program crash
      PID: 4912
- (level 1) C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 372 -p 4208 -ip 4208
  PID: 1896
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\04cb26da2d9222bf9204ad1f2307310c.exe.log
  Filesize: 1KB
  MD5: 8ec831f3e3a3f77e4a7b9cd32b48384c
  SHA1: d83f09fd87c5bd86e045873c231c14836e76a05c
  SHA256: 7667e538030e3f8ce2886e47a01af24cb0ea70528b1e821c5d8832c5076cb982
  SHA512: 26bffa2406b66368bd412bf25869a792631455645992cdcade2dbc13a2e56fb546414a6a9223b94c96c38d89187add6678d4779a88b38b0c9e36be8527b213c3
- Filesize: 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
- Filesize: 1KB
  MD5: ec33d019de1bb7f186e7eafd82aaba95
  SHA1: 6a96c1fbe3d41d92ef64aba134fa39951c767b75
  SHA256: 278c93c12e08e245986fe334cd5f632702172238483e647e1579c92f791d873a
  SHA512: 4d5f1edc304fa27f3b7b264926543799a5ec5e921b063c3cc0992831895e52c0966ec6ed77679af77016025f18f2c752e21578e72546cd1443f0901733abe3c8