Analysis
- max time kernel: 78s
- max time network: 155s
- platform: windows10-2004_x64
- resource: win10v2004-20230915-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230915-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 11-10-2023 19:26
Static task: static1
Behavioral task: behavioral1
- Sample: Nhuhqpc.exe
- Resource: win7-20230831-en
Behavioral task: behavioral2
- Sample: Nhuhqpc.exe
- Resource: win10v2004-20230915-en
General
- Target: Nhuhqpc.exe
- Size: 171KB
- MD5: 306561287324dcb749b051225c7ca686
- SHA1: 715ac0c7eb48a0ff536be8c8e9cf16e3bb62e3cd
- SHA256: 6caab57198e2e3cc5833f0b578e193c99230595f66ab98eb00f0fdae7d8c2c8a
- SHA512: 578128194a04788bae0321645f8100a0216e801c1d60251b830add12f63f6feb4f0d562deea5cd64bbe453b744fa49590b514856613b2c3eaae167ea88575f43
- SSDEEP: 1536:A1vldVVr/ETon7CdEZIPas6A5Adgl6nPUStsJhB9rMVcoXfRlXn:cYon7O/XigW6/wcoZl3
Malware Config
Extracted
- Family: snakekeylogger
- URL: https://api.telegram.org/bot6429805701:AAEngMg5r6ewcqgGwVjFKJpjYF7Sc8nwhxA/sendMessage?chat_id=5262627523
Signatures

Snake Keylogger
Keylogger and Infostealer first seen in November 2020.

Snake Keylogger payload (2 IoCs)
Resource / YARA rule:
- behavioral2/memory/3472-9-0x0000000140000000-0x0000000140022000-memory.dmp: family_snakekeylogger
- behavioral2/memory/3472-13-0x0000026B75BA0000-0x0000026B75BB0000-memory.dmp: family_snakekeylogger

Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
Processes: MSBuild.exe
Description / IoC / process:
- Key opened: \REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (MSBuild.exe)
- Key opened: \REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (MSBuild.exe)
- Key opened: \REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (MSBuild.exe)

Adds Run key to start application (2 TTPs, 1 IoC)
Processes: Nhuhqpc.exe
Description / IoC / process:
- Set value (str): \REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ssss = "C:\\Users\\Admin\\AppData\\Roaming\\ssss.exe" (Nhuhqpc.exe)

Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
Flow / IoC:
- flow 65: checkip.dyndns.org

Suspicious use of SetThreadContext (1 IoC)
Processes: Nhuhqpc.exe
Description / PID / process / target process:
- PID 1048 (Nhuhqpc.exe) set thread context of PID 3472 (MSBuild.exe)

Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes: MSBuild.exe
PID / process:
- 3472 MSBuild.exe
- 3472 MSBuild.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes: Nhuhqpc.exe, MSBuild.exe
Description / PID / process:
- Token: SeDebugPrivilege, PID 1048 (Nhuhqpc.exe)
- Token: SeDebugPrivilege, PID 3472 (MSBuild.exe)

Suspicious use of WriteProcessMemory (6 IoCs)
Processes: Nhuhqpc.exe
Description / PID / process / target process:
- PID 1048 (Nhuhqpc.exe) wrote to memory of PID 3472 (MSBuild.exe); this event is recorded 6 times

outlook_office_path (1 IoC)
Processes: MSBuild.exe
Description / IoC / process:
- Key opened: \REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (MSBuild.exe)

outlook_win_path (1 IoC)
Processes: MSBuild.exe
Description / IoC / process:
- Key opened: \REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (MSBuild.exe)
Processes

1. C:\Users\Admin\AppData\Local\Temp\Nhuhqpc.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\Nhuhqpc.exe"
   PID: 1048
   - Adds Run key to start application
   - Suspicious use of SetThreadContext
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory

2. C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe (child of process 1)
   Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
   PID: 3472
   - Accesses Microsoft Outlook profiles
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - outlook_office_path
   - outlook_win_path