Analysis
max time kernel: 198s
max time network: 218s
platform: windows10-2004_x64
resource: win10v2004-20230915-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230915-en, locale:en-us, os:windows10-2004-x64, system
submitted: 11-10-2023 19:32
Static task: static1
Behavioral task: behavioral1
  Sample: Nhuhqpc.exe
  Resource: win7-20230831-en
Behavioral task: behavioral2
  Sample: Nhuhqpc.exe
  Resource: win10v2004-20230915-en
General
Target: Nhuhqpc.exe
Size: 171KB
MD5: 306561287324dcb749b051225c7ca686
SHA1: 715ac0c7eb48a0ff536be8c8e9cf16e3bb62e3cd
SHA256: 6caab57198e2e3cc5833f0b578e193c99230595f66ab98eb00f0fdae7d8c2c8a
SHA512: 578128194a04788bae0321645f8100a0216e801c1d60251b830add12f63f6feb4f0d562deea5cd64bbe453b744fa49590b514856613b2c3eaae167ea88575f43
SSDEEP: 1536:A1vldVVr/ETon7CdEZIPas6A5Adgl6nPUStsJhB9rMVcoXfRlXn:cYon7O/XigW6/wcoZl3
Malware Config
Extracted
snakekeylogger
https://api.telegram.org/bot6429805701:AAEngMg5r6ewcqgGwVjFKJpjYF7Sc8nwhxA/sendMessage?chat_id=5262627523
Signatures

Snake Keylogger
Keylogger and Infostealer first seen in November 2020.

Snake Keylogger payload (1 IoCs)
Processes:
resource | yara_rule
behavioral2/memory/4992-9-0x0000000140000000-0x0000000140022000-memory.dmp | family_snakekeylogger
Accesses Microsoft Outlook profiles (1 TTPs, 3 IoCs)
Processes: MSBuild.exe
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | MSBuild.exe
Key opened | \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | MSBuild.exe
Key opened | \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | MSBuild.exe
Adds Run key to start application (2 TTPs, 1 IoCs)
Processes: Nhuhqpc.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ssss = "C:\\Users\\Admin\\AppData\\Roaming\\ssss.exe" | Nhuhqpc.exe
Looks up external IP address via web service (1 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow | ioc
59 | checkip.dyndns.org
Suspicious use of SetThreadContext (1 IoCs)
Processes: Nhuhqpc.exe
description | pid | process | target process
PID 4112 set thread context of 4992 | 4112 | Nhuhqpc.exe | MSBuild.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes: MSBuild.exe
pid | process
4992 | MSBuild.exe
4992 | MSBuild.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes: Nhuhqpc.exe, MSBuild.exe
description | pid | process
Token: SeDebugPrivilege | 4112 | Nhuhqpc.exe
Token: SeDebugPrivilege | 4992 | MSBuild.exe
Suspicious use of WriteProcessMemory (6 IoCs)
Processes: Nhuhqpc.exe
description | pid | process | target process
PID 4112 wrote to memory of 4992 | 4112 | Nhuhqpc.exe | MSBuild.exe
PID 4112 wrote to memory of 4992 | 4112 | Nhuhqpc.exe | MSBuild.exe
PID 4112 wrote to memory of 4992 | 4112 | Nhuhqpc.exe | MSBuild.exe
PID 4112 wrote to memory of 4992 | 4112 | Nhuhqpc.exe | MSBuild.exe
PID 4112 wrote to memory of 4992 | 4112 | Nhuhqpc.exe | MSBuild.exe
PID 4112 wrote to memory of 4992 | 4112 | Nhuhqpc.exe | MSBuild.exe
outlook_office_path (1 IoCs)
Processes: MSBuild.exe
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | MSBuild.exe
outlook_win_path (1 IoCs)
Processes: MSBuild.exe
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | MSBuild.exe
Processes

Level 1: C:\Users\Admin\AppData\Local\Temp\Nhuhqpc.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Nhuhqpc.exe"
  PID: 4112
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  Level 2: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
    Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
    PID: 4992
    - Accesses Microsoft Outlook profiles
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path