Analysis
- max time kernel: 118s
- max time network: 129s
- platform: windows7_x64
- resource: win7-20230831-en
- resource tags: arch:x64, arch:x86, image:win7-20230831-en, locale:en-us, os:windows7-x64, system
- submitted: 12-10-2023 02:10
Static task: static1
Behavioral task: behavioral1
- Sample: fb6436801517f4cb1748ba4bf9df2df4.exe
- Resource: win7-20230831-en
Behavioral task: behavioral2
- Sample: fb6436801517f4cb1748ba4bf9df2df4.exe
- Resource: win10v2004-20230915-en
General
- Target: fb6436801517f4cb1748ba4bf9df2df4.exe
- Size: 542KB
- MD5: fb6436801517f4cb1748ba4bf9df2df4
- SHA1: 2c36e323268892dc7f9987fb5200ee1fb2336df0
- SHA256: f8e42f0b33b357352164af46809b4ba2fd3f213059b4f7d1a38c9df1e84e6b12
- SHA512: 77140f0e92be4f7b931f33949ef4640b8d02bebcc43e0aec97618eb731efb07acb0648efcc10af630f2440bc2c8fa45b3862b8d77ce5c3f9d908ac9b22bf6977
- SSDEEP: 12288:5tHparD6dh85k4Y5hLZwi3qjnb7svMufuul8ZxeizmFzx:h4Dqh5LPwi3YnsUufuLnRmH
Malware Config
Extracted
- snakekeylogger
- https://api.telegram.org/bot6316392918:AAHcjKTVDupG6SMH3LkXAeVBgHKlqsAcmRU/sendMessage?chat_id=6445748530
Signatures
- Snake Keylogger
  Keylogger and Infostealer first seen in November 2020.
- Snake Keylogger payload (6 IoCs)
  Processes:
    resource                                                                      yara_rule
    behavioral1/memory/2060-25-0x0000000000400000-0x0000000000426000-memory.dmp   family_snakekeylogger
    behavioral1/memory/2060-27-0x0000000000400000-0x0000000000426000-memory.dmp   family_snakekeylogger
    behavioral1/memory/2060-31-0x0000000000400000-0x0000000000426000-memory.dmp   family_snakekeylogger
    behavioral1/memory/2060-33-0x0000000000400000-0x0000000000426000-memory.dmp   family_snakekeylogger
    behavioral1/memory/2060-36-0x0000000000400000-0x0000000000426000-memory.dmp   family_snakekeylogger
    behavioral1/memory/2624-39-0x0000000002780000-0x00000000027C0000-memory.dmp   family_snakekeylogger
- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk, which infostealers often target.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials and similar secrets.
- Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
  Processes: fb6436801517f4cb1748ba4bf9df2df4.exe
    description: Key opened
    ioc: \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
    process: fb6436801517f4cb1748ba4bf9df2df4.exe

    description: Key opened
    ioc: \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
    process: fb6436801517f4cb1748ba4bf9df2df4.exe

    description: Key opened
    ioc: \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
    process: fb6436801517f4cb1748ba4bf9df2df4.exe
- Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes:
    flow   ioc
    4      checkip.dyndns.org
- Suspicious use of SetThreadContext (1 IoC)
  Processes: fb6436801517f4cb1748ba4bf9df2df4.exe
    description: PID 2372 set thread context of 2060
    pid: 2372
    process: fb6436801517f4cb1748ba4bf9df2df4.exe
    target process: fb6436801517f4cb1748ba4bf9df2df4.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses (6 IoCs)
  Processes: fb6436801517f4cb1748ba4bf9df2df4.exe, fb6436801517f4cb1748ba4bf9df2df4.exe, powershell.exe, powershell.exe
    pid    process
    2372   fb6436801517f4cb1748ba4bf9df2df4.exe
    2372   fb6436801517f4cb1748ba4bf9df2df4.exe
    2060   fb6436801517f4cb1748ba4bf9df2df4.exe
    2624   powershell.exe
    2880   powershell.exe
    2060   fb6436801517f4cb1748ba4bf9df2df4.exe
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  Processes: fb6436801517f4cb1748ba4bf9df2df4.exe, fb6436801517f4cb1748ba4bf9df2df4.exe, powershell.exe, powershell.exe
    description               pid    process
    Token: SeDebugPrivilege   2372   fb6436801517f4cb1748ba4bf9df2df4.exe
    Token: SeDebugPrivilege   2060   fb6436801517f4cb1748ba4bf9df2df4.exe
    Token: SeDebugPrivilege   2624   powershell.exe
    Token: SeDebugPrivilege   2880   powershell.exe
- Suspicious use of WriteProcessMemory (25 IoCs; identical rows collapsed, with the number of recorded entries per row)
  Processes: fb6436801517f4cb1748ba4bf9df2df4.exe
    description                        pid    process                                target process                         entries
    PID 2372 wrote to memory of 2880   2372   fb6436801517f4cb1748ba4bf9df2df4.exe   powershell.exe                         4
    PID 2372 wrote to memory of 2624   2372   fb6436801517f4cb1748ba4bf9df2df4.exe   powershell.exe                         4
    PID 2372 wrote to memory of 2520   2372   fb6436801517f4cb1748ba4bf9df2df4.exe   schtasks.exe                           4
    PID 2372 wrote to memory of 2876   2372   fb6436801517f4cb1748ba4bf9df2df4.exe   fb6436801517f4cb1748ba4bf9df2df4.exe   4
    PID 2372 wrote to memory of 2060   2372   fb6436801517f4cb1748ba4bf9df2df4.exe   fb6436801517f4cb1748ba4bf9df2df4.exe   9
- outlook_office_path (1 IoC)
  Processes: fb6436801517f4cb1748ba4bf9df2df4.exe
    description: Key opened
    ioc: \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
    process: fb6436801517f4cb1748ba4bf9df2df4.exe
- outlook_win_path (1 IoC)
  Processes: fb6436801517f4cb1748ba4bf9df2df4.exe
    description: Key opened
    ioc: \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
    process: fb6436801517f4cb1748ba4bf9df2df4.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\fb6436801517f4cb1748ba4bf9df2df4.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\fb6436801517f4cb1748ba4bf9df2df4.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 2372
  Child processes (level 2):
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\fb6436801517f4cb1748ba4bf9df2df4.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2880
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\dSirXQFPjw.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2624
  - C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\dSirXQFPjw" /XML "C:\Users\Admin\AppData\Local\Temp\tmpD7B9.tmp"
    - Creates scheduled task(s)
    PID: 2520
  - C:\Users\Admin\AppData\Local\Temp\fb6436801517f4cb1748ba4bf9df2df4.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\fb6436801517f4cb1748ba4bf9df2df4.exe"
    PID: 2876
  - C:\Users\Admin\AppData\Local\Temp\fb6436801517f4cb1748ba4bf9df2df4.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\fb6436801517f4cb1748ba4bf9df2df4.exe"
    - Accesses Microsoft Outlook profiles
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path
    PID: 2060
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 1KB
  MD5: 2120d12e4177ed0ac0dd2dd4f434f145
  SHA1: a4298078cdbeb06838be11ef89c71cff54961e72
  SHA256: 371a820c454ab459b805a29936157c9989b871060fa8b3c20e71b5b963c72a79
  SHA512: a2c40b8c79e6b22d2a47a643ba030112abb6b12917fbd3f62adaba613c326f170c0778f80398813c49fcfa60bde0d6c5ff4ca365da59c9ae2dc0e775a806d0d0
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\HF11T8X7LTE58LD7RJ67.temp
  Filesize: 7KB
  MD5: 750ce1e8d6099105f69d5f91e1a65f3c
  SHA1: 88acfe383653b76eb00617927855556f20435882
  SHA256: 188f4db69d751bc74f6c7ce0ee42ab26dc625b4687c40737d6d9ae518696b27e
  SHA512: c056ae26a5dd957b3f9d8d76615ed6c79bff5d91deff83f27bb59310a09e5ec2e4204bde5f93e07fdae65b4e5fb6f74426bb70b7e5b14c96ea4dbba7427e381d
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
  Filesize: 7KB
  MD5: 750ce1e8d6099105f69d5f91e1a65f3c
  SHA1: 88acfe383653b76eb00617927855556f20435882
  SHA256: 188f4db69d751bc74f6c7ce0ee42ab26dc625b4687c40737d6d9ae518696b27e
  SHA512: c056ae26a5dd957b3f9d8d76615ed6c79bff5d91deff83f27bb59310a09e5ec2e4204bde5f93e07fdae65b4e5fb6f74426bb70b7e5b14c96ea4dbba7427e381d