Analysis
- max time kernel: 200s
- max time network: 257s
- platform: windows10-2004_x64
- resource: win10v2004-20230915-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230915-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 13-10-2023 20:37
Static task: static1
Behavioral task: behavioral1 (sample FACTRA09876545689000.exe, resource win7-20230831-en)
Behavioral task: behavioral2 (sample FACTRA09876545689000.exe, resource win10v2004-20230915-en)
General
- Target: FACTRA09876545689000.exe
- Size: 473KB
- MD5: 1853308b40b353d110ecbd0c0e09b24a
- SHA1: 3b6f5aceb5d114178304588493eed2281718f358
- SHA256: 19f5a1432457383a9f992ee9b9ebf5e719b3709dc630146a083843a582d6996f
- SHA512: f053ed9f68b5fd55f57e4cccf40271109c89e282fa67dc4a195a0c89b9d79198431ed785fbbb35450775feaa37235a288e3b28dfaa39f64611cb0fd8523c7b89
- SSDEEP: 12288:gkSMfMGuMFex9HNHfMGuMFex6R1SNjRZxF:jSMEGMSGMlNjR
Malware Config
Extracted: snakekeylogger
- Protocol: smtp
- Host: mail.sienkakupeste.com
- Port: 587
- Username: [email protected]
- Password: 010203sienka++
- Email To: [email protected]
Signatures
- Snake Keylogger
  Keylogger and Infostealer first seen in November 2020.
- Snake Keylogger payload (1 IoC)
  Resource: behavioral2/memory/3828-22-0x0000000000400000-0x0000000000424000-memory.dmp
  YARA rule: family_snakekeylogger
  The match is in a memory dump of PID 3828, the second copy of FACTRA09876545689000.exe, not in the file on disk.
- Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
  Process: FACTRA09876545689000.exe (PID 3828)
  Key opened: \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
  Key opened: \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
  Key opened: \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
- Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Flow 64: checkip.dyndns.org
- Suspicious use of SetThreadContext (1 IoC)
  PID 4136 (FACTRA09876545689000.exe) set thread context of PID 3828 (FACTRA09876545689000.exe)
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  PID 988 Powershell.exe (2 events)
  PID 3828 FACTRA09876545689000.exe (2 events)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token SeDebugPrivilege: PID 988 Powershell.exe
  Token SeDebugPrivilege: PID 3828 FACTRA09876545689000.exe
- Suspicious use of WriteProcessMemory (11 IoCs)
  PID 4136 (FACTRA09876545689000.exe) wrote to memory of PID 988 (Powershell.exe): 3 events
  PID 4136 (FACTRA09876545689000.exe) wrote to memory of PID 3828 (FACTRA09876545689000.exe): 8 events
  Taken together with the SetThreadContext event above, the writes into PID 3828 are consistent with process hollowing: the parent starts a second copy of its own image, writes into it, then redirects its thread. The payload YARA match is in that child's memory.
- outlook_office_path (1 IoC)
  Process: FACTRA09876545689000.exe
  Key opened: \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
- outlook_win_path (1 IoC)
  Process: FACTRA09876545689000.exe
  Key opened: \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Processes
- C:\Users\Admin\AppData\Local\Temp\FACTRA09876545689000.exe (PID 4136)
  Command line: "C:\Users\Admin\AppData\Local\Temp\FACTRA09876545689000.exe"
  Signatures: Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe (PID 988, child of 4136)
    Command line: "Powershell.exe" -ExecutionPolicy Bypass -command Copy-Item 'C:\Users\Admin\AppData\Local\Temp\FACTRA09876545689000.exe' 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe'
    Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  - C:\Users\Admin\AppData\Local\Temp\FACTRA09876545689000.exe (PID 3828, child of 4136)
    Command line: "C:\Users\Admin\AppData\Local\Temp\FACTRA09876545689000.exe"
    Signatures: Accesses Microsoft Outlook profiles; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; outlook_office_path; outlook_win_path
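The process tree and signature tables above expose three behaviours a detection engineer would want to catch from endpoint telemetry: a parent that spawns a second copy of its own image, writes into it and calls SetThreadContext; a PowerShell child that copies the sample into the user's Startup folder; and Outlook profile registry reads plus an external IP lookup from the injected child. The Python below is an added example written for this page, not code from the report or from the sandbox vendor. The event records are constructed from the report's own PIDs, paths, registry keys and host, and the event field names (type, pid, ppid, image, cmdline, target, key, host) are an assumed schema, not the sandbox's export format.

```python
"""Detection heuristics for the behaviours in the sandbox report above, run over
constructed sandbox-style events. Added example; the event schema is an assumption."""
import re
from collections import defaultdict

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\FACTRA09876545689000.exe"
PS = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe"
SID = "S-1-5-21-1045988481-1457812719-2617974652-1000"
HKU = "\\REGISTRY\\USER\\" + SID

# Constructed events modelled on the report's process tree and signature tables.
EVENTS = [
    {"type": "process_start", "pid": 4136, "ppid": 1, "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    {"type": "process_start", "pid": 988, "ppid": 4136, "image": PS,
     "cmdline": '"Powershell.exe" -ExecutionPolicy Bypass -command Copy-Item '
                r"'C:\Users\Admin\AppData\Local\Temp\FACTRA09876545689000.exe' "
                r"'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe'"},
    {"type": "process_start", "pid": 3828, "ppid": 4136, "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    *[{"type": "write_process_memory", "pid": 4136, "target": 988} for _ in range(3)],
    *[{"type": "write_process_memory", "pid": 4136, "target": 3828} for _ in range(8)],
    {"type": "set_thread_context", "pid": 4136, "target": 3828},
    {"type": "reg_open", "pid": 3828,
     "key": HKU + r"\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676"},
    {"type": "reg_open", "pid": 3828,
     "key": HKU + r"\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676"},
    {"type": "dns", "pid": 3828, "host": "checkip.dyndns.org"},
]

STARTUP_DIR = "\\start menu\\programs\\startup\\"
OUTLOOK_PROFILE_MARKERS = ("\\outlook\\profiles\\", "\\windows messaging subsystem\\profiles\\")
IP_LOOKUP_HOSTS = {"checkip.dyndns.org"}  # extend with the lookup services seen in your telemetry
COPY_ITEM_RE = re.compile(r"copy-item\s+'([^']+)'\s+'([^']+)'", re.IGNORECASE)


def detect(events):
    """Return a list of findings, each {"rule", "pid", "detail"}."""
    procs = {e["pid"]: e for e in events if e["type"] == "process_start"}
    # Count cross-process writes first; IoC tables do not guarantee event order.
    writes = defaultdict(int)
    for e in events:
        if e["type"] == "write_process_memory":
            writes[(e["pid"], e["target"])] += 1

    findings = []
    for e in events:
        t = e["type"]
        if t == "set_thread_context":
            src, dst = e["pid"], e["target"]
            child = procs.get(dst, {})
            same_image = child.get("image", "").lower() == procs.get(src, {}).get("image", "").lower()
            # Hollowing heuristic: own child, same image, memory written, then thread redirected.
            if writes[(src, dst)] and same_image and child.get("ppid") == src:
                findings.append({"rule": "process_hollowing_T1055.012", "pid": src,
                                 "detail": f"{writes[(src, dst)]} writes then SetThreadContext on child {dst}"})
        elif t == "process_start" and "powershell" in e["image"].lower():
            m = COPY_ITEM_RE.search(e["cmdline"])
            if m and STARTUP_DIR in m.group(2).lower():
                findings.append({"rule": "startup_folder_persistence_T1547.001", "pid": e["pid"],
                                 "detail": f"copies {m.group(1)} to {m.group(2)}"})
        elif t == "reg_open" and any(mk in e["key"].lower() for mk in OUTLOOK_PROFILE_MARKERS):
            findings.append({"rule": "outlook_profile_access", "pid": e["pid"], "detail": e["key"]})
        elif t == "dns" and e["host"].lower() in IP_LOOKUP_HOSTS:
            findings.append({"rule": "external_ip_lookup", "pid": e["pid"], "detail": e["host"]})
    return findings


if __name__ == "__main__":
    for f in detect(EVENTS):
        print(f"{f['rule']:38} pid={f['pid']:<5} {f['detail']}")
```

Run against the constructed events this reports one hollowing finding (4136 into 3828, eight writes), the Startup-folder copy from PID 988, two Outlook profile key reads and the checkip.dyndns.org lookup. The three WriteProcessMemory events into the PowerShell child (PID 988) are deliberately not reported as hollowing, because no SetThreadContext follows them and the image differs; a rule keyed on WriteProcessMemory alone would fire on ordinary process creation plumbing.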
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 706B
  MD5: f8bcaf312de8591707436c1dcebba8e4
  SHA1: a1269828e5f644601622f4a7a611aec8f2eda0b2
  SHA256: f0f5a90777c70cdceea22bd66b33c1703a318acc45cb012d0b01585a1ac12b29
  SHA512: 3a714f5950584abbc94a27bbd4623bfc5acb1135c8c9fca4d74e70c8481b71ace7dbc1dfbf101dd07c76a050acfb4852f31dd57fc7ae196382336c5edc9e6413
- Filesize: 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82