Analysis
max time kernel: 117s
max time network: 126s
platform: windows7_x64
resource: win7-20231020-en
resource tags: arch:x64, arch:x86, image:win7-20231020-en, locale:en-us, os:windows7-x64, system
submitted: 22-10-2023 07:21
Static task: static1
Behavioral task: behavioral1
  Sample: FACTURA065000000.exe
  Resource: win7-20231020-en
Behavioral task: behavioral2
  Sample: FACTURA065000000.exe
  Resource: win10v2004-20231020-en
General
Target: FACTURA065000000.exe
Size: 328KB
MD5: ff81a14b73d0578f174ac77fda9afd59
SHA1: d6a94b13cd5bbc2bf9c611ef22420dc3310535f9
SHA256: d6e68eab347e95b242f3f1ea311f8a219253b6e9a95ad198d6b574fee149f2e0
SHA512: be966461531bd09f896357357bc5345dfc9d6237ab578a3c866e308b749410530bdef06a1fe4de81736149e2e381924954a534b86a23075f7962fc725c0d3426
SSDEEP: 6144:UnPdudwD/EVDiMyfb+hYffxzElzvWVI9SrSLi1pS8Jqzrbh77f9U+:UnPdLbnb+OffpTI9xOqzJ39R
Malware Config
Signatures
Snake Keylogger
Keylogger and Infostealer first seen in November 2020.

Snake Keylogger payload (5 IoCs)
Processes:
  resource | yara_rule
  behavioral1/memory/2772-13-0x0000000000400000-0x0000000000437000-memory.dmp | family_snakekeylogger
  behavioral1/memory/2772-16-0x0000000000400000-0x0000000000437000-memory.dmp | family_snakekeylogger
  behavioral1/memory/2772-18-0x0000000000400000-0x0000000000437000-memory.dmp | family_snakekeylogger
  behavioral1/memory/2772-19-0x00000000001D0000-0x00000000001F4000-memory.dmp | family_snakekeylogger
  behavioral1/memory/2772-22-0x0000000000400000-0x0000000000437000-memory.dmp | family_snakekeylogger

Executes dropped EXE (3 IoCs)
Processes:
  pid  | process
  2928 | ljkycg.exe
  2756 | ljkycg.exe
  2772 | ljkycg.exe

Loads dropped DLL (3 IoCs)
Processes:
  pid  | process
  2416 | FACTURA065000000.exe
  2928 | ljkycg.exe
  2928 | ljkycg.exe

Reads user/profile data of local email clients (2 TTPs)
Email clients store some user data on disk where infostealers will often target it.

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Accesses Microsoft Outlook profiles (1 TTPs, 3 IoCs)
Processes:
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-3837739534-3148647840-3445085216-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | ljkycg.exe
  Key opened | \REGISTRY\USER\S-1-5-21-3837739534-3148647840-3445085216-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | ljkycg.exe
  Key opened | \REGISTRY\USER\S-1-5-21-3837739534-3148647840-3445085216-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | ljkycg.exe

Adds Run key to start application (2 TTPs, 1 IoCs)
Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-3837739534-3148647840-3445085216-1000\Software\Microsoft\Windows\CurrentVersion\Run\yyueenjjsoxxhc = "C:\\Users\\Admin\\AppData\\Roaming\\uqaajffoxxtdd\\xhhqmvvfbbkggp.exe \"C:\\Users\\Admin\\AppData\\Local\\Temp\\ljkycg.exe\" " | ljkycg.exe

Looks up external IP address via web service (1 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
  flow | ioc
  2    | checkip.dyndns.org

Suspicious use of SetThreadContext (1 IoCs)
Processes:
  description | pid | process | target process
  PID 2928 set thread context of 2772 | 2928 | ljkycg.exe | ljkycg.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes:
  pid  | process
  2772 | ljkycg.exe
  2772 | ljkycg.exe

Suspicious behavior: MapViewOfSection (2 IoCs)
Processes:
  pid  | process
  2928 | ljkycg.exe
  2928 | ljkycg.exe

Suspicious use of AdjustPrivilegeToken (1 IoCs)
Processes:
  description | pid | process
  Token: SeDebugPrivilege | 2772 | ljkycg.exe

Suspicious use of WriteProcessMemory (13 IoCs)
Processes:
  description | pid | process | target process
  PID 2416 wrote to memory of 2928 | 2416 | FACTURA065000000.exe | ljkycg.exe
  PID 2416 wrote to memory of 2928 | 2416 | FACTURA065000000.exe | ljkycg.exe
  PID 2416 wrote to memory of 2928 | 2416 | FACTURA065000000.exe | ljkycg.exe
  PID 2416 wrote to memory of 2928 | 2416 | FACTURA065000000.exe | ljkycg.exe
  PID 2928 wrote to memory of 2756 | 2928 | ljkycg.exe | ljkycg.exe
  PID 2928 wrote to memory of 2756 | 2928 | ljkycg.exe | ljkycg.exe
  PID 2928 wrote to memory of 2756 | 2928 | ljkycg.exe | ljkycg.exe
  PID 2928 wrote to memory of 2756 | 2928 | ljkycg.exe | ljkycg.exe
  PID 2928 wrote to memory of 2772 | 2928 | ljkycg.exe | ljkycg.exe
  PID 2928 wrote to memory of 2772 | 2928 | ljkycg.exe | ljkycg.exe
  PID 2928 wrote to memory of 2772 | 2928 | ljkycg.exe | ljkycg.exe
  PID 2928 wrote to memory of 2772 | 2928 | ljkycg.exe | ljkycg.exe
  PID 2928 wrote to memory of 2772 | 2928 | ljkycg.exe | ljkycg.exe

outlook_office_path (1 IoCs)
Processes:
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-3837739534-3148647840-3445085216-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | ljkycg.exe

outlook_win_path (1 IoCs)
Processes:
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-3837739534-3148647840-3445085216-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | ljkycg.exe
Processes
C:\Users\Admin\AppData\Local\Temp\FACTURA065000000.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\FACTURA065000000.exe"
  PID: 2416
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\ljkycg.exe (depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\ljkycg.exe"
    PID: 2928
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\ljkycg.exe (depth 3)
      Command line: "C:\Users\Admin\AppData\Local\Temp\ljkycg.exe"
      PID: 2756
      - Executes dropped EXE

    C:\Users\Admin\AppData\Local\Temp\ljkycg.exe (depth 3)
      Command line: "C:\Users\Admin\AppData\Local\Temp\ljkycg.exe"
      PID: 2772
      - Executes dropped EXE
      - Accesses Microsoft Outlook profiles
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - outlook_office_path
      - outlook_win_path
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 223KB
MD5: 55064cc77a862a8c6a684e3895e199d4
SHA1: f8f24a4c758e5d40cebd79810f7f55a2f32f0bf0
SHA256: ab5cf8775675995721a3c974e6e819ae3a52410b06dc214a845a1037980660d8
SHA512: abd7b44ff47ddfa5dd1909bad51df25377220fff0457771a92b6afe4c0cb7082493af91854859d0dd87ce86a59e04bb4afaaf3c65261bb00f092b6f847e2b6d5

Filesize: 172KB
MD5: 8827d213de99bdc80c49b0c89ed1dd2c
SHA1: ef12d6bfd1ee8b5e03e35209fef52e6a001aab4c
SHA256: 9c994eb7e25b6feba0696c7fce821540a3af55e7231659806ee9b8ebc68755d5
SHA512: f52d03d982e4ea04d5d049677805f9093c3a476bb76455a243aea46994278bf52dc2515df510681384fe899a0b4a040c576343737e566bd5d67173ace98d9b53