Analysis
- max time kernel: 122s
- max time network: 125s
- platform: windows7_x64
- resource: win7-20231020-en
- resource tags: arch:x64, arch:x86, image:win7-20231020-en, locale:en-us, os:windows7-x64, system
- submitted: 25-10-2023 16:27
Static task: static1
Behavioral task: behavioral1
  Sample: c222db0cd92214a58ae7eac53222c51b.exe
  Resource: win7-20231020-en
Behavioral task: behavioral2
  Sample: c222db0cd92214a58ae7eac53222c51b.exe
  Resource: win10v2004-20231020-en
General
- Target: c222db0cd92214a58ae7eac53222c51b.exe
- Size: 563KB
- MD5: c222db0cd92214a58ae7eac53222c51b
- SHA1: 3ce9bcf3c2e70b06bf2b4413487bf547f64e27ec
- SHA256: eceb2e522f263fea7d5508f234654be5f08058200f3dd4cab31562578630334f
- SHA512: f6287794961f47a0b1601caf087a313bfcfb4a3030f99712646aacb61aa464cd47a4d6535e247e99cd95678f00c4ac5984860697abb6cff33584a99fa49a1d8b
- SSDEEP: 12288:wOgR/mZRM+kZKaGCP28j/Y43BR4OTPxfHr0QPP0OJbarpr9ju:wOgkZR5kjGCP28jfRBt0Q3dJbap6
Malware Config
Extracted: snakekeylogger
- Protocol: smtp
- Host: mail.gulfparksuites.com
- Port: 587
- Username: [email protected]
- Password: Dammam2020
Signatures
- Snake Keylogger
  Keylogger and Infostealer first seen in November 2020.
- Snake Keylogger payload (7 IoCs)
  Processes:
  resource | yara_rule
  behavioral1/memory/2944-16-0x0000000000400000-0x0000000000424000-memory.dmp | family_snakekeylogger
  behavioral1/memory/2944-17-0x0000000000400000-0x0000000000424000-memory.dmp | family_snakekeylogger
  behavioral1/memory/2944-20-0x0000000000400000-0x0000000000424000-memory.dmp | family_snakekeylogger
  behavioral1/memory/2944-25-0x0000000000400000-0x0000000000424000-memory.dmp | family_snakekeylogger
  behavioral1/memory/2944-27-0x0000000000400000-0x0000000000424000-memory.dmp | family_snakekeylogger
  behavioral1/memory/2944-29-0x0000000000A50000-0x0000000000A90000-memory.dmp | family_snakekeylogger
  behavioral1/memory/2944-36-0x0000000000A50000-0x0000000000A90000-memory.dmp | family_snakekeylogger
- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk where infostealers will often target it.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses Microsoft Outlook profiles (1 TTPs, 3 IoCs)
  Processes: c222db0cd92214a58ae7eac53222c51b.exe
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | c222db0cd92214a58ae7eac53222c51b.exe
  Key opened | \REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | c222db0cd92214a58ae7eac53222c51b.exe
  Key opened | \REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | c222db0cd92214a58ae7eac53222c51b.exe
- Looks up external IP address via web service (1 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes:
  flow | ioc
  2 | checkip.dyndns.org
- Suspicious use of SetThreadContext (1 IoCs)
  Processes: c222db0cd92214a58ae7eac53222c51b.exe
  description | pid | process | target process
  PID 1752 set thread context of 2944 | 1752 | c222db0cd92214a58ae7eac53222c51b.exe | c222db0cd92214a58ae7eac53222c51b.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses (3 IoCs)
  Processes: c222db0cd92214a58ae7eac53222c51b.exe, powershell.exe
  pid | process
  2944 | c222db0cd92214a58ae7eac53222c51b.exe
  2944 | c222db0cd92214a58ae7eac53222c51b.exe
  2904 | powershell.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes: c222db0cd92214a58ae7eac53222c51b.exe, powershell.exe
  description | pid | process
  Token: SeDebugPrivilege | 2944 | c222db0cd92214a58ae7eac53222c51b.exe
  Token: SeDebugPrivilege | 2904 | powershell.exe
- Suspicious use of WriteProcessMemory (17 IoCs)
  Processes: c222db0cd92214a58ae7eac53222c51b.exe
  description | pid | process | target process
  PID 1752 wrote to memory of 2904 | 1752 | c222db0cd92214a58ae7eac53222c51b.exe | powershell.exe
  PID 1752 wrote to memory of 2904 | 1752 | c222db0cd92214a58ae7eac53222c51b.exe | powershell.exe
  PID 1752 wrote to memory of 2904 | 1752 | c222db0cd92214a58ae7eac53222c51b.exe | powershell.exe
  PID 1752 wrote to memory of 2904 | 1752 | c222db0cd92214a58ae7eac53222c51b.exe | powershell.exe
  PID 1752 wrote to memory of 2736 | 1752 | c222db0cd92214a58ae7eac53222c51b.exe | schtasks.exe
  PID 1752 wrote to memory of 2736 | 1752 | c222db0cd92214a58ae7eac53222c51b.exe | schtasks.exe
  PID 1752 wrote to memory of 2736 | 1752 | c222db0cd92214a58ae7eac53222c51b.exe | schtasks.exe
  PID 1752 wrote to memory of 2736 | 1752 | c222db0cd92214a58ae7eac53222c51b.exe | schtasks.exe
  PID 1752 wrote to memory of 2944 | 1752 | c222db0cd92214a58ae7eac53222c51b.exe | c222db0cd92214a58ae7eac53222c51b.exe
  PID 1752 wrote to memory of 2944 | 1752 | c222db0cd92214a58ae7eac53222c51b.exe | c222db0cd92214a58ae7eac53222c51b.exe
  PID 1752 wrote to memory of 2944 | 1752 | c222db0cd92214a58ae7eac53222c51b.exe | c222db0cd92214a58ae7eac53222c51b.exe
  PID 1752 wrote to memory of 2944 | 1752 | c222db0cd92214a58ae7eac53222c51b.exe | c222db0cd92214a58ae7eac53222c51b.exe
  PID 1752 wrote to memory of 2944 | 1752 | c222db0cd92214a58ae7eac53222c51b.exe | c222db0cd92214a58ae7eac53222c51b.exe
  PID 1752 wrote to memory of 2944 | 1752 | c222db0cd92214a58ae7eac53222c51b.exe | c222db0cd92214a58ae7eac53222c51b.exe
  PID 1752 wrote to memory of 2944 | 1752 | c222db0cd92214a58ae7eac53222c51b.exe | c222db0cd92214a58ae7eac53222c51b.exe
  PID 1752 wrote to memory of 2944 | 1752 | c222db0cd92214a58ae7eac53222c51b.exe | c222db0cd92214a58ae7eac53222c51b.exe
  PID 1752 wrote to memory of 2944 | 1752 | c222db0cd92214a58ae7eac53222c51b.exe | c222db0cd92214a58ae7eac53222c51b.exe
- outlook_office_path (1 IoCs)
  Processes: c222db0cd92214a58ae7eac53222c51b.exe
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | c222db0cd92214a58ae7eac53222c51b.exe
- outlook_win_path (1 IoCs)
  Processes: c222db0cd92214a58ae7eac53222c51b.exe
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | c222db0cd92214a58ae7eac53222c51b.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\c222db0cd92214a58ae7eac53222c51b.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\c222db0cd92214a58ae7eac53222c51b.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID: 1752
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\ZaLbrdlGvH.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2904
  - C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ZaLbrdlGvH" /XML "C:\Users\Admin\AppData\Local\Temp\tmp445.tmp"
    - Creates scheduled task(s)
    PID: 2736
  - C:\Users\Admin\AppData\Local\Temp\c222db0cd92214a58ae7eac53222c51b.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\c222db0cd92214a58ae7eac53222c51b.exe"
    - Accesses Microsoft Outlook profiles
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path
    PID: 2944
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 1KB
  MD5: f028ea4251ec768d62a7d3316cfaa13d
  SHA1: 594438bb260f445348c7197e78f084291e94728b
  SHA256: 8a25bb2cbb7362ee4a0c858c40c9d5de26b5c7717b4239a6f9d4bc216dfd9b34
  SHA512: 3bf6251f38db52996463df7e728c2a1853ef9365510e1cdea44515cc51ecee943a37967e31148989e20972482ed5bdeb1b950f2d6a6ddaa1a17ebbe02de68c0d