Analysis
max time kernel: 118s
max time network: 138s
platform: windows7_x64
resource: win7-20231023-en
resource tags: arch:x64, arch:x86, image:win7-20231023-en, locale:en-us, os:windows7-x64, system
submitted: 01-11-2023 06:18
Static task: static1
Behavioral task: behavioral1
  Sample: U1su8hmVj4ourFo.exe
  Resource: win7-20231023-en
Behavioral task: behavioral2
  Sample: U1su8hmVj4ourFo.exe
  Resource: win10v2004-20231020-en
General
Target: U1su8hmVj4ourFo.exe
Size: 696KB
MD5: 6948d3ae7ef630dd997b7d09e17159a0
SHA1: f22729b5b442119a1de75e12af90e3d97a1de68c
SHA256: b8c9a4161e9621de6e7fa177230bd3841a575a00f0456b54efab368046479722
SHA512: a11f351dd83dcb96485ae834085f28eb740b3295dbaa550acb717b0084a0a6cff9568a5084f7b690edea2c4f537ced85185d5735618bcebce993656f751cb751
SSDEEP: 12288:6p11OhPAWlfRexM/YUPH6NFusNkmXuQcKyHQu:6O5AWlfRAFNMSMQcKBu
Malware Config
Extracted family: snakekeylogger
Extracted exfiltration URL: https://api.telegram.org/bot5764904494:AAFs_l-L1X-oXjUJWZbsXjBMAreHGetTJvw/sendMessage?chat_id=5582419717
Signatures

Detect ZGRat V1 (1 IoC)
Processes (resource, yara_rule):
  behavioral1/memory/3068-7-0x0000000004F00000-0x0000000004F62000-memory.dmp: family_zgrat_v1
Snake Keylogger
Keylogger and Infostealer first seen in November 2020.

Snake Keylogger payload (6 IoCs)
Processes (resource, yara_rule):
  behavioral1/memory/2012-22-0x0000000000400000-0x0000000000426000-memory.dmp: family_snakekeylogger
  behavioral1/memory/2012-21-0x0000000000400000-0x0000000000426000-memory.dmp: family_snakekeylogger
  behavioral1/memory/2012-24-0x0000000000400000-0x0000000000426000-memory.dmp: family_snakekeylogger
  behavioral1/memory/2012-27-0x0000000000400000-0x0000000000426000-memory.dmp: family_snakekeylogger
  behavioral1/memory/2012-29-0x0000000000400000-0x0000000000426000-memory.dmp: family_snakekeylogger
  behavioral1/memory/2264-31-0x00000000001C0000-0x0000000000200000-memory.dmp: family_snakekeylogger
Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes (flow, ioc):
  flow 2: checkip.dyndns.org
Suspicious use of SetThreadContext (1 IoC)
Processes (description, pid, process, target process):
  PID 3068 (U1su8hmVj4ourFo.exe) set thread context of PID 2012 (MSBuild.exe)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes (pid, process):
  PID 2012: MSBuild.exe
  PID 2264: powershell.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes (description, pid, process):
  Token: SeDebugPrivilege, PID 2012, MSBuild.exe
  Token: SeDebugPrivilege, PID 2264, powershell.exe
Suspicious use of WriteProcessMemory (17 IoCs)
Processes (description, pid, process, target process):
  PID 3068 (U1su8hmVj4ourFo.exe) wrote to memory of PID 2264 (powershell.exe): 4 occurrences
  PID 3068 (U1su8hmVj4ourFo.exe) wrote to memory of PID 2556 (schtasks.exe): 4 occurrences
  PID 3068 (U1su8hmVj4ourFo.exe) wrote to memory of PID 2012 (MSBuild.exe): 9 occurrences
Processes

Depth 1: C:\Users\Admin\AppData\Local\Temp\U1su8hmVj4ourFo.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\U1su8hmVj4ourFo.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID: 3068

  Depth 2: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\ovQRCl.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2264

  Depth 2: C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ovQRCl" /XML "C:\Users\Admin\AppData\Local\Temp\tmpE659.tmp"
    - Creates scheduled task(s)
    PID: 2556

  Depth 2: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2012
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 1KB
MD5: b67dd3522ac7fae63229ea0adfabd1e1
SHA1: fab63efe56380e4c3fc21194bf6c543c33396e91
SHA256: d6cc33fd7c51d82a9da2b3a5d1056b0ccdda00891d3c8a37f6759a21e2a78aa3
SHA512: bd7450f19135ff123c5ebac44e16ba53cde259f94ce5a2d3c717e398f115e3f427ca836bc72c2b4220da11c77596aaec0aea3578e31c0acdde9855f8fa4b1a4a