Analysis
max time kernel: 188s
max time network: 220s
platform: windows10-2004_x64
resource: win10v2004-20231023-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231023-en, locale:en-us, os:windows10-2004-x64, system
submitted: 08-11-2023 07:58
Static task: static1
Behavioral task: behavioral1
  Sample: SU RECEIPTS.exe
  Resource: win7-20231020-en
Behavioral task: behavioral2
  Sample: SU RECEIPTS.exe
  Resource: win10v2004-20231023-en
General
Target: SU RECEIPTS.exe
Size: 45KB
MD5: 8c1ecfec742a15ecea1270341f6fc233
SHA1: cad6e89bb9a46723d5c065118d84f8fa2d733b5b
SHA256: 1a6df26ab226cce53ed57cf4d4a46afcacfed48d181ecf3cefc1547a86fa514e
SHA512: 1cea0261f65f4faf58b9f6c06942f39eb898b0fc2a31719de3aa6be7842170d1cd69efc0c66d9406e076b38923e4d065a2afa50e1943f60ea9af5ad5a1800f74
SSDEEP: 768:uyJEWTx+/DsoQpYZluRhLLZKT+LQEPKfrs4nMWp/YI4XuMI/t6nOa6Tyo:dnpBX7LQnjsL9o1t6Oa/o
Malware Config
Extracted family: snakekeylogger
C2: https://api.telegram.org/bot6665362842:AAG0pFaR7HRKKztCR5GZinjteZ-4ePeXCWM/sendMessage?chat_id=1467583453
Signatures
- Snake Keylogger
  Keylogger and Infostealer first seen in November 2020.
- Snake Keylogger payload (1 IoC)
  resource: behavioral2/memory/4788-13-0x0000000000400000-0x0000000000424000-memory.dmp
  yara_rule: family_snakekeylogger
- Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
  Process: SU RECEIPTS.exe
  Key opened: \REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
  Key opened: \REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
  Key opened: \REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
- Adds Run key to start application (2 TTPs, 1 IoC)
  Process: SU RECEIPTS.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Avukehngtk = "C:\\Users\\Admin\\AppData\\Roaming\\Avukehngtk.exe"
- Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow 81: checkip.dyndns.org
- Suspicious use of SetThreadContext (1 IoC)
  PID 2300 (SU RECEIPTS.exe) set thread context of PID 4788 (SU RECEIPTS.exe)
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  PID 4788 (SU RECEIPTS.exe), 2 entries
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege, PID 2300 (SU RECEIPTS.exe)
  Token: SeDebugPrivilege, PID 4788 (SU RECEIPTS.exe)
- Suspicious use of WriteProcessMemory (8 IoCs)
  PID 2300 (SU RECEIPTS.exe) wrote to memory of PID 4788 (SU RECEIPTS.exe), 8 identical entries
- outlook_office_path (1 IoC)
  Process: SU RECEIPTS.exe
  Key opened: \REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
- outlook_win_path (1 IoC)
  Process: SU RECEIPTS.exe
  Key opened: \REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Processes
- C:\Users\Admin\AppData\Local\Temp\SU RECEIPTS.exe (PID 2300)
  Command line: "C:\Users\Admin\AppData\Local\Temp\SU RECEIPTS.exe"
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\SU RECEIPTS.exe (PID 4788, child of PID 2300)
    Command line: "C:\Users\Admin\AppData\Local\Temp\SU RECEIPTS.exe"
    - Accesses Microsoft Outlook profiles
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 1KB
  MD5: 7ec52a18e14aaabdaa3ca494d0d2fcd6
  SHA1: 9da1ce116cfcc41e2943ce5866d844bb4b0c54f8
  SHA256: d3254d6b93af211373171a502e4f732a62fb26398a7c7f0cf89959630ccf5b22
  SHA512: efbee1ec6a5f5d2008f46a721ab45f8a8659e400def9fe3239a2131efdac5136472ea189f63cd6de5a21866b9e8eea1b5c574be62243376420ef84c9b32761c9