Analysis
- max time kernel: 72s
- max time network: 180s
- platform: windows7_x64
- resource: win7-20231020-en
- resource tags: arch:x64, arch:x86, image:win7-20231020-en, locale:en-us, os:windows7-x64, system
- submitted: 12-11-2023 07:48

Static task: static1

Behavioral task: behavioral1
- Sample: b28fed6e73d8203eeebe48b75835f1a6.exe
- Resource: win7-20231020-en

Behavioral task: behavioral2
- Sample: b28fed6e73d8203eeebe48b75835f1a6.exe
- Resource: win10v2004-20231020-en
General
- Target: b28fed6e73d8203eeebe48b75835f1a6.exe
- Size: 522KB
- MD5: b28fed6e73d8203eeebe48b75835f1a6
- SHA1: 45b15d54281ebd0a946fa905dd85c563a221ec90
- SHA256: 9797593a4d2f9d01dbb48e57bf0aa5bb970b6ad988f5f8df872ea6f29ece00df
- SHA512: 7e970c4e45d430b17f904c0721fb1cc64b9961b0776adc211ddc0e5ca9ae48594ffbd9004a7d5db23e39940e627c8d34cfb85332c2b4e206df901fe0a97f5cef
- SSDEEP: 12288:11DKzKH/PPM+WC/cj4KmuMT5FqQTkRmGCnmLS0beG3:vDKQ1q9mLu6mT7
Malware Config
Extracted: snakekeylogger
- Protocol: smtp
- Host: mail.gkas.com.tr
- Port: 587
- Username: [email protected]
- Password: Gkasteknik@2022
Signatures
- Snake Keylogger
  Keylogger and Infostealer first seen in November 2020.
- Snake Keylogger payload (5 IoCs)
  Processes (resource / yara_rule):
  - behavioral1/memory/2576-23-0x0000000000400000-0x0000000000424000-memory.dmp / family_snakekeylogger
  - behavioral1/memory/2576-27-0x0000000000400000-0x0000000000424000-memory.dmp / family_snakekeylogger
  - behavioral1/memory/2576-25-0x0000000000400000-0x0000000000424000-memory.dmp / family_snakekeylogger
  - behavioral1/memory/2576-19-0x0000000000400000-0x0000000000424000-memory.dmp / family_snakekeylogger
  - behavioral1/memory/2576-17-0x0000000000400000-0x0000000000424000-memory.dmp / family_snakekeylogger
- Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes (flow / ioc):
  - flow 2 / checkip.dyndns.org
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses (6 IoCs)
  Processes (pid / process):
  - 2288 / b28fed6e73d8203eeebe48b75835f1a6.exe (the same entry is reported 6 times)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes (description / pid / process):
  - Token: SeDebugPrivilege / 2288 / b28fed6e73d8203eeebe48b75835f1a6.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes (description / pid / process / target process):
  - PID 2288 wrote to memory of 2600 / 2288 / b28fed6e73d8203eeebe48b75835f1a6.exe / powershell.exe (the same entry is reported 4 times)
Processes
- C:\Users\Admin\AppData\Local\Temp\b28fed6e73d8203eeebe48b75835f1a6.exe (PID 2288, depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\b28fed6e73d8203eeebe48b75835f1a6.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 2600, depth 2)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\zCFxvYBsgbJO.exe"
  - C:\Windows\SysWOW64\schtasks.exe (PID 2876, depth 2)
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\zCFxvYBsgbJO" /XML "C:\Users\Admin\AppData\Local\Temp\tmpA351.tmp"
    - Creates scheduled task(s)
  - C:\Users\Admin\AppData\Local\Temp\b28fed6e73d8203eeebe48b75835f1a6.exe (PID 2576, depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\b28fed6e73d8203eeebe48b75835f1a6.exe"
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 1KB
  MD5: 8d807fbee5cfd8feb08463239b18d23e
  SHA1: cbd5eea3c45e0eda5fd09e1413e01e270735c977
  SHA256: 48e2433a7d4bc747e6bcb7c45c4a0cf7f9d5877920c95882a3d8e6b1421e8d7d
  SHA512: 124e69ebe5b49b9e23657c641a905167292fc6327ae15c588de88511079ecc6e91b019f75bf2f3a0550762fce7472bbbc85ada6ebf649593fe1dab06372fd41c