Analysis
- max time kernel: 120s
- max time network: 133s
- platform: windows7_x64
- resource: win7-20231023-en
- resource tags: arch:x64, arch:x86, image:win7-20231023-en, locale:en-us, os:windows7-x64, system
- submitted: 13-11-2023 16:37
Static task: static1
Behavioral task: behavioral1
- Sample: ekstre.exe
- Resource: win7-20231023-en
Behavioral task: behavioral2
- Sample: ekstre.exe
- Resource: win10v2004-20231023-en
General
- Target: ekstre.exe
- Size: 628KB
- MD5: 7eec1e611d996a5f2792c9778da882bc
- SHA1: 90b7ad77edd7e61499d8e0160490bce4c9366934
- SHA256: 1d7069432d20883d8bf613e91d3a78de608bb7e7fa2b6daf1252e5da9a717ba2
- SHA512: 3bcb54831392b6b6c0c976f4c9940590e0095d14859d02a639a0908ef131039d323f5601a142196c47e6d43f473f3fd8999b47c79f247380660e1eb413b91bea
- SSDEEP: 12288:QWOTNXc3hEunBAFnSuBVZ60SwMPAF98gb8X+SHucpVHGH:332uBqSu9FHMPAF76+SLVHG
Malware Config
Extracted
snakekeylogger
- Protocol: smtp
- Host: mail.alupanorama.com.my
- Port: 587
- Username: [email protected]
- Password: t9&KsFB5dPgV
- Email To: [email protected]
Signatures
- Snake Keylogger
  Keylogger and Infostealer first seen in November 2020.
- Snake Keylogger payload (5 IoCs)
  Processes:
  resource | yara_rule
  behavioral1/memory/2516-24-0x0000000000400000-0x0000000000424000-memory.dmp | family_snakekeylogger
  behavioral1/memory/2516-26-0x0000000000400000-0x0000000000424000-memory.dmp | family_snakekeylogger
  behavioral1/memory/2516-30-0x0000000000400000-0x0000000000424000-memory.dmp | family_snakekeylogger
  behavioral1/memory/2516-32-0x0000000000400000-0x0000000000424000-memory.dmp | family_snakekeylogger
  behavioral1/memory/2516-35-0x0000000000400000-0x0000000000424000-memory.dmp | family_snakekeylogger
- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk where infostealers will often target it.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses Microsoft Outlook profiles (1 TTPs, 3 IoCs)
  Processes:
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | ekstre.exe
  Key opened | \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | ekstre.exe
  Key opened | \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | ekstre.exe
- Looks up external IP address via web service (1 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes:
  flow | ioc
  2 | checkip.dyndns.org
- Suspicious use of SetThreadContext (1 IoCs)
  Processes:
  description | pid | process | target process
  PID 1788 set thread context of 2516 | 1788 | ekstre.exe | ekstre.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses (8 IoCs)
  Processes: ekstre.exe, ekstre.exe, powershell.exe, powershell.exe
  pid | process
  1788 | ekstre.exe
  1788 | ekstre.exe
  1788 | ekstre.exe
  1788 | ekstre.exe
  2516 | ekstre.exe
  2748 | powershell.exe
  2712 | powershell.exe
  2516 | ekstre.exe
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  Processes: ekstre.exe, ekstre.exe, powershell.exe, powershell.exe
  description | pid | process
  Token: SeDebugPrivilege | 1788 | ekstre.exe
  Token: SeDebugPrivilege | 2516 | ekstre.exe
  Token: SeDebugPrivilege | 2712 | powershell.exe
  Token: SeDebugPrivilege | 2748 | powershell.exe
- Suspicious use of WriteProcessMemory (21 IoCs)
  Processes: ekstre.exe
  description | pid | process | target process | events
  PID 1788 wrote to memory of 2712 | 1788 | ekstre.exe | powershell.exe | 4
  PID 1788 wrote to memory of 2748 | 1788 | ekstre.exe | powershell.exe | 4
  PID 1788 wrote to memory of 2076 | 1788 | ekstre.exe | schtasks.exe | 4
  PID 1788 wrote to memory of 2516 | 1788 | ekstre.exe | ekstre.exe | 9
- outlook_office_path (1 IoCs)
  Processes:
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | ekstre.exe
- outlook_win_path (1 IoCs)
  Processes:
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | ekstre.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\ekstre.exe
  "C:\Users\Admin\AppData\Local\Temp\ekstre.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1788
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\ekstre.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2712
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\PjzCeIhiuryZzE.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2748
  - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\PjzCeIhiuryZzE" /XML "C:\Users\Admin\AppData\Local\Temp\tmpF289.tmp"
    - Creates scheduled task(s)
    PID: 2076
  - C:\Users\Admin\AppData\Local\Temp\ekstre.exe
    "C:\Users\Admin\AppData\Local\Temp\ekstre.exe"
    - Accesses Microsoft Outlook profiles
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path
    PID: 2516
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 1KB
  MD5: 65826f5710d0ac055d1733953c71278b
  SHA1: 2a5784dd8e447569438a1a00d89b6dedb898d91c
  SHA256: c85305155a502b696fd8f54a25e5382baebd2859372760776bf63bdcad532649
  SHA512: 68dd952524a6ad5286194959af1d47343f7ec5c99c9b9ff9a9ab5c4f06ea456452aa584a13f6ebaa3439e7d6fd3520e36c778c18b16ccd29d5d15e06071bb69c
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\KCUZRG73LGVL1YAKGDTP.temp
  Filesize: 7KB
  MD5: 7e86e9945cb35d8cca7724511357e500
  SHA1: 0acbeb39ee64a76e3f85099a8cf86ab4ec53081a
  SHA256: 54a78bc512744dc43260132f22b6b61dfe5c4f32a318e954f7d8250073d373f8
  SHA512: 3c9273e47c2e8947a4956ca4cb0fcad6da128273ae9555a29e40bddf4a5d225de76247dec347b1776545002c03eec2cf406d6d48fdc2ee7dc03b2b2cff43d5d8
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
  Filesize: 7KB
  MD5: 7e86e9945cb35d8cca7724511357e500
  SHA1: 0acbeb39ee64a76e3f85099a8cf86ab4ec53081a
  SHA256: 54a78bc512744dc43260132f22b6b61dfe5c4f32a318e954f7d8250073d373f8
  SHA512: 3c9273e47c2e8947a4956ca4cb0fcad6da128273ae9555a29e40bddf4a5d225de76247dec347b1776545002c03eec2cf406d6d48fdc2ee7dc03b2b2cff43d5d8