Analysis
max time kernel: 119s
max time network: 144s
platform: windows7_x64
resource: win7-20231020-en
resource tags: arch:x64, arch:x86, image:win7-20231020-en, locale:en-us, os:windows7-x64, system
submitted: 13-11-2023 16:39
Static task
static1
Behavioral task
behavioral1
Sample
TRANSFERI.exe
Resource
win7-20231020-en
Behavioral task
behavioral2
Sample
TRANSFERI.exe
Resource
win10v2004-20231020-en
General
-
Target
TRANSFERI.exe
-
Size
616KB
-
MD5
77521173381682b5a1deb286bce27bf4
-
SHA1
2ad56680cb0c821b18c269c63f4eeeb770140800
-
SHA256
1de5d25aecac6b32b06fe38549376748d098fd43abb5c23f73ee9ddb780080d6
-
SHA512
5366df45795f970f1b17113caf65c1e677b44da372cc85159fc4de4d8d32a08798aa4120cac956014c75fb71fce53ddfe8e76075b66c5f24e50a8f4a12254e53
-
SSDEEP
12288:h36N/bxyuAFnSz0cYMSE7a45naENKqIfPbY9QPNTURftb2pLuxQ:h3gqSznYMP5MbskYVapuQ
Malware Config
Extracted
snakekeylogger
Protocol: smtp
Host: mail.belt-tech.com.my
Port: 587
Username: [email protected]
Password: Beltechpg@1234
Email To: [email protected]
Signatures
-
Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
-
Snake Keylogger payload 6 IoCs
Processes (resource / yara_rule):
behavioral1/memory/2740-23-0x0000000000400000-0x0000000000424000-memory.dmp family_snakekeylogger
behavioral1/memory/2740-25-0x0000000000400000-0x0000000000424000-memory.dmp family_snakekeylogger
behavioral1/memory/2740-30-0x0000000000400000-0x0000000000424000-memory.dmp family_snakekeylogger
behavioral1/memory/2740-32-0x0000000000400000-0x0000000000424000-memory.dmp family_snakekeylogger
behavioral1/memory/2740-35-0x0000000000400000-0x0000000000424000-memory.dmp family_snakekeylogger
behavioral1/memory/2792-39-0x00000000026D0000-0x0000000002710000-memory.dmp family_snakekeylogger
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
Processes (description / ioc / process):
Key opened \REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 TRANSFERI.exe
Key opened \REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 TRANSFERI.exe
Key opened \REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 TRANSFERI.exe
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes (flow / ioc):
flow 2: checkip.dyndns.org
-
Suspicious use of SetThreadContext 1 IoCs
Processes (description / pid / process / target process):
PID 2064 set thread context of 2740 (TRANSFERI.exe -> TRANSFERI.exe)
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 10 IoCs
Processes (pid / process):
2064 TRANSFERI.exe (6 events)
2740 TRANSFERI.exe (2 events)
2792 powershell.exe
2724 powershell.exe
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
Processes (description / pid / process):
Token: SeDebugPrivilege 2064 TRANSFERI.exe
Token: SeDebugPrivilege 2740 TRANSFERI.exe
Token: SeDebugPrivilege 2792 powershell.exe
Token: SeDebugPrivilege 2724 powershell.exe
-
Suspicious use of WriteProcessMemory 25 IoCs
Processes (description / pid / process / target process):
PID 2064 (TRANSFERI.exe) wrote to memory of 2792 (powershell.exe): 4 events
PID 2064 (TRANSFERI.exe) wrote to memory of 2724 (powershell.exe): 4 events
PID 2064 (TRANSFERI.exe) wrote to memory of 2836 (schtasks.exe): 4 events
PID 2064 (TRANSFERI.exe) wrote to memory of 2592 (TRANSFERI.exe): 4 events
PID 2064 (TRANSFERI.exe) wrote to memory of 2740 (TRANSFERI.exe): 9 events
-
outlook_office_path 1 IoCs
Processes (description / ioc / process):
Key opened \REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 TRANSFERI.exe
-
outlook_win_path 1 IoCs
Processes (description / ioc / process):
Key opened \REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 TRANSFERI.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\TRANSFERI.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\TRANSFERI.exe"
  PID: 2064
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (depth 2)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\TRANSFERI.exe"
    PID: 2792
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (depth 2)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\BwmGnyPcYGIy.exe"
    PID: 2724
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\schtasks.exe (depth 2)
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\BwmGnyPcYGIy" /XML "C:\Users\Admin\AppData\Local\Temp\tmpC35F.tmp"
    PID: 2836
    - Creates scheduled task(s)

  C:\Users\Admin\AppData\Local\Temp\TRANSFERI.exe (depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\TRANSFERI.exe"
    PID: 2592

  C:\Users\Admin\AppData\Local\Temp\TRANSFERI.exe (depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\TRANSFERI.exe"
    PID: 2740
    - Accesses Microsoft Outlook profiles
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path
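The process tree above shows the whole loader chain from one parent: two PowerShell children that add Defender exclusions for the current sample path and for the future copy under AppData\Roaming, a schtasks child that registers a task from an XML file in Temp, and two children of the same image, one of which (2740) receives SetThreadContext from the parent and is where the Snake Keylogger YARA hits land. (The child image paths are under SysWOW64 although the command lines say System32 because the 32-bit parent is subject to WOW64 file system redirection.) The following is an added detection example, not part of the sandbox report: it runs four rules over process-creation records constructed from the command lines in this tree (the field names are an assumption modelled on Sysmon EID 1 ProcessCreate; the SetThreadContext pair comes from the sandbox and would have to be approximated from Sysmon EID 10 ProcessAccess in production) and then correlates by parent PID so that a single process that trips two or more distinct rules is flagged rather than each low-signal event on its own.

```python
import re
from collections import defaultdict

# Constructed process-creation records, taken from the process tree in the
# report above. The root sample's own parent is not shown there, so ppid=None.
EVENTS = [
    {"pid": 2064, "ppid": None,
     "image": r"C:\Users\Admin\AppData\Local\Temp\TRANSFERI.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\TRANSFERI.exe"'},
    {"pid": 2792, "ppid": 2064,
     "image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" '
                r'Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\TRANSFERI.exe"'},
    {"pid": 2724, "ppid": 2064,
     "image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" '
                r'Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\BwmGnyPcYGIy.exe"'},
    {"pid": 2836, "ppid": 2064,
     "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmdline": r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\BwmGnyPcYGIy" '
                r'/XML "C:\Users\Admin\AppData\Local\Temp\tmpC35F.tmp"'},
    {"pid": 2592, "ppid": 2064,
     "image": r"C:\Users\Admin\AppData\Local\Temp\TRANSFERI.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\TRANSFERI.exe"'},
    {"pid": 2740, "ppid": 2064,
     "image": r"C:\Users\Admin\AppData\Local\Temp\TRANSFERI.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\TRANSFERI.exe"'},
]

# (source pid, target pid) for the SetThreadContext signature in the report.
THREAD_CONTEXT = [(2064, 2740)]

# Directories an unprivileged user can write to; a Defender exclusion or a task
# XML living here is far more suspicious than one under Program Files.
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\",
                 "\\users\\public\\", "\\programdata\\")

EXCL_RE = re.compile(r'add-mppreference\b.*?-exclusionpath\s+"?([^"\s]+)"?', re.I)
XML_RE = re.compile(r'/xml\s+"?([^"\s]+)"?', re.I)
TN_RE = re.compile(r'/tn\s+"?([^"\s]+)"?', re.I)


def is_user_writable(path):
    p = path.lower()
    return any(marker in p for marker in USER_WRITABLE)


def detect(events, thread_context):
    """Return one finding per rule hit: {rule, pid, ppid, detail}."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        cmd = e["cmdline"]
        # Rule 1: Defender exclusion added for a path the user can write to.
        m = EXCL_RE.search(cmd)
        if m and is_user_writable(m.group(1)):
            findings.append({"rule": "defender_exclusion_user_writable",
                             "pid": e["pid"], "ppid": e["ppid"], "detail": m.group(1)})
        # Rule 2: schtasks /Create fed from an XML definition in a user-writable dir.
        if e["image"].lower().endswith("\\schtasks.exe") and re.search(r"/create\b", cmd, re.I):
            xm, tn = XML_RE.search(cmd), TN_RE.search(cmd)
            if xm and is_user_writable(xm.group(1)):
                findings.append({"rule": "schtasks_xml_from_user_writable",
                                 "pid": e["pid"], "ppid": e["ppid"],
                                 "detail": f"{tn.group(1) if tn else '?'} <- {xm.group(1)}"})
        # Rule 3: a process in a user-writable dir spawning a copy of its own image
        # (the usual shape of a hollowing loader, as with PIDs 2592 and 2740 here).
        parent = by_pid.get(e["ppid"])
        if parent and parent["image"].lower() == e["image"].lower() and is_user_writable(e["image"]):
            findings.append({"rule": "self_spawn_from_user_writable",
                             "pid": e["pid"], "ppid": e["ppid"], "detail": e["image"]})
    # Rule 4: SetThreadContext on a child that is the caller's own image.
    for src, dst in thread_context:
        s, d = by_pid.get(src), by_pid.get(dst)
        if s and d and d["ppid"] == src and s["image"].lower() == d["image"].lower():
            findings.append({"rule": "set_thread_context_on_own_child",
                             "pid": dst, "ppid": src, "detail": f"{src} -> {dst}"})
    return findings


def correlate(findings, min_rules=2):
    """Group findings by parent PID; flag parents hitting >= min_rules distinct rules."""
    rules = defaultdict(set)
    for f in findings:
        if f["ppid"] is not None:
            rules[f["ppid"]].add(f["rule"])
    return {pid: sorted(r) for pid, r in rules.items() if len(r) >= min_rules}


if __name__ == "__main__":
    hits = detect(EVENTS, THREAD_CONTEXT)
    for h in hits:
        print(f'{h["rule"]:36} pid={h["pid"]} ppid={h["ppid"]} {h["detail"]}')
    print("flagged parents:", correlate(hits))
```

Each rule on its own would be noisy in a real environment (administrators do add exclusions and create tasks from XML); the value is in `correlate`, which only surfaces PID 2064 because it is the common parent of all four behaviours. A matching live-host check after such a detection is `Get-MpPreference | Select-Object -ExpandProperty ExclusionPath` and `Get-ScheduledTask -TaskPath "\Updates\"` to confirm whether the exclusion and the task actually landed.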
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize: 1KB
MD5: b93630b8adc1f4a4d8ff069083d9b65d
SHA1: 1216938072abf1d7097b0b614b7d2e6a959f0b05
SHA256: 62fad959838b77bfd34497cfda6556bec75c56e2c842b254f3fb28c073f52338
SHA512: adc54e0f4c37728b271584b9ec9486eb1062a9cc97d210f7fc201f0d444ea7972ef70eae75cceadb53f4fef4380aa2344369b2cf4f922452a4ca4bcf24a941c1
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\KTYAK0NG559UD5W18UI4.temp
Filesize: 7KB
MD5: 595e763305ec89029d104fac2edea3a3
SHA1: 313917d69cfc4f1b5634278cdf06c9a1b294f0ac
SHA256: db929da2ef54b4e00dd6267974f24555d5b8df2e1e52abfa6f478200bf7b68d0
SHA512: 0241cf84c9a3024204dcbe91a74e2c13c00f1b6544151f22bbf85e7b2b3e7e9d176d1e5aead9e583414c914803baad003aa7545933891f5354b64934050ceceb
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize: 7KB
MD5: 595e763305ec89029d104fac2edea3a3
SHA1: 313917d69cfc4f1b5634278cdf06c9a1b294f0ac
SHA256: db929da2ef54b4e00dd6267974f24555d5b8df2e1e52abfa6f478200bf7b68d0
SHA512: 0241cf84c9a3024204dcbe91a74e2c13c00f1b6544151f22bbf85e7b2b3e7e9d176d1e5aead9e583414c914803baad003aa7545933891f5354b64934050ceceb