Analysis
-
max time kernel
44s -
max time network
164s -
platform
windows7_x64 -
resource
win7-20231023-en -
resource tags
arch:x64arch:x86image:win7-20231023-enlocale:en-usos:windows7-x64system -
submitted
14-11-2023 08:42
Static task
static1
Behavioral task
behavioral1
Sample
NEAS.1de5d25aecac6b32b06fe38549376748d098fd43abb5c23f73ee9ddb780080d6.exe
Resource
win7-20231023-en
Behavioral task
behavioral2
Sample
NEAS.1de5d25aecac6b32b06fe38549376748d098fd43abb5c23f73ee9ddb780080d6.exe
Resource
win10v2004-20231023-en
General
-
Target
NEAS.1de5d25aecac6b32b06fe38549376748d098fd43abb5c23f73ee9ddb780080d6.exe
-
Size
616KB
-
MD5
77521173381682b5a1deb286bce27bf4
-
SHA1
2ad56680cb0c821b18c269c63f4eeeb770140800
-
SHA256
1de5d25aecac6b32b06fe38549376748d098fd43abb5c23f73ee9ddb780080d6
-
SHA512
5366df45795f970f1b17113caf65c1e677b44da372cc85159fc4de4d8d32a08798aa4120cac956014c75fb71fce53ddfe8e76075b66c5f24e50a8f4a12254e53
-
SSDEEP
12288:h36N/bxyuAFnSz0cYMSE7a45naENKqIfPbY9QPNTURftb2pLuxQ:h3gqSznYMP5MbskYVapuQ
Malware Config
Extracted
snakekeylogger
Protocol: smtp- Host:
mail.belt-tech.com.my - Port:
587 - Username:
[email protected] - Password:
Beltechpg@1234 - Email To:
[email protected]
Signatures
-
Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
-
Snake Keylogger payload 5 IoCs
Processes:
resource yara_rule behavioral1/memory/1384-29-0x0000000000400000-0x0000000000424000-memory.dmp family_snakekeylogger behavioral1/memory/1384-33-0x0000000000400000-0x0000000000424000-memory.dmp family_snakekeylogger behavioral1/memory/1384-31-0x0000000000400000-0x0000000000424000-memory.dmp family_snakekeylogger behavioral1/memory/1384-25-0x0000000000400000-0x0000000000424000-memory.dmp family_snakekeylogger behavioral1/memory/1384-23-0x0000000000400000-0x0000000000424000-memory.dmp family_snakekeylogger -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 2 checkip.dyndns.org -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 5 IoCs
Processes:
NEAS.1de5d25aecac6b32b06fe38549376748d098fd43abb5c23f73ee9ddb780080d6.exepid process 2384 NEAS.1de5d25aecac6b32b06fe38549376748d098fd43abb5c23f73ee9ddb780080d6.exe 2384 NEAS.1de5d25aecac6b32b06fe38549376748d098fd43abb5c23f73ee9ddb780080d6.exe 2384 NEAS.1de5d25aecac6b32b06fe38549376748d098fd43abb5c23f73ee9ddb780080d6.exe 2384 NEAS.1de5d25aecac6b32b06fe38549376748d098fd43abb5c23f73ee9ddb780080d6.exe 2384 NEAS.1de5d25aecac6b32b06fe38549376748d098fd43abb5c23f73ee9ddb780080d6.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
NEAS.1de5d25aecac6b32b06fe38549376748d098fd43abb5c23f73ee9ddb780080d6.exedescription pid process Token: SeDebugPrivilege 2384 NEAS.1de5d25aecac6b32b06fe38549376748d098fd43abb5c23f73ee9ddb780080d6.exe -
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
NEAS.1de5d25aecac6b32b06fe38549376748d098fd43abb5c23f73ee9ddb780080d6.exedescription pid process target process PID 2384 wrote to memory of 2576 2384 NEAS.1de5d25aecac6b32b06fe38549376748d098fd43abb5c23f73ee9ddb780080d6.exe powershell.exe PID 2384 wrote to memory of 2576 2384 NEAS.1de5d25aecac6b32b06fe38549376748d098fd43abb5c23f73ee9ddb780080d6.exe powershell.exe PID 2384 wrote to memory of 2576 2384 NEAS.1de5d25aecac6b32b06fe38549376748d098fd43abb5c23f73ee9ddb780080d6.exe powershell.exe PID 2384 wrote to memory of 2576 2384 NEAS.1de5d25aecac6b32b06fe38549376748d098fd43abb5c23f73ee9ddb780080d6.exe powershell.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\NEAS.1de5d25aecac6b32b06fe38549376748d098fd43abb5c23f73ee9ddb780080d6.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.1de5d25aecac6b32b06fe38549376748d098fd43abb5c23f73ee9ddb780080d6.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2384 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\NEAS.1de5d25aecac6b32b06fe38549376748d098fd43abb5c23f73ee9ddb780080d6.exe"2⤵PID:2576
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\BwmGnyPcYGIy" /XML "C:\Users\Admin\AppData\Local\Temp\tmp1239.tmp"2⤵
- Creates scheduled task(s)
PID:2596 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\BwmGnyPcYGIy.exe"2⤵PID:2484
-
C:\Users\Admin\AppData\Local\Temp\NEAS.1de5d25aecac6b32b06fe38549376748d098fd43abb5c23f73ee9ddb780080d6.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.1de5d25aecac6b32b06fe38549376748d098fd43abb5c23f73ee9ddb780080d6.exe"2⤵PID:1384
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD545af8241c4b66cf61271c578425e947c
SHA1d47b95d15f9a881230079e36225c47a5d0b77cb1
SHA25658cf67312d5b2c36d4206223e22cb1cbd046d71208d624d0d05a9734b526351c
SHA51280a5999084edefd7de75ffa67bf35f80eb2682e117f1e9c091d04a4d6f62aab3fbb103f6839faa81be2caf28d9a6b98ab5e77701abe1c83ae3902ad8a027f789
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\HBREKWVJ5TQRRZIJL6F8.temp
Filesize7KB
MD552e55a638ba400ae13f1369e5704f659
SHA17cf02613137394d5b827d4aada1bcb73d0a36e12
SHA256349cf9f634d4b19530aef0710e47498b671b0305d40fd7f2decc0a232957156b
SHA512cc8a38783a7272b54fca61af82519bc69208d360fc98c638d4b1256b99c1e7e8ce4d3f5872d07ca2380e01d7d756e301778985bb22a6b37b2d2571bd86fc0a3f
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize7KB
MD552e55a638ba400ae13f1369e5704f659
SHA17cf02613137394d5b827d4aada1bcb73d0a36e12
SHA256349cf9f634d4b19530aef0710e47498b671b0305d40fd7f2decc0a232957156b
SHA512cc8a38783a7272b54fca61af82519bc69208d360fc98c638d4b1256b99c1e7e8ce4d3f5872d07ca2380e01d7d756e301778985bb22a6b37b2d2571bd86fc0a3f