Overview

overview

10

Static

static

3

NEAS.1de5d...d6.exe

windows7-x64

10

NEAS.1de5d...d6.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    44s
  • max time network
    164s
  • platform
    windows7_x64
  • resource
    win7-20231023-en
  • resource tags

    arch:x64arch:x86image:win7-20231023-enlocale:en-usos:windows7-x64system
  • submitted
    14-11-2023 08:42

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    NEAS.1de5d25aecac6b32b06fe38549376748d098fd43abb5c23f73ee9ddb780080d6.exe

  • Size

    616KB

  • MD5

    77521173381682b5a1deb286bce27bf4

  • SHA1

    2ad56680cb0c821b18c269c63f4eeeb770140800

  • SHA256

    1de5d25aecac6b32b06fe38549376748d098fd43abb5c23f73ee9ddb780080d6

  • SHA512

    5366df45795f970f1b17113caf65c1e677b44da372cc85159fc4de4d8d32a08798aa4120cac956014c75fb71fce53ddfe8e76075b66c5f24e50a8f4a12254e53

  • SSDEEP

    12288:h36N/bxyuAFnSz0cYMSE7a45naENKqIfPbY9QPNTURftb2pLuxQ:h3gqSznYMP5MbskYVapuQ

Score
10/10
snakekeyloggerkeyloggerstealer

Malware Config

Extracted

Family

snakekeylogger

Credentials

Signatures

  • Snake Keylogger

    Keylogger and Infostealer first seen in November 2020.

    stealerkeyloggersnakekeylogger
  • Snake Keylogger payload 5 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\NEAS.1de5d25aecac6b32b06fe38549376748d098fd43abb5c23f73ee9ddb780080d6.exe
    "C:\Users\Admin\AppData\Local\Temp\NEAS.1de5d25aecac6b32b06fe38549376748d098fd43abb5c23f73ee9ddb780080d6.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2384
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\NEAS.1de5d25aecac6b32b06fe38549376748d098fd43abb5c23f73ee9ddb780080d6.exe"
      2⤵
        PID:2576
      • C:\Windows\SysWOW64\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\BwmGnyPcYGIy" /XML "C:\Users\Admin\AppData\Local\Temp\tmp1239.tmp"
        2⤵
        • Creates scheduled task(s)
        PID:2596
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\BwmGnyPcYGIy.exe"
        2⤵
          PID:2484
        • C:\Users\Admin\AppData\Local\Temp\NEAS.1de5d25aecac6b32b06fe38549376748d098fd43abb5c23f73ee9ddb780080d6.exe
          "C:\Users\Admin\AppData\Local\Temp\NEAS.1de5d25aecac6b32b06fe38549376748d098fd43abb5c23f73ee9ddb780080d6.exe"
          2⤵
            PID:1384

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\tmp1239.tmp
          Filesize

          1KB

          MD5

          45af8241c4b66cf61271c578425e947c

          SHA1

          d47b95d15f9a881230079e36225c47a5d0b77cb1

          SHA256

          58cf67312d5b2c36d4206223e22cb1cbd046d71208d624d0d05a9734b526351c

          SHA512

          80a5999084edefd7de75ffa67bf35f80eb2682e117f1e9c091d04a4d6f62aab3fbb103f6839faa81be2caf28d9a6b98ab5e77701abe1c83ae3902ad8a027f789

          Download Submit

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\HBREKWVJ5TQRRZIJL6F8.temp
          Filesize

          7KB

          MD5

          52e55a638ba400ae13f1369e5704f659

          SHA1

          7cf02613137394d5b827d4aada1bcb73d0a36e12

          SHA256

          349cf9f634d4b19530aef0710e47498b671b0305d40fd7f2decc0a232957156b

          SHA512

          cc8a38783a7272b54fca61af82519bc69208d360fc98c638d4b1256b99c1e7e8ce4d3f5872d07ca2380e01d7d756e301778985bb22a6b37b2d2571bd86fc0a3f

          Download Submit

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
          Filesize

          7KB

          MD5

          52e55a638ba400ae13f1369e5704f659

          SHA1

          7cf02613137394d5b827d4aada1bcb73d0a36e12

          SHA256

          349cf9f634d4b19530aef0710e47498b671b0305d40fd7f2decc0a232957156b

          SHA512

          cc8a38783a7272b54fca61af82519bc69208d360fc98c638d4b1256b99c1e7e8ce4d3f5872d07ca2380e01d7d756e301778985bb22a6b37b2d2571bd86fc0a3f

          Download Submit

        • memory/1384-22-0x0000000000400000-0x0000000000424000-memory.dmp

          Filesize

          144KB

          Download

        • memory/1384-25-0x0000000000400000-0x0000000000424000-memory.dmp

          Filesize

          144KB

          Download

        • memory/1384-50-0x0000000000690000-0x00000000006D0000-memory.dmp

          Filesize

          256KB

          Download

        • memory/1384-49-0x0000000074560000-0x0000000074C4E000-memory.dmp

          Filesize

          6.9MB

          Download

        • memory/1384-20-0x0000000000400000-0x0000000000424000-memory.dmp

          Filesize

          144KB

          Download

        • memory/1384-45-0x0000000000690000-0x00000000006D0000-memory.dmp

          Filesize

          256KB

          Download

        • memory/1384-44-0x0000000074560000-0x0000000074C4E000-memory.dmp

          Filesize

          6.9MB

          Download

        • memory/1384-23-0x0000000000400000-0x0000000000424000-memory.dmp

          Filesize

          144KB

          Download

        • memory/1384-29-0x0000000000400000-0x0000000000424000-memory.dmp

          Filesize

          144KB

          Download

        • memory/1384-33-0x0000000000400000-0x0000000000424000-memory.dmp

          Filesize

          144KB

          Download

        • memory/1384-31-0x0000000000400000-0x0000000000424000-memory.dmp

          Filesize

          144KB

          Download

        • memory/1384-27-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2384-1-0x0000000074560000-0x0000000074C4E000-memory.dmp

          Filesize

          6.9MB

          Download

        • memory/2384-5-0x0000000000410000-0x000000000041A000-memory.dmp

          Filesize

          40KB

          Download

        • memory/2384-34-0x0000000074560000-0x0000000074C4E000-memory.dmp

          Filesize

          6.9MB

          Download

        • memory/2384-0-0x0000000001180000-0x000000000121E000-memory.dmp

          Filesize

          632KB

          Download

        • memory/2384-6-0x0000000001120000-0x0000000001180000-memory.dmp

          Filesize

          384KB

          Download

        • memory/2384-4-0x0000000074560000-0x0000000074C4E000-memory.dmp

          Filesize

          6.9MB

          Download

        • memory/2384-7-0x0000000004C10000-0x0000000004C50000-memory.dmp

          Filesize

          256KB

          Download

        • memory/2384-3-0x00000000002D0000-0x00000000002E6000-memory.dmp

          Filesize

          88KB

          Download

        • memory/2384-2-0x0000000004C10000-0x0000000004C50000-memory.dmp

          Filesize

          256KB

          Download

        • memory/2484-35-0x000000006E0A0000-0x000000006E64B000-memory.dmp

          Filesize

          5.7MB

          Download

        • memory/2484-42-0x0000000001C70000-0x0000000001CB0000-memory.dmp

          Filesize

          256KB

          Download

        • memory/2484-47-0x000000006E0A0000-0x000000006E64B000-memory.dmp

          Filesize

          5.7MB

          Download

        • memory/2484-39-0x000000006E0A0000-0x000000006E64B000-memory.dmp

          Filesize

          5.7MB

          Download

        • memory/2484-41-0x0000000001C70000-0x0000000001CB0000-memory.dmp

          Filesize

          256KB

          Download

        • memory/2484-37-0x0000000001C70000-0x0000000001CB0000-memory.dmp

          Filesize

          256KB

          Download

        • memory/2576-36-0x000000006E0A0000-0x000000006E64B000-memory.dmp

          Filesize

          5.7MB

          Download

        • memory/2576-40-0x0000000002660000-0x00000000026A0000-memory.dmp

          Filesize

          256KB

          Download

        • memory/2576-48-0x000000006E0A0000-0x000000006E64B000-memory.dmp

          Filesize

          5.7MB

          Download

        • memory/2576-46-0x0000000002660000-0x00000000026A0000-memory.dmp

          Filesize

          256KB

          Download

        • memory/2576-43-0x0000000002660000-0x00000000026A0000-memory.dmp

          Filesize

          256KB

          Download

        • memory/2576-38-0x000000006E0A0000-0x000000006E64B000-memory.dmp

          Filesize

          5.7MB

          Download