Analysis
- Max time kernel: 27s
- Max time network: 160s
- Platform: windows10-2004_x64
- Resource: win10v2004-20231020-en
- Resource tags: arch:x64, arch:x86, image:win10v2004-20231020-en, locale:en-us, os:windows10-2004-x64, system
- Submitted: 14-11-2023 10:38
Static task
- static1
Behavioral task: behavioral1
- Sample: NEAS.1d7069432d20883d8bf613e91d3a78de608bb7e7fa2b6daf1252e5da9a717ba2.exe
- Resource: win7-20231023-en
Behavioral task: behavioral2
- Sample: NEAS.1d7069432d20883d8bf613e91d3a78de608bb7e7fa2b6daf1252e5da9a717ba2.exe
- Resource: win10v2004-20231020-en
General
- Target: NEAS.1d7069432d20883d8bf613e91d3a78de608bb7e7fa2b6daf1252e5da9a717ba2.exe
- Size: 628KB
- MD5: 7eec1e611d996a5f2792c9778da882bc
- SHA1: 90b7ad77edd7e61499d8e0160490bce4c9366934
- SHA256: 1d7069432d20883d8bf613e91d3a78de608bb7e7fa2b6daf1252e5da9a717ba2
- SHA512: 3bcb54831392b6b6c0c976f4c9940590e0095d14859d02a639a0908ef131039d323f5601a142196c47e6d43f473f3fd8999b47c79f247380660e1eb413b91bea
- SSDEEP: 12288:QWOTNXc3hEunBAFnSuBVZ60SwMPAF98gb8X+SHucpVHGH:332uBqSu9FHMPAF76+SLVHG
Malware Config
Extracted: snakekeylogger
- Protocol: smtp
- Host: mail.alupanorama.com.my
- Port: 587
- Username: [email protected]
- Password: t9&KsFB5dPgV
- Email To: [email protected]
Signatures
- Snake Keylogger
  Keylogger and Infostealer first seen in November 2020.
- Snake Keylogger payload (1 IoC)
  Processes:
  resource | yara_rule
  behavioral2/memory/4952-26-0x0000000000400000-0x0000000000424000-memory.dmp | family_snakekeylogger
- Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes:
  flow | ioc
  37 | checkip.dyndns.org
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses (3 IoCs)
  Processes:
  pid | process
  1372 | NEAS.1d7069432d20883d8bf613e91d3a78de608bb7e7fa2b6daf1252e5da9a717ba2.exe
  1372 | NEAS.1d7069432d20883d8bf613e91d3a78de608bb7e7fa2b6daf1252e5da9a717ba2.exe
  1372 | NEAS.1d7069432d20883d8bf613e91d3a78de608bb7e7fa2b6daf1252e5da9a717ba2.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
  description | pid | process
  Token: SeDebugPrivilege | 1372 | NEAS.1d7069432d20883d8bf613e91d3a78de608bb7e7fa2b6daf1252e5da9a717ba2.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\NEAS.1d7069432d20883d8bf613e91d3a78de608bb7e7fa2b6daf1252e5da9a717ba2.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\NEAS.1d7069432d20883d8bf613e91d3a78de608bb7e7fa2b6daf1252e5da9a717ba2.exe"
  PID: 1372
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  Children:
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\NEAS.1d7069432d20883d8bf613e91d3a78de608bb7e7fa2b6daf1252e5da9a717ba2.exe"
    PID: 1784
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\PjzCeIhiuryZzE.exe"
    PID: 2340
  - C:\Users\Admin\AppData\Local\Temp\NEAS.1d7069432d20883d8bf613e91d3a78de608bb7e7fa2b6daf1252e5da9a717ba2.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\NEAS.1d7069432d20883d8bf613e91d3a78de608bb7e7fa2b6daf1252e5da9a717ba2.exe"
    PID: 4952
  - C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\PjzCeIhiuryZzE" /XML "C:\Users\Admin\AppData\Local\Temp\tmpF770.tmp"
    PID: 3228
    - Creates scheduled task(s)
Network
MITRE ATT&CK Enterprise v15
Downloads