Analysis

max time kernel: 127s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20231020-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231020-en, locale:en-us, os:windows10-2004-x64, system
submitted: 20-11-2023 14:55
Static task: static1

Behavioral task: behavioral1
  Sample: cargo details.exe
  Resource: win7-20231023-en

Behavioral task: behavioral2
  Sample: cargo details.exe
  Resource: win10v2004-20231020-en
General

Target: cargo details.exe
Size: 356KB
MD5: c6e93bb1fe3776c6fab7c4dbf5ad9aa7
SHA1: 9c8101b401864743b197029a2ceb97dcb4dc8a27
SHA256: 2c5edc6480fe0c2912dd55fcd4d63c494e425c7466ce5655e1ebc076a0d8d389
SHA512: 8f4e99d17ba28e12df64be1a25c8c0c30bc52cee79b1952b813a6d4c264fcf14e96ba7c430a2f4724d7081cf827bd5dcf319ffdf01096c91ad63ce35802fdaf5
SSDEEP: 6144:KGml3pBvuZ3UAwhUWsnC93yYkBxG8Vm5Lmv/tXGAunkc8sUnerSXE:KGml5B2BUJACxyvBxnHv/t2Ask3ng
Malware Config
Signatures
Snake Keylogger
  Keylogger and Infostealer first seen in November 2020.

Snake Keylogger payload (1 IoC)
  Processes:
    resource: behavioral2/memory/212-8-0x0000000000400000-0x0000000000424000-memory.dmp
    yara_rule: family_snakekeylogger

Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk where infostealers will often target it.

Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
  Processes: cargo details.exe
    description: Key opened
    ioc: \REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
    process: cargo details.exe

    description: Key opened
    ioc: \REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
    process: cargo details.exe

    description: Key opened
    ioc: \REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
    process: cargo details.exe

Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes:
    flow: 8
    ioc: checkip.dyndns.org

Suspicious use of SetThreadContext (1 IoC)
  Processes: cargo details.exe
    description: PID 1864 set thread context of 212
    pid: 1864
    process: cargo details.exe
    target process: cargo details.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes: cargo details.exe
    pid: 212, process: cargo details.exe
    pid: 212, process: cargo details.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes: cargo details.exe
    description: Token: SeDebugPrivilege
    pid: 212
    process: cargo details.exe

Suspicious use of WriteProcessMemory (8 IoCs)
  Processes: cargo details.exe
    8 identical entries:
    description: PID 1864 wrote to memory of 212
    pid: 1864
    process: cargo details.exe
    target process: cargo details.exe

outlook_office_path (1 IoC)
  Processes: cargo details.exe
    description: Key opened
    ioc: \REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
    process: cargo details.exe

outlook_win_path (1 IoC)
  Processes: cargo details.exe
    description: Key opened
    ioc: \REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
    process: cargo details.exe
Processes

C:\Users\Admin\AppData\Local\Temp\cargo details.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\cargo details.exe"
  PID: 1864
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\cargo details.exe (child of PID 1864)
    Command line: "C:\Users\Admin\AppData\Local\Temp\cargo details.exe"
    PID: 212
    - Accesses Microsoft Outlook profiles
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 706B
MD5: f8bcaf312de8591707436c1dcebba8e4
SHA1: a1269828e5f644601622f4a7a611aec8f2eda0b2
SHA256: f0f5a90777c70cdceea22bd66b33c1703a318acc45cb012d0b01585a1ac12b29
SHA512: 3a714f5950584abbc94a27bbd4623bfc5acb1135c8c9fca4d74e70c8481b71ace7dbc1dfbf101dd07c76a050acfb4852f31dd57fc7ae196382336c5edc9e6413