Analysis
-
max time kernel
142s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20231020-en -
resource tags
arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system -
submitted
27-11-2023 11:09
Static task
static1
Behavioral task
behavioral1
Sample
Contract.exe
Resource
win7-20231023-en
Behavioral task
behavioral2
Sample
Contract.exe
Resource
win10v2004-20231020-en
General
-
Target
Contract.exe
-
Size
635KB
-
MD5
dd93d84341928fb925e5446b3795cae2
-
SHA1
60b1c23aa28efb711fce60e82a389635e5e6bbc8
-
SHA256
fe2ed4220640da4d6e2e1e89e4a0dcc0bb67aaa2905b22276fc8a31ed65ea9e3
-
SHA512
dfdb35755c63180819f38a0693d6d6bcfc564c8448d15be135f84bd7e7f364d3fe7169bb28e07f0e40fe92f9094ccf2c63bc27768ecf001380922fcb23595987
-
SSDEEP
12288:pzeMMXRqdK/hWGJG/klXwWFynxWh7OPY6ilWG1gjd7BR6wT:pzeMSREydw/asAhGe/opB
Malware Config
Extracted
snakekeylogger
Protocol: smtp- Host:
mail.mct2.co.za - Port:
587 - Username:
[email protected] - Password:
00000
Signatures
-
Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
-
Snake Keylogger payload 1 IoCs
Processes:
resource yara_rule behavioral2/memory/2992-12-0x0000000000400000-0x0000000000424000-memory.dmp family_snakekeylogger -
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
Processes:
Contract.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Contract.exe Key opened \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Contract.exe Key opened \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Contract.exe -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 17 checkip.dyndns.org -
Suspicious use of SetThreadContext 1 IoCs
Processes:
Contract.exedescription pid process target process PID 740 set thread context of 2992 740 Contract.exe Contract.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
Contract.exepid process 2992 Contract.exe 2992 Contract.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
Contract.exedescription pid process Token: SeDebugPrivilege 2992 Contract.exe -
Suspicious use of WriteProcessMemory 8 IoCs
Processes:
Contract.exedescription pid process target process PID 740 wrote to memory of 2992 740 Contract.exe Contract.exe PID 740 wrote to memory of 2992 740 Contract.exe Contract.exe PID 740 wrote to memory of 2992 740 Contract.exe Contract.exe PID 740 wrote to memory of 2992 740 Contract.exe Contract.exe PID 740 wrote to memory of 2992 740 Contract.exe Contract.exe PID 740 wrote to memory of 2992 740 Contract.exe Contract.exe PID 740 wrote to memory of 2992 740 Contract.exe Contract.exe PID 740 wrote to memory of 2992 740 Contract.exe Contract.exe -
outlook_office_path 1 IoCs
Processes:
Contract.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Contract.exe -
outlook_win_path 1 IoCs
Processes:
Contract.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Contract.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\Contract.exe"C:\Users\Admin\AppData\Local\Temp\Contract.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:740 -
C:\Users\Admin\AppData\Local\Temp\Contract.exe"C:\Users\Admin\AppData\Local\Temp\Contract.exe"2⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:2992
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD58cb8dbbb019a535fe00246c7afdb4270
SHA17d4fd9f302e4fc68a6fc3f95f0513c471ebfbb50
SHA2562c4f3f1d603c33e8410ce061380ec7a1772db21bdc4b01d3ca4067500a391f86
SHA512abc0cc34903b4d91f9f48ced799ee8019dcaa52f852e2b33cab42e92c3fd80a4ff2c71c12734836288c26165a77daa60badb6f0cc45ee8b6e1b431d3b1952a44