Overview

overview

10

Static

static

3

SecuriteIn...68.exe

windows7-x64

10

SecuriteIn...68.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    119s
  • max time network
    126s
  • platform
    windows7_x64
  • resource
    win7-20231020-en
  • resource tags

    arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
  • submitted
    27-11-2023 13:18

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    SecuriteInfo.com.W32.MSIL_Agent.FPI.gen.Eldorado.14269.8068.exe

  • Size

    610KB

  • MD5

    77b7f764bde4a8e21a6e33ad9ef4af4b

  • SHA1

    4980100791fedd970187418ff5d021cdedf0443d

  • SHA256

    53ea1826e53406dcc0d0da1fccff25c5beb9deb6065cf554303aec609209bceb

  • SHA512

    46ec958c0bb054cdd9e98199499d69427df9d15a65908976271a7feba20e7f956c65ce40f9136992a03875d47b9f86c8b5dd089c7a963ba44573dc613221b2c7

  • SSDEEP

    12288:1Gezd7BR6wTsP5/ZFQdnkTyYITpDaFUUybAXnUWmz2f5Dfr:1GezpByvbvkWd

Score
10/10
snakekeyloggercollectionkeyloggerspywarestealer

Malware Config

Extracted

Family

snakekeylogger

Credentials

Signatures

  • Snake Keylogger

    Keylogger and Infostealer first seen in November 2020.

    stealerkeyloggersnakekeylogger
  • Snake Keylogger payload 7 IoCs
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 9 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.W32.MSIL_Agent.FPI.gen.Eldorado.14269.8068.exe
    "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.W32.MSIL_Agent.FPI.gen.Eldorado.14269.8068.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1392
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.W32.MSIL_Agent.FPI.gen.Eldorado.14269.8068.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2708
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\KwWEti.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2852
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\KwWEti" /XML "C:\Users\Admin\AppData\Local\Temp\tmp976F.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:3016
    • C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.W32.MSIL_Agent.FPI.gen.Eldorado.14269.8068.exe
      "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.W32.MSIL_Agent.FPI.gen.Eldorado.14269.8068.exe"
      2⤵
      • Accesses Microsoft Outlook profiles
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • outlook_office_path
      • outlook_win_path
      PID:2608

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmp976F.tmp
    Filesize

    1KB

    MD5

    c4b76941d53b24b3d81dad44c2d9fb86

    SHA1

    f7880a6387137f7aed1e4dcd8b0fb4867eeca5d4

    SHA256

    c498c978b7129348c5dcdf600645f9e4c7fe9ac3868f71c247d781932d65f471

    SHA512

    8a776dde1d23b53e8e714af9e4eeb5977a6855457df8132a96390db3f6aecfee5ffe5d0257246c71a97943d4621b04ce418f11ca4676af415816e08093580b73

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\QNATBQUO5ICATODPQMSH.temp
    Filesize

    7KB

    MD5

    4fac2d94d32c2fbda2acf3dfa13c9d9b

    SHA1

    d3b42f244a4c870926b4dc1abbbebd36ba827fb7

    SHA256

    afb6630b3cd7b2fb8c60d44d8da06845f8349494a46b696389ebea9d1b41afc8

    SHA512

    6ce0363077d68aec8e7d3be7956bd48fcd4509e816b27fd3c4d87807ce24f287f9539abda6ab32c753e81bf260857bc9af633ecb220e65a3e0dcbd717ec2d5ac

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
    Filesize

    7KB

    MD5

    4fac2d94d32c2fbda2acf3dfa13c9d9b

    SHA1

    d3b42f244a4c870926b4dc1abbbebd36ba827fb7

    SHA256

    afb6630b3cd7b2fb8c60d44d8da06845f8349494a46b696389ebea9d1b41afc8

    SHA512

    6ce0363077d68aec8e7d3be7956bd48fcd4509e816b27fd3c4d87807ce24f287f9539abda6ab32c753e81bf260857bc9af633ecb220e65a3e0dcbd717ec2d5ac

    Download Submit

  • memory/1392-3-0x00000000004C0000-0x00000000004DA000-memory.dmp

    Filesize

    104KB

    Download

  • memory/1392-4-0x00000000003B0000-0x00000000003B8000-memory.dmp

    Filesize

    32KB

    Download

  • memory/1392-5-0x00000000003D0000-0x00000000003DA000-memory.dmp

    Filesize

    40KB

    Download

  • memory/1392-6-0x0000000002020000-0x0000000002096000-memory.dmp

    Filesize

    472KB

    Download

  • memory/1392-7-0x0000000074340000-0x0000000074A2E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/1392-0-0x00000000009B0000-0x0000000000A4E000-memory.dmp

    Filesize

    632KB

    Download

  • memory/1392-2-0x0000000004DB0000-0x0000000004DF0000-memory.dmp

    Filesize

    256KB

    Download

  • memory/1392-1-0x0000000074340000-0x0000000074A2E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/1392-20-0x0000000004DB0000-0x0000000004DF0000-memory.dmp

    Filesize

    256KB

    Download

  • memory/1392-32-0x0000000074340000-0x0000000074A2E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2608-25-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2608-39-0x0000000004D10000-0x0000000004D50000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2608-24-0x0000000000400000-0x0000000000426000-memory.dmp

    Filesize

    152KB

    Download

  • memory/2608-22-0x0000000000400000-0x0000000000426000-memory.dmp

    Filesize

    152KB

    Download

  • memory/2608-27-0x0000000000400000-0x0000000000426000-memory.dmp

    Filesize

    152KB

    Download

  • memory/2608-29-0x0000000000400000-0x0000000000426000-memory.dmp

    Filesize

    152KB

    Download

  • memory/2608-31-0x0000000000400000-0x0000000000426000-memory.dmp

    Filesize

    152KB

    Download

  • memory/2608-21-0x0000000000400000-0x0000000000426000-memory.dmp

    Filesize

    152KB

    Download

  • memory/2608-33-0x0000000074340000-0x0000000074A2E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2608-46-0x0000000004D10000-0x0000000004D50000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2608-45-0x0000000074340000-0x0000000074A2E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2608-23-0x0000000000400000-0x0000000000426000-memory.dmp

    Filesize

    152KB

    Download

  • memory/2708-36-0x0000000002230000-0x0000000002270000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2708-37-0x000000006F3E0000-0x000000006F98B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2708-40-0x0000000002230000-0x0000000002270000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2708-42-0x0000000002230000-0x0000000002270000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2708-44-0x000000006F3E0000-0x000000006F98B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2708-35-0x000000006F3E0000-0x000000006F98B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2852-38-0x000000006F3E0000-0x000000006F98B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2852-41-0x00000000025A0000-0x00000000025E0000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2852-43-0x000000006F3E0000-0x000000006F98B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2852-34-0x000000006F3E0000-0x000000006F98B000-memory.dmp

    Filesize

    5.7MB

    Download