Analysis
max time kernel: 119s
max time network: 126s
platform: windows7_x64
resource: win7-20231020-en
resource tags: arch:x64, arch:x86, image:win7-20231020-en, locale:en-us, os:windows7-x64, system
submitted: 27-11-2023 13:18
Static task: static1
Behavioral task: behavioral1
Sample: SecuriteInfo.com.W32.MSIL_Agent.FPI.gen.Eldorado.14269.8068.exe
Resource: win7-20231020-en
Behavioral task: behavioral2
Sample: SecuriteInfo.com.W32.MSIL_Agent.FPI.gen.Eldorado.14269.8068.exe
Resource: win10v2004-20231020-en
General
Target: SecuriteInfo.com.W32.MSIL_Agent.FPI.gen.Eldorado.14269.8068.exe
Size: 610KB
MD5: 77b7f764bde4a8e21a6e33ad9ef4af4b
SHA1: 4980100791fedd970187418ff5d021cdedf0443d
SHA256: 53ea1826e53406dcc0d0da1fccff25c5beb9deb6065cf554303aec609209bceb
SHA512: 46ec958c0bb054cdd9e98199499d69427df9d15a65908976271a7feba20e7f956c65ce40f9136992a03875d47b9f86c8b5dd089c7a963ba44573dc613221b2c7
SSDEEP: 12288:1Gezd7BR6wTsP5/ZFQdnkTyYITpDaFUUybAXnUWmz2f5Dfr:1GezpByvbvkWd
Malware Config
Extracted family: snakekeylogger
Protocol: smtp
Host: mail.belt-tech.com.my
Port: 587
Username: [email protected]
Password: Beltechpg@1234
Email To: [email protected]
Signatures
- Snake Keylogger
  Keylogger and infostealer first seen in November 2020.
- Snake Keylogger payload (7 IoCs)
  Processes (resource | yara_rule):
  behavioral1/memory/2608-23-0x0000000000400000-0x0000000000426000-memory.dmp | family_snakekeylogger
  behavioral1/memory/2608-24-0x0000000000400000-0x0000000000426000-memory.dmp | family_snakekeylogger
  behavioral1/memory/2608-27-0x0000000000400000-0x0000000000426000-memory.dmp | family_snakekeylogger
  behavioral1/memory/2608-29-0x0000000000400000-0x0000000000426000-memory.dmp | family_snakekeylogger
  behavioral1/memory/2608-31-0x0000000000400000-0x0000000000426000-memory.dmp | family_snakekeylogger
  behavioral1/memory/2708-36-0x0000000002230000-0x0000000002270000-memory.dmp | family_snakekeylogger
  behavioral1/memory/2608-39-0x0000000004D10000-0x0000000004D50000-memory.dmp | family_snakekeylogger
- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk, where infostealers will often target it.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses Microsoft Outlook profiles (1 TTPs, 3 IoCs)
  Processes (description | ioc | process):
  Key opened | \REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | SecuriteInfo.com.W32.MSIL_Agent.FPI.gen.Eldorado.14269.8068.exe
  Key opened | \REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | SecuriteInfo.com.W32.MSIL_Agent.FPI.gen.Eldorado.14269.8068.exe
  Key opened | \REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | SecuriteInfo.com.W32.MSIL_Agent.FPI.gen.Eldorado.14269.8068.exe
- Looks up external IP address via web service (1 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes (flow | ioc):
  4 | checkip.dyndns.org
- Suspicious use of SetThreadContext (1 IoCs)
  Processes (description | pid | process | target process):
  PID 1392 set thread context of 2608 | 1392 | SecuriteInfo.com.W32.MSIL_Agent.FPI.gen.Eldorado.14269.8068.exe | SecuriteInfo.com.W32.MSIL_Agent.FPI.gen.Eldorado.14269.8068.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses (9 IoCs)
  Processes (pid | process):
  1392 | SecuriteInfo.com.W32.MSIL_Agent.FPI.gen.Eldorado.14269.8068.exe (5 events)
  2608 | SecuriteInfo.com.W32.MSIL_Agent.FPI.gen.Eldorado.14269.8068.exe
  2708 | powershell.exe
  2852 | powershell.exe
  2608 | SecuriteInfo.com.W32.MSIL_Agent.FPI.gen.Eldorado.14269.8068.exe
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  Processes (description | pid | process):
  Token: SeDebugPrivilege | 1392 | SecuriteInfo.com.W32.MSIL_Agent.FPI.gen.Eldorado.14269.8068.exe
  Token: SeDebugPrivilege | 2608 | SecuriteInfo.com.W32.MSIL_Agent.FPI.gen.Eldorado.14269.8068.exe
  Token: SeDebugPrivilege | 2708 | powershell.exe
  Token: SeDebugPrivilege | 2852 | powershell.exe
- Suspicious use of WriteProcessMemory (21 IoCs)
  Processes (description | pid | process | target process | events):
  PID 1392 wrote to memory of 2708 | 1392 | SecuriteInfo.com.W32.MSIL_Agent.FPI.gen.Eldorado.14269.8068.exe | powershell.exe | 4
  PID 1392 wrote to memory of 2852 | 1392 | SecuriteInfo.com.W32.MSIL_Agent.FPI.gen.Eldorado.14269.8068.exe | powershell.exe | 4
  PID 1392 wrote to memory of 3016 | 1392 | SecuriteInfo.com.W32.MSIL_Agent.FPI.gen.Eldorado.14269.8068.exe | schtasks.exe | 4
  PID 1392 wrote to memory of 2608 | 1392 | SecuriteInfo.com.W32.MSIL_Agent.FPI.gen.Eldorado.14269.8068.exe | SecuriteInfo.com.W32.MSIL_Agent.FPI.gen.Eldorado.14269.8068.exe | 9
- outlook_office_path (1 IoCs)
  Processes (description | ioc | process):
  Key opened | \REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | SecuriteInfo.com.W32.MSIL_Agent.FPI.gen.Eldorado.14269.8068.exe
- outlook_win_path (1 IoCs)
  Processes (description | ioc | process):
  Key opened | \REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | SecuriteInfo.com.W32.MSIL_Agent.FPI.gen.Eldorado.14269.8068.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.W32.MSIL_Agent.FPI.gen.Eldorado.14269.8068.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.W32.MSIL_Agent.FPI.gen.Eldorado.14269.8068.exe"
  PID: 1392
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (depth 2)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.W32.MSIL_Agent.FPI.gen.Eldorado.14269.8068.exe"
    PID: 2708
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (depth 2)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\KwWEti.exe"
    PID: 2852
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\schtasks.exe (depth 2)
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\KwWEti" /XML "C:\Users\Admin\AppData\Local\Temp\tmp976F.tmp"
    PID: 3016
    - Creates scheduled task(s)
  - C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.W32.MSIL_Agent.FPI.gen.Eldorado.14269.8068.exe (depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.W32.MSIL_Agent.FPI.gen.Eldorado.14269.8068.exe"
    PID: 2608
    - Accesses Microsoft Outlook profiles
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 1KB
  MD5: c4b76941d53b24b3d81dad44c2d9fb86
  SHA1: f7880a6387137f7aed1e4dcd8b0fb4867eeca5d4
  SHA256: c498c978b7129348c5dcdf600645f9e4c7fe9ac3868f71c247d781932d65f471
  SHA512: 8a776dde1d23b53e8e714af9e4eeb5977a6855457df8132a96390db3f6aecfee5ffe5d0257246c71a97943d4621b04ce418f11ca4676af415816e08093580b73
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\QNATBQUO5ICATODPQMSH.temp
  Filesize: 7KB
  MD5: 4fac2d94d32c2fbda2acf3dfa13c9d9b
  SHA1: d3b42f244a4c870926b4dc1abbbebd36ba827fb7
  SHA256: afb6630b3cd7b2fb8c60d44d8da06845f8349494a46b696389ebea9d1b41afc8
  SHA512: 6ce0363077d68aec8e7d3be7956bd48fcd4509e816b27fd3c4d87807ce24f287f9539abda6ab32c753e81bf260857bc9af633ecb220e65a3e0dcbd717ec2d5ac
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
  Filesize: 7KB
  MD5: 4fac2d94d32c2fbda2acf3dfa13c9d9b
  SHA1: d3b42f244a4c870926b4dc1abbbebd36ba827fb7
  SHA256: afb6630b3cd7b2fb8c60d44d8da06845f8349494a46b696389ebea9d1b41afc8
  SHA512: 6ce0363077d68aec8e7d3be7956bd48fcd4509e816b27fd3c4d87807ce24f287f9539abda6ab32c753e81bf260857bc9af633ecb220e65a3e0dcbd717ec2d5ac