Analysis
- max time kernel: 121s
- max time network: 121s
- platform: windows7_x64
- resource: win7-20231129-en
- resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
- submitted: 02-12-2023 09:37
Static task: static1
Behavioral task: behavioral1
  Sample: 1ab6ad1baf7099b79f78d5cc575dc08d33320b1f607b6fa038432c3a27fb2dfd.exe
  Resource: win7-20231129-en
Behavioral task: behavioral2
  Sample: 1ab6ad1baf7099b79f78d5cc575dc08d33320b1f607b6fa038432c3a27fb2dfd.exe
  Resource: win10v2004-20231130-en
General
- Target: 1ab6ad1baf7099b79f78d5cc575dc08d33320b1f607b6fa038432c3a27fb2dfd.exe
- Size: 609KB
- MD5: fe03b712d2e463fdeb67f9f9f2d98fc9
- SHA1: d978aed329e47d47791e13f31fc4aa823e545f89
- SHA256: 1ab6ad1baf7099b79f78d5cc575dc08d33320b1f607b6fa038432c3a27fb2dfd
- SHA512: 170ca520c7a9489f8245ae18fb3fa5aa7bc1441d183daa4f72e34a3bbbd393ca46427c25a3809fd805c19348eebf880f1b51c4c147b0ddeac8f1aad02fcd3a03
- SSDEEP: 12288:hMdIt/5J/tXcPl1RWLDmJr4YoKnE5ZrZ4YIfjwIF7:iWBJZ0lSuEbT5ZrlI7ws7
Malware Config
Signatures
- Snake Keylogger
  Keylogger and Infostealer first seen in November 2020.
- Snake Keylogger payload (6 IoCs)
  Processes:
  resource | yara_rule
  behavioral1/memory/2680-18-0x0000000000400000-0x0000000000426000-memory.dmp | family_snakekeylogger
  behavioral1/memory/2680-19-0x0000000000400000-0x0000000000426000-memory.dmp | family_snakekeylogger
  behavioral1/memory/2680-22-0x0000000000400000-0x0000000000426000-memory.dmp | family_snakekeylogger
  behavioral1/memory/2680-24-0x0000000000400000-0x0000000000426000-memory.dmp | family_snakekeylogger
  behavioral1/memory/2680-27-0x0000000000400000-0x0000000000426000-memory.dmp | family_snakekeylogger
  behavioral1/memory/2920-29-0x00000000026B0000-0x00000000026F0000-memory.dmp | family_snakekeylogger
- Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes:
  flow | ioc
  4 | checkip.dyndns.org
- Suspicious use of SetThreadContext (1 IoC)
  Processes: 1ab6ad1baf7099b79f78d5cc575dc08d33320b1f607b6fa038432c3a27fb2dfd.exe
  description | pid | process | target process
  PID 2792 set thread context of 2680 | 2792 | 1ab6ad1baf7099b79f78d5cc575dc08d33320b1f607b6fa038432c3a27fb2dfd.exe | 1ab6ad1baf7099b79f78d5cc575dc08d33320b1f607b6fa038432c3a27fb2dfd.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Program crash (1 IoC)
  Processes: WerFault.exe
  pid | pid_target | process | target process
  2492 | 2680 | WerFault.exe | 1ab6ad1baf7099b79f78d5cc575dc08d33320b1f607b6fa038432c3a27fb2dfd.exe
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes: 1ab6ad1baf7099b79f78d5cc575dc08d33320b1f607b6fa038432c3a27fb2dfd.exe, powershell.exe
  pid | process
  2680 | 1ab6ad1baf7099b79f78d5cc575dc08d33320b1f607b6fa038432c3a27fb2dfd.exe
  2920 | powershell.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes: 1ab6ad1baf7099b79f78d5cc575dc08d33320b1f607b6fa038432c3a27fb2dfd.exe, powershell.exe
  description | pid | process
  Token: SeDebugPrivilege | 2680 | 1ab6ad1baf7099b79f78d5cc575dc08d33320b1f607b6fa038432c3a27fb2dfd.exe
  Token: SeDebugPrivilege | 2920 | powershell.exe
- Suspicious use of WriteProcessMemory (21 IoCs)
  Processes: 1ab6ad1baf7099b79f78d5cc575dc08d33320b1f607b6fa038432c3a27fb2dfd.exe (PID 2792), 1ab6ad1baf7099b79f78d5cc575dc08d33320b1f607b6fa038432c3a27fb2dfd.exe (PID 2680)
  description | pid | process | target process | entries
  PID 2792 wrote to memory of 2920 | 2792 | 1ab6ad1baf7099b79f78d5cc575dc08d33320b1f607b6fa038432c3a27fb2dfd.exe | powershell.exe | 4
  PID 2792 wrote to memory of 1884 | 2792 | 1ab6ad1baf7099b79f78d5cc575dc08d33320b1f607b6fa038432c3a27fb2dfd.exe | schtasks.exe | 4
  PID 2792 wrote to memory of 2680 | 2792 | 1ab6ad1baf7099b79f78d5cc575dc08d33320b1f607b6fa038432c3a27fb2dfd.exe | 1ab6ad1baf7099b79f78d5cc575dc08d33320b1f607b6fa038432c3a27fb2dfd.exe | 9
  PID 2680 wrote to memory of 2492 | 2680 | 1ab6ad1baf7099b79f78d5cc575dc08d33320b1f607b6fa038432c3a27fb2dfd.exe | WerFault.exe | 4
Processes
- C:\Users\Admin\AppData\Local\Temp\1ab6ad1baf7099b79f78d5cc575dc08d33320b1f607b6fa038432c3a27fb2dfd.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\1ab6ad1baf7099b79f78d5cc575dc08d33320b1f607b6fa038432c3a27fb2dfd.exe"
  PID: 2792
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (level 2)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\DTeVcECl.exe"
    PID: 2920
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\schtasks.exe (level 2)
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\DTeVcECl" /XML "C:\Users\Admin\AppData\Local\Temp\tmp70FB.tmp"
    PID: 1884
    - Creates scheduled task(s)
  - C:\Users\Admin\AppData\Local\Temp\1ab6ad1baf7099b79f78d5cc575dc08d33320b1f607b6fa038432c3a27fb2dfd.exe (level 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\1ab6ad1baf7099b79f78d5cc575dc08d33320b1f607b6fa038432c3a27fb2dfd.exe"
    PID: 2680
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\WerFault.exe (level 3)
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2680 -s 1080
      PID: 2492
      - Program crash
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 1KB
  MD5: 04db7aadb4725455c541a2f7e7b1dc31
  SHA1: 8f417008a5fa627b1f689e6c8b8dffe383768084
  SHA256: 9dbe00592a25385949d3e2994252973d8ea71aae64be6e2ac8073b1eb4c3109c
  SHA512: a7c19df6bbcacac70cea9c9d9cc6cf8e7355660b06814c012e9c9b0dca753329ef7aabbf44f6c8f052b3eb7c15dad9878e76e32660bc7173a424ad6527835238