Analysis
max time kernel
121s
max time network
125s
platform
windows7_x64
resource
win7-20231023-en
resource tags
arch:x64, arch:x86, image:win7-20231023-en, locale:en-us, os:windows7-x64, system
submitted
04-12-2023 17:33
Static task
static1
Behavioral task
behavioral1
Sample
AWB5331810761.exe
Resource
win7-20231023-en
Behavioral task
behavioral2
Sample
AWB5331810761.exe
Resource
win10v2004-20231127-en
General
Target
AWB5331810761.exe
Size
517KB
MD5
fa7c160068137a6169be8bcaa00e408c
SHA1
8028763154b40c81ae85eb6dbf1dcc7d834b96d3
SHA256
dd85a193900788d9b13eabcaa02085cdf8a72cb5d3d4e3444ec1bd741c6721f2
SHA512
ae5dc7d46f154eb7db4da0f6a3db098c7cd51e49a8905facb340a76f3b9be335d3d909cd70f1d337da8dfa541c0bf8202cedcb3c3598ff755b1ee64aa6a88e79
SSDEEP
12288:Y45+po2MokrGa1hhBJx6/X3lmz3rIcjM6/oJXG:b+pJ+Ka/hBj6/HQJj9/O
Malware Config
Signatures
Snake Keylogger
Keylogger and Infostealer first seen in November 2020.

Snake Keylogger payload (6 IoCs)
Memory regions matching YARA rule family_snakekeylogger:
behavioral1/memory/2636-21-0x0000000000400000-0x0000000000426000-memory.dmp
behavioral1/memory/2636-23-0x0000000000400000-0x0000000000426000-memory.dmp
behavioral1/memory/2636-27-0x0000000000400000-0x0000000000426000-memory.dmp
behavioral1/memory/2636-29-0x0000000000400000-0x0000000000426000-memory.dmp
behavioral1/memory/2636-31-0x0000000000400000-0x0000000000426000-memory.dmp
behavioral1/memory/2032-38-0x0000000002510000-0x0000000002550000-memory.dmp

Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
flow 4: checkip.dyndns.org

Suspicious use of SetThreadContext (1 IoC)
PID 3008 (AWB5331810761.exe) set thread context of 2636 (AWB5331810761.exe)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.

Suspicious behavior: EnumeratesProcesses (2 IoCs)
PID 2636 AWB5331810761.exe
PID 2032 powershell.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
Token: SeDebugPrivilege, PID 2636 AWB5331810761.exe
Token: SeDebugPrivilege, PID 2032 powershell.exe

Suspicious use of WriteProcessMemory (17 IoCs)
PID 3008 (AWB5331810761.exe) wrote to memory of 2032 (powershell.exe): 4 events
PID 3008 (AWB5331810761.exe) wrote to memory of 1200 (schtasks.exe): 4 events
PID 3008 (AWB5331810761.exe) wrote to memory of 2636 (AWB5331810761.exe): 9 events
Processes
C:\Users\Admin\AppData\Local\Temp\AWB5331810761.exe (PID 3008)
  Command line: "C:\Users\Admin\AppData\Local\Temp\AWB5331810761.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 2032, child of 3008)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\eNITHBbuHQIef.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  C:\Windows\SysWOW64\schtasks.exe (PID 1200, child of 3008)
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eNITHBbuHQIef" /XML "C:\Users\Admin\AppData\Local\Temp\tmp2240.tmp"
    - Creates scheduled task(s)
  C:\Users\Admin\AppData\Local\Temp\AWB5331810761.exe (PID 2636, child of 3008)
    Command line: "C:\Users\Admin\AppData\Local\Temp\AWB5331810761.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
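The tree above is a compact, reusable detection pattern: the sample adds a Defender exclusion for a path under %APPDATA% with Add-MpPreference, registers a scheduled task from an XML file staged in the user's Temp directory (task name Updates\eNITHBbuHQIef, matching the excluded file name), spawns a second copy of itself, writes into it nine times and then calls SetThreadContext (the write-then-resume sequence of process hollowing, consistent with the Snake Keylogger YARA hits at 0x400000 in PID 2636), and resolves checkip.dyndns.org. The SysWOW64 image paths against System32 in the command lines are WOW64 file-system redirection for a 32-bit parent (the resource is tagged arch:x86 as well as arch:x64). The Python below is an added example for this write-up, not sandbox output or code from the sample; its event records are constructed from the tables in this report, and the pid/ppid/image/cmdline and source/target-pid field layout is an assumed Sysmon-like schema, not any product's real format. It generalises slightly beyond the page by matching any -Exclusion* parameter of Add-MpPreference and a few extra well-known public IP-echo hosts.

```python
"""Detections for the execution chain in this report (added example, not sandbox code).
Event records below are constructed from the report's process tree and signature tables;
the field layout (pid, ppid, image, cmdline, source/target pid) is an assumed Sysmon-like schema."""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    pid: int
    ppid: int       # 0 = parent not recorded (assumed for the root process)
    image: str
    cmdline: str


@dataclass
class ThreadCtxEvent:
    source_pid: int
    target_pid: int


# Constructed from the "Processes" tree above (paths and arguments as reported).
PROC_EVENTS = [
    ProcEvent(3008, 0, r"C:\Users\Admin\AppData\Local\Temp\AWB5331810761.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\AWB5331810761.exe"'),
    ProcEvent(2032, 3008, r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
              r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference '
              r'-ExclusionPath "C:\Users\Admin\AppData\Roaming\eNITHBbuHQIef.exe"'),
    ProcEvent(1200, 3008, r"C:\Windows\SysWOW64\schtasks.exe",
              r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eNITHBbuHQIef" '
              r'/XML "C:\Users\Admin\AppData\Local\Temp\tmp2240.tmp"'),
    ProcEvent(2636, 3008, r"C:\Users\Admin\AppData\Local\Temp\AWB5331810761.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\AWB5331810761.exe"'),
]
THREAD_CTX_EVENTS = [ThreadCtxEvent(3008, 2636)]   # from the SetThreadContext signature
DNS_QUERIES = ["checkip.dyndns.org"]               # from the external-IP-lookup signature (flow 4)

# The report shows only checkip.dyndns.org; the other hosts are well-known public IP-echo
# services added here to generalise the check.
IP_LOOKUP_HOSTS = {"checkip.dyndns.org", "api.ipify.org", "icanhazip.com", "ifconfig.me"}
USER_TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)


def tokenize(cmdline: str) -> list[str]:
    """Split a Windows command line on whitespace, honouring double quotes
    (shlex.split would eat the backslashes in the paths)."""
    return [q if q else bare for q, bare in re.findall(r'"([^"]*)"|(\S+)', cmdline)]


def arg_after(toks: list[str], flag: str) -> str | None:
    """Value following a case-insensitive flag such as /TN, or None if absent."""
    low = [t.lower() for t in toks]
    i = low.index(flag.lower()) if flag.lower() in low else -1
    return toks[i + 1] if 0 <= i < len(toks) - 1 else None


def find_defender_exclusions(events):
    """PowerShell Add-MpPreference with an -Exclusion* parameter -> (pid, excluded value)."""
    hits = []
    for ev in events:
        toks = tokenize(ev.cmdline)
        low = [t.lower() for t in toks]
        if not ev.image.lower().endswith("powershell.exe") or "add-mppreference" not in low:
            continue
        # PowerShell accepts any unambiguous prefix of a parameter name, so match the prefix.
        hits += [(ev.pid, toks[i + 1]) for i, t in enumerate(low[:-1]) if t.startswith("-exclusion")]
    return hits


def find_xml_task_registrations(events):
    """schtasks /Create /XML with the task definition staged in the user's Temp dir -> (pid, name, xml)."""
    hits = []
    for ev in events:
        toks = tokenize(ev.cmdline)
        low = [t.lower() for t in toks]
        if not ev.image.lower().endswith("schtasks.exe") or "/create" not in low:
            continue
        xml = arg_after(toks, "/xml")
        if xml and USER_TEMP_RE.search(xml):
            hits.append((ev.pid, arg_after(toks, "/tn"), xml))
    return hits


def find_self_hollowing(events, ctx_events):
    """Parent sets the thread context of a child running its own image: the resume step of
    process hollowing (spawn suspended copy, overwrite it, SetThreadContext) -> (ppid, pid, image)."""
    by_pid = {ev.pid: ev for ev in events}
    hits = []
    for ctx in ctx_events:
        src, dst = by_pid.get(ctx.source_pid), by_pid.get(ctx.target_pid)
        if src and dst and dst.ppid == src.pid and dst.image.lower() == src.image.lower():
            hits.append((src.pid, dst.pid, src.image))
    return hits


def find_ip_lookups(queries):
    """DNS names that match known external-IP echo services."""
    return sorted({q.lower() for q in queries} & IP_LOOKUP_HOSTS)


if __name__ == "__main__":
    print("Defender exclusions:", find_defender_exclusions(PROC_EVENTS))
    print("Tasks from Temp XML:", find_xml_task_registrations(PROC_EVENTS))
    print("Self-hollowing:", find_self_hollowing(PROC_EVENTS, THREAD_CTX_EVENTS))
    print("External IP lookups:", find_ip_lookups(DNS_QUERIES))
```

The hollowing check deliberately requires the child to share the parent's image, which is what this report shows; a variant that hollows a different binary (a spawned .NET utility, for instance) would need that image comparison relaxed to "any SetThreadContext on a child the source process created". The Defender-exclusion and schtasks checks key on the command line, so they still fire if the sample renames itself, but not if it sets the exclusion through WMI or the MpPreference registry keys instead of PowerShell.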
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize
1KB
MD5
647952fc2582de8e819c217a201b4251
SHA1
409de7ba5c02d9713af10351de550e853673a8cb
SHA256
d99c2c25dc7075a4f53100eeb4863dd8d38c5ad7c3a740a34ca74e0322e5ac55
SHA512
988acb6b1635b19764f7fcad3678b79ee2f4deb4b9e35954d8b174b97a43e572a30139f5682b058fc87036e993b7fcbca59aaf6b1aa97ddb7b10ac020acfe881