Analysis
-
max time kernel
143s -
max time network
148s -
platform
windows10-2004_x64 -
resource
win10v2004-20231130-en -
resource tags
arch:x64arch:x86image:win10v2004-20231130-enlocale:en-usos:windows10-2004-x64system -
submitted
05-12-2023 06:22
Static task
static1
Behavioral task
behavioral1
Sample
PI.exe
Resource
win7-20231201-en
Behavioral task
behavioral2
Sample
PI.exe
Resource
win10v2004-20231130-en
General
-
Target
PI.exe
-
Size
587KB
-
MD5
7bd84364839005d2ed7244767b8a6b43
-
SHA1
c059a07d693a63f04c683bbfc10c9ff0d48c32dd
-
SHA256
2a8e0ce38c434c439f20c577a430907b303aa67a412d7c8ef22c8c41b4646733
-
SHA512
729a3976b3d281173b6f502f1507636b75e041b067ff26caec659b5fb074619287b30fc5e0e9086bd732b4980808e05b893ae7e41cd8f0dd387a7ee7b82fecc7
-
SSDEEP
12288:+ll5nF8EEmhXTaMWPaGlTZ/VwzamlVJZoouagzQMPW04dqrlbKaw:gllEMDaBZKum7roouagEMO0HhbKaw
Malware Config
Signatures
-
Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
-
Snake Keylogger payload 2 IoCs
Processes:
resource yara_rule behavioral2/memory/2140-11-0x0000000000400000-0x0000000000426000-memory.dmp family_snakekeylogger behavioral2/memory/2140-15-0x00000000055E0000-0x00000000055F0000-memory.dmp family_snakekeylogger -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 5 checkip.dyndns.org -
Suspicious use of SetThreadContext 1 IoCs
Processes:
PI.exedescription pid process target process PID 4952 set thread context of 2140 4952 PI.exe RegSvcs.exe -
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target process target process 964 2140 WerFault.exe RegSvcs.exe -
Suspicious behavior: EnumeratesProcesses 5 IoCs
Processes:
PI.exeRegSvcs.exepid process 4952 PI.exe 4952 PI.exe 4952 PI.exe 4952 PI.exe 2140 RegSvcs.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
PI.exeRegSvcs.exedescription pid process Token: SeDebugPrivilege 4952 PI.exe Token: SeDebugPrivilege 2140 RegSvcs.exe -
Suspicious use of WriteProcessMemory 14 IoCs
Processes:
PI.exedescription pid process target process PID 4952 wrote to memory of 3900 4952 PI.exe RegSvcs.exe PID 4952 wrote to memory of 3900 4952 PI.exe RegSvcs.exe PID 4952 wrote to memory of 3900 4952 PI.exe RegSvcs.exe PID 4952 wrote to memory of 1124 4952 PI.exe RegSvcs.exe PID 4952 wrote to memory of 1124 4952 PI.exe RegSvcs.exe PID 4952 wrote to memory of 1124 4952 PI.exe RegSvcs.exe PID 4952 wrote to memory of 2140 4952 PI.exe RegSvcs.exe PID 4952 wrote to memory of 2140 4952 PI.exe RegSvcs.exe PID 4952 wrote to memory of 2140 4952 PI.exe RegSvcs.exe PID 4952 wrote to memory of 2140 4952 PI.exe RegSvcs.exe PID 4952 wrote to memory of 2140 4952 PI.exe RegSvcs.exe PID 4952 wrote to memory of 2140 4952 PI.exe RegSvcs.exe PID 4952 wrote to memory of 2140 4952 PI.exe RegSvcs.exe PID 4952 wrote to memory of 2140 4952 PI.exe RegSvcs.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\PI.exe"C:\Users\Admin\AppData\Local\Temp\PI.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4952 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"2⤵PID:3900
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"2⤵PID:1124
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2140 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2140 -s 14083⤵
- Program crash
PID:964
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 2140 -ip 21401⤵PID:1228