snakekeylogger | 9faa00d302e72c01005093ba1f4338153747d2f6564922313fb720df0afb7fbe

Analysis

max time kernel
143s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20231130-en
resource tags

arch:x64arch:x86image:win10v2004-20231130-enlocale:en-usos:windows10-2004-x64system
submitted
05-12-2023 06:22

Target

PI.exe
Size

587KB
MD5

7bd84364839005d2ed7244767b8a6b43
SHA1

c059a07d693a63f04c683bbfc10c9ff0d48c32dd
SHA256

2a8e0ce38c434c439f20c577a430907b303aa67a412d7c8ef22c8c41b4646733
SHA512

729a3976b3d281173b6f502f1507636b75e041b067ff26caec659b5fb074619287b30fc5e0e9086bd732b4980808e05b893ae7e41cd8f0dd387a7ee7b82fecc7
SSDEEP

12288:+ll5nF8EEmhXTaMWPaGlTZ/VwzamlVJZoouagzQMPW04dqrlbKaw:gllEMDaBZKum7roouagEMO0HhbKaw

Score

10^/10

Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
stealer keylogger snakekeylogger

Snake Keylogger payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2140-11-0x0000000000400000-0x0000000000426000-memory.dmp	family_snakekeylogger
behavioral2/memory/2140-15-0x00000000055E0000-0x00000000055F0000-memory.dmp	family_snakekeylogger

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

5 checkip.dyndns.org
Suspicious use of SetThreadContext 1 IoCs

Processes:

PI.exe

description pid process target process

PID 4952 set thread context of 2140 4952 PI.exe RegSvcs.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

964 2140 WerFault.exe RegSvcs.exe
Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

PI.exeRegSvcs.exe

pid process

4952 PI.exe
4952 PI.exe
4952 PI.exe
4952 PI.exe
2140 RegSvcs.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

PI.exeRegSvcs.exe

description pid process

Token: SeDebugPrivilege 4952 PI.exe
Token: SeDebugPrivilege 2140 RegSvcs.exe

flow	ioc
5	checkip.dyndns.org

description	pid	process	target process
PID 4952 set thread context of 2140	4952	PI.exe	RegSvcs.exe

pid	pid_target	process	target process
964	2140	WerFault.exe	RegSvcs.exe

description	pid	process
Token: SeDebugPrivilege	4952	PI.exe
Token: SeDebugPrivilege	2140	RegSvcs.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

PI.exe

description	pid	process	target process
PID 4952 wrote to memory of 3900	4952	PI.exe	RegSvcs.exe
PID 4952 wrote to memory of 3900	4952	PI.exe	RegSvcs.exe
PID 4952 wrote to memory of 3900	4952	PI.exe	RegSvcs.exe
PID 4952 wrote to memory of 1124	4952	PI.exe	RegSvcs.exe
PID 4952 wrote to memory of 1124	4952	PI.exe	RegSvcs.exe
PID 4952 wrote to memory of 1124	4952	PI.exe	RegSvcs.exe
PID 4952 wrote to memory of 2140	4952	PI.exe	RegSvcs.exe
PID 4952 wrote to memory of 2140	4952	PI.exe	RegSvcs.exe
PID 4952 wrote to memory of 2140	4952	PI.exe	RegSvcs.exe
PID 4952 wrote to memory of 2140	4952	PI.exe	RegSvcs.exe
PID 4952 wrote to memory of 2140	4952	PI.exe	RegSvcs.exe
PID 4952 wrote to memory of 2140	4952	PI.exe	RegSvcs.exe
PID 4952 wrote to memory of 2140	4952	PI.exe	RegSvcs.exe
PID 4952 wrote to memory of 2140	4952	PI.exe	RegSvcs.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
2⤵
PID:3900

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
2⤵
PID:1124

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2140 -s 1408
3⤵
- Program crash
PID:964

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 2140 -ip 2140
1⤵
PID:1228

memory/2140-11-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2140-16-0x0000000075120000-0x00000000758D0000-memory.dmp

Filesize
7.7MB

Download
memory/2140-15-0x00000000055E0000-0x00000000055F0000-memory.dmp

Filesize
64KB

Download
memory/2140-14-0x0000000075120000-0x00000000758D0000-memory.dmp

Filesize
7.7MB

Download
memory/4952-8-0x00000000068E0000-0x00000000068EA000-memory.dmp

Filesize
40KB

Download
memory/4952-5-0x00000000052F0000-0x00000000052FA000-memory.dmp

Filesize
40KB

Download
memory/4952-6-0x00000000053B0000-0x00000000053C8000-memory.dmp

Filesize
96KB

Download
memory/4952-7-0x00000000068D0000-0x00000000068D8000-memory.dmp

Filesize
32KB

Download
memory/4952-0-0x0000000000810000-0x00000000008A8000-memory.dmp

Filesize
608KB

Download
memory/4952-9-0x0000000006B50000-0x0000000006BB0000-memory.dmp

Filesize
384KB

Download
memory/4952-10-0x00000000069A0000-0x0000000006A3C000-memory.dmp

Filesize
624KB

Download
memory/4952-4-0x00000000050D0000-0x00000000050E0000-memory.dmp

Filesize
64KB

Download
memory/4952-13-0x0000000075120000-0x00000000758D0000-memory.dmp

Filesize
7.7MB

Download
memory/4952-3-0x0000000005130000-0x00000000051C2000-memory.dmp

Filesize
584KB

Download
memory/4952-2-0x0000000005630000-0x0000000005BD4000-memory.dmp

Filesize
5.6MB

Download
memory/4952-1-0x0000000075120000-0x00000000758D0000-memory.dmp

Filesize
7.7MB

Download