Analysis
max time kernel: 117s
max time network: 117s
platform: windows7_x64
resource: win7-20231129-en
resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
submitted: 05-12-2023 06:11
Static task: static1
Behavioral task: behavioral1
  Sample: Price List 3428865.exe
  Resource: win7-20231129-en
Behavioral task: behavioral2
  Sample: Price List 3428865.exe
  Resource: win10v2004-20231130-en
General
Target: Price List 3428865.exe
Size: 587KB
MD5: 41cbfe9a9cbbbbf6f986bfb6e360e119
SHA1: a7715d74a5bc11dd4f75d96e206ec7f38b43fb76
SHA256: c3c328f277cdb667eda6592126db6e7290f46ae37fc5f84d836e42e325612ab3
SHA512: 88aff934e95f7f178c0275370ea5d96b33ae6fc6041ed428c7c10d247f36f28afe7cddff4cb5dba0d910542cec9e5bd39ee1eca1edccf1d59c0d5e74b77ade04
SSDEEP: 12288:3l5nF80Vdqrlbrr48/HfOPYVTJJkXa0Me6r7jBLdMiVxr:3lVqhbrrXHfsQkK0t8pLdMibr
Malware Config
Signatures
Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
Snake Keylogger payload (5 IoCs)
Processes:
resource | yara_rule
behavioral1/memory/1032-11-0x0000000000400000-0x0000000000426000-memory.dmp | family_snakekeylogger
behavioral1/memory/1032-12-0x0000000000400000-0x0000000000426000-memory.dmp | family_snakekeylogger
behavioral1/memory/1032-15-0x0000000000400000-0x0000000000426000-memory.dmp | family_snakekeylogger
behavioral1/memory/1032-17-0x0000000000400000-0x0000000000426000-memory.dmp | family_snakekeylogger
behavioral1/memory/1032-19-0x0000000000400000-0x0000000000426000-memory.dmp | family_snakekeylogger
Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow | ioc
4 | checkip.dyndns.org
Suspicious use of SetThreadContext (1 IoC)
Processes:
description | pid | process | target process
PID 2336 set thread context of 1032 | 2336 | Price List 3428865.exe | RegSvcs.exe
Program crash (1 IoC)
Processes:
pid | pid_target | process | target process
1640 | 1032 | WerFault.exe | RegSvcs.exe
Suspicious behavior: EnumeratesProcesses (1 IoC)
Processes:
pid | process
1032 | RegSvcs.exe
Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
description | pid | process
Token: SeDebugPrivilege | 1032 | RegSvcs.exe
Suspicious use of WriteProcessMemory (16 IoCs)
Processes:
description | pid | process | target process
PID 2336 wrote to memory of 1032 | 2336 | Price List 3428865.exe | RegSvcs.exe (12 identical entries)
PID 1032 wrote to memory of 1640 | 1032 | RegSvcs.exe | WerFault.exe (4 identical entries)
Processes
"C:\Users\Admin\AppData\Local\Temp\Price List 3428865.exe" (PID 2336)
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" (PID 1032, child of 2336)
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\WerFault.exe -u -p 1032 -s 1048 (PID 1640, child of 1032)
      - Program crash