Analysis
- max time kernel: 150s
- max time network: 160s
- platform: windows10-2004_x64
- resource: win10v2004-20231215-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 19-12-2023 18:13

Static task: static1

Behavioral task: behavioral1
- Sample: 73db5847e79cecadd08090f46147223f.exe
- Resource: win7-20231215-en

Behavioral task: behavioral2
- Sample: 73db5847e79cecadd08090f46147223f.exe
- Resource: win10v2004-20231215-en
General
- Target: 73db5847e79cecadd08090f46147223f.exe
- Size: 1.2MB
- MD5: 73db5847e79cecadd08090f46147223f
- SHA1: 4605b0ec88569216858cb4c04a4fde80cf943354
- SHA256: d75208f6e002bf7dcc1319971897886f0e6846d078adb97437953087311b1baf
- SHA512: d4c2dc989069bb67b136f50d3740d9bc4554da40e212657877f022643a8eea6843ad7cb7cfe72116a66be7d55e0f9f03341b6934f0793aaa207dade660a58e60
- SSDEEP: 24576:BQ7JV/KtSZRsMeaXkscQ5uLHnNGjqWya5b9JkvwJ:OVxcQ5uvWya5bQg
Malware Config
Extracted: snakekeylogger
- Protocol: smtp
- Host: mail.pishroparsian.com
- Port: 587
- Username: [email protected]
- Password: Hassan@khani2
- Email To: [email protected]
- Telegram API URL: https://api.telegram.org/bot1328029504:AAGKFzQ1tJdWqJzQg7lW0DK-JgG0_8hFEEk/sendMessage?chat_id=1072388187
Signatures
- Snake Keylogger
  Keylogger and Infostealer first seen in November 2020.

- Snake Keylogger payload (1 IoCs)
  resource | yara_rule
  behavioral2/memory/2468-16-0x0000000000400000-0x0000000000426000-memory.dmp | family_snakekeylogger

- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes: 73db5847e79cecadd08090f46147223f.exe
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation | 73db5847e79cecadd08090f46147223f.exe

- Looks up external IP address via web service (3 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow | ioc
  58 | checkip.dyndns.org
  61 | freegeoip.app
  62 | freegeoip.app

- Suspicious use of SetThreadContext (1 IoCs)
  Processes: 73db5847e79cecadd08090f46147223f.exe
  description | pid | process | target process
  PID 5020 set thread context of 2468 | 5020 | 73db5847e79cecadd08090f46147223f.exe | 73db5847e79cecadd08090f46147223f.exe

- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

- Program crash (1 IoCs)
  Processes: WerFault.exe
  pid | pid_target | process | target process
  4612 | 2468 | WerFault.exe | 73db5847e79cecadd08090f46147223f.exe

- Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.

- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes: 73db5847e79cecadd08090f46147223f.exe, 73db5847e79cecadd08090f46147223f.exe
  pid | process
  5020 | 73db5847e79cecadd08090f46147223f.exe
  2468 | 73db5847e79cecadd08090f46147223f.exe

- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes: 73db5847e79cecadd08090f46147223f.exe, 73db5847e79cecadd08090f46147223f.exe
  description | pid | process
  Token: SeDebugPrivilege | 5020 | 73db5847e79cecadd08090f46147223f.exe
  Token: SeDebugPrivilege | 2468 | 73db5847e79cecadd08090f46147223f.exe

- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes: 73db5847e79cecadd08090f46147223f.exe
  description | pid | process | target process
  PID 5020 wrote to memory of 3432 | 5020 | 73db5847e79cecadd08090f46147223f.exe | schtasks.exe
  PID 5020 wrote to memory of 3432 | 5020 | 73db5847e79cecadd08090f46147223f.exe | schtasks.exe
  PID 5020 wrote to memory of 3432 | 5020 | 73db5847e79cecadd08090f46147223f.exe | schtasks.exe
  PID 5020 wrote to memory of 2468 | 5020 | 73db5847e79cecadd08090f46147223f.exe | 73db5847e79cecadd08090f46147223f.exe
  PID 5020 wrote to memory of 2468 | 5020 | 73db5847e79cecadd08090f46147223f.exe | 73db5847e79cecadd08090f46147223f.exe
  PID 5020 wrote to memory of 2468 | 5020 | 73db5847e79cecadd08090f46147223f.exe | 73db5847e79cecadd08090f46147223f.exe
  PID 5020 wrote to memory of 2468 | 5020 | 73db5847e79cecadd08090f46147223f.exe | 73db5847e79cecadd08090f46147223f.exe
  PID 5020 wrote to memory of 2468 | 5020 | 73db5847e79cecadd08090f46147223f.exe | 73db5847e79cecadd08090f46147223f.exe
  PID 5020 wrote to memory of 2468 | 5020 | 73db5847e79cecadd08090f46147223f.exe | 73db5847e79cecadd08090f46147223f.exe
  PID 5020 wrote to memory of 2468 | 5020 | 73db5847e79cecadd08090f46147223f.exe | 73db5847e79cecadd08090f46147223f.exe
  PID 5020 wrote to memory of 2468 | 5020 | 73db5847e79cecadd08090f46147223f.exe | 73db5847e79cecadd08090f46147223f.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\73db5847e79cecadd08090f46147223f.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\73db5847e79cecadd08090f46147223f.exe"
   PID: 5020
   - Checks computer location settings
   - Suspicious use of SetThreadContext
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\schtasks.exe
      Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ciNuRUsmpum" /XML "C:\Users\Admin\AppData\Local\Temp\tmp21D6.tmp"
      PID: 3432
      - Creates scheduled task(s)

   2. C:\Users\Admin\AppData\Local\Temp\73db5847e79cecadd08090f46147223f.exe
      Command line: "{path}"
      PID: 2468
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

      3. C:\Windows\SysWOW64\WerFault.exe
         Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2468 -s 1772
         PID: 4612
         - Program crash

1. C:\Windows\SysWOW64\WerFault.exe
   Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2468 -ip 2468
   PID: 1580
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 1KB
  MD5: a241358dcb540e75b69ccaacd65e82e0
  SHA1: cf5abe6458e145c67c234864cdf20aaa3c3abf9e
  SHA256: 6e1d6a45ca7a179a1792e9fff6433636ecb2e43264c7c9f95ee6241253fdbc95
  SHA512: a4009e1b6bccc35771678cfa38a29a729b847e7da9d65a1ad4f18573a02562eb74aafaf12b42cc4f09c4dea4a3868a4569cc7e835b3b14ba1adee4fa82e899a9