Analysis
max time kernel: 148s
max time network: 162s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25-12-2023 03:50
Static task: static1
Behavioral task: behavioral1
  Sample: 03e0c87acbd555226e4510cb8e5034f5.exe
  Resource: win7-20231129-en
Behavioral task: behavioral2
  Sample: 03e0c87acbd555226e4510cb8e5034f5.exe
  Resource: win10v2004-20231215-en
General
Target: 03e0c87acbd555226e4510cb8e5034f5.exe
Size: 1.5MB
MD5: 03e0c87acbd555226e4510cb8e5034f5
SHA1: 7cae7eb46c366fe9a9f72fadb91abe7386fd4d00
SHA256: d0ff1050e74986eb30da03e8de2b8d6d9300836849615521c40520def4916473
SHA512: 0938dbe7d04914ab5888061e56065688acc3d0120f88e981a8f0639d994866d88643e84a41cf109347e2344c3dbc2baa5bcdd15f467f5048e77317f102306a20
SSDEEP: 24576:1yhXW5oaXpcB7mVSaccPuvcd5OGQT/1/0nS+7n4SYwqK4zf3RTsAHWAgqChJ+huR:o0iecHCNvP8EOShNQuiNB/e
Malware Config
Extracted: snakekeylogger
Protocol: smtp
Host: mail.manavgatgida.com
Port: 587
Username: [email protected]
Password: shaco1234,
Email To: [email protected]
Signatures

Snake Keylogger
Keylogger and Infostealer first seen in November 2020.

Snake Keylogger payload (1 IoC)
  resource: behavioral2/memory/4656-47-0x0000000000400000-0x0000000000424000-memory.dmp  yara_rule: family_snakekeylogger

Looks for VirtualBox Guest Additions in registry (2 TTPs, 1 IoC)
  03e0c87acbd555226e4510cb8e5034f5.exe  Key opened: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Oracle\VirtualBox Guest Additions

Looks for VMWare Tools registry key (2 TTPs, 1 IoC)
  03e0c87acbd555226e4510cb8e5034f5.exe  Key opened: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\VMware, Inc.\VMware Tools

Checks BIOS information in registry (2 TTPs, 2 IoCs)
BIOS information is often read in order to detect sandboxing environments.
  03e0c87acbd555226e4510cb8e5034f5.exe  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
  03e0c87acbd555226e4510cb8e5034f5.exe  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion

Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, most likely for geofencing.
  03e0c87acbd555226e4510cb8e5034f5.exe  Key value queried: \REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\Control Panel\International\Geo\Nation

Looks up external IP address via web service (3 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
  flow 138  freegeoip.app
  flow 139  freegeoip.app
  flow 136  checkip.dyndns.org

Maps connected drives based on registry (3 TTPs, 2 IoCs)
Disk information is often read in order to detect sandboxing environments.
  03e0c87acbd555226e4510cb8e5034f5.exe  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum
  03e0c87acbd555226e4510cb8e5034f5.exe  Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0

Suspicious use of SetThreadContext (1 IoC)
  PID 3492 (03e0c87acbd555226e4510cb8e5034f5.exe) set thread context of PID 4656 (03e0c87acbd555226e4510cb8e5034f5.exe)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Program crash (1 IoC)
  PID 1680 WerFault.exe  target: PID 4656 03e0c87acbd555226e4510cb8e5034f5.exe

Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.

Suspicious behavior: EnumeratesProcesses (11 IoCs)
  376 powershell.exe (3 events)
  2732 powershell.exe (3 events)
  4656 03e0c87acbd555226e4510cb8e5034f5.exe (2 events)
  4504 powershell.exe (3 events)

Suspicious use of AdjustPrivilegeToken (5 IoCs)
  Token: SeDebugPrivilege  3492 03e0c87acbd555226e4510cb8e5034f5.exe
  Token: SeDebugPrivilege  376 powershell.exe
  Token: SeDebugPrivilege  2732 powershell.exe
  Token: SeDebugPrivilege  4656 03e0c87acbd555226e4510cb8e5034f5.exe
  Token: SeDebugPrivilege  4504 powershell.exe

Suspicious use of WriteProcessMemory (20 IoCs)
  PID 3492 (03e0c87acbd555226e4510cb8e5034f5.exe) wrote to memory of 376 powershell.exe (3 events)
  PID 3492 (03e0c87acbd555226e4510cb8e5034f5.exe) wrote to memory of 2732 powershell.exe (3 events)
  PID 3492 (03e0c87acbd555226e4510cb8e5034f5.exe) wrote to memory of 4964 schtasks.exe (3 events)
  PID 3492 (03e0c87acbd555226e4510cb8e5034f5.exe) wrote to memory of 4504 powershell.exe (3 events)
  PID 3492 (03e0c87acbd555226e4510cb8e5034f5.exe) wrote to memory of 4656 03e0c87acbd555226e4510cb8e5034f5.exe (8 events)
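The two network facts in this report fit together: the sample asks a public IP-lookup service (freegeoip.app, checkip.dyndns.org) where it is, then ships its log by SMTP to the extracted config's mail.manavgatgida.com:587. The correlation below is an added example written for this page, not code from the sandbox or from the malware. FLOWS is constructed to mirror the report's indicators plus two benign hosts; the 5-minute window and the mail-client allowlist are assumptions you would tune per estate.

```python
"""Correlate an external-IP lookup with a later SMTP submission from the same host.

Added example, not part of the sandbox report. FLOWS is constructed; WINDOW and
MAIL_CLIENTS are assumptions.
"""
from datetime import datetime, timedelta

IP_LOOKUP_HOSTS = {"freegeoip.app", "checkip.dyndns.org"}   # from the report's flows
SMTP_PORTS = {25, 465, 587}                                  # 587 is the report's exfil port
WINDOW = timedelta(minutes=5)                                # assumption
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}            # assumption: benign SMTP talkers

# Constructed flow records: (host, ISO timestamp, destination, dst port, process image name).
FLOWS = [
    ("ws01", "2023-12-25T03:51:02", "checkip.dyndns.org", 80, "03e0c87acbd555226e4510cb8e5034f5.exe"),
    ("ws01", "2023-12-25T03:51:03", "freegeoip.app", 443, "03e0c87acbd555226e4510cb8e5034f5.exe"),
    ("ws01", "2023-12-25T03:51:09", "mail.manavgatgida.com", 587, "03e0c87acbd555226e4510cb8e5034f5.exe"),
    ("ws02", "2023-12-25T03:20:00", "checkip.dyndns.org", 80, "python.exe"),       # lookup, SMTP far outside window
    ("ws02", "2023-12-25T04:10:00", "smtp.office365.com", 587, "python.exe"),
    ("ws03", "2023-12-25T03:55:00", "smtp.office365.com", 587, "outlook.exe"),     # allowlisted client, no lookup
]


def correlate(flows, window=WINDOW):
    """Return one alert per SMTP connection that an external-IP lookup from the
    same host preceded within `window`, skipping allowlisted mail clients."""
    lookups = {}
    for host, ts, dst, port, proc in flows:
        if dst in IP_LOOKUP_HOSTS:
            lookups.setdefault(host, []).append(datetime.fromisoformat(ts))

    alerts = []
    for host, ts, dst, port, proc in flows:
        if port not in SMTP_PORTS or proc.lower() in MAIL_CLIENTS:
            continue
        t = datetime.fromisoformat(ts)
        # Only lookups that happened before the SMTP flow, and not too long before.
        recent = [l for l in lookups.get(host, []) if timedelta(0) <= t - l <= window]
        if recent:
            alerts.append({"host": host, "process": proc,
                           "smtp_dst": "%s:%d" % (dst, port),
                           "lookups_before": len(recent)})
    return alerts


if __name__ == "__main__":
    for a in correlate(FLOWS):
        print(a)
```

The flows do not need to be sorted; the check is done on timestamp differences, so out-of-order records from several sensors still correlate. Extend IP_LOOKUP_HOSTS with the other services you see in your own telemetry (the two here are only what this report recorded).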
Processes

C:\Users\Admin\AppData\Local\Temp\03e0c87acbd555226e4510cb8e5034f5.exe  (PID 3492, level 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\03e0c87acbd555226e4510cb8e5034f5.exe"
  - Looks for VirtualBox Guest Additions in registry
  - Looks for VMWare Tools registry key
  - Checks BIOS information in registry
  - Checks computer location settings
  - Maps connected drives based on registry
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  (PID 376, level 2)
    command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\03e0c87acbd555226e4510cb8e5034f5.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  (PID 2732, level 2)
    command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\JDuIzwmQvpoe.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\schtasks.exe  (PID 4964, level 2)
    command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\JDuIzwmQvpoe" /XML "C:\Users\Admin\AppData\Local\Temp\tmp640.tmp"
    - Creates scheduled task(s)

  C:\Users\Admin\AppData\Local\Temp\03e0c87acbd555226e4510cb8e5034f5.exe  (PID 4656, level 2)
    command line: "C:\Users\Admin\AppData\Local\Temp\03e0c87acbd555226e4510cb8e5034f5.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\WerFault.exe  (PID 1680, level 3)
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4656 -s 1812
      - Program crash

  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  (PID 4504, level 2)
    command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\JDuIzwmQvpoe.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

C:\Windows\SysWOW64\WerFault.exe  (PID 4748, level 1)
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4656 -ip 4656
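Three things in this tree are worth turning into detection logic: the Defender exclusions added with Add-MpPreference for both the running sample and its future copy under AppData\Roaming, the scheduled task imported from an XML file in the user's Temp directory, and the sample spawning a second copy of itself that the parent then writes to and sets the thread context of (the YARA hit for Snake Keylogger is on that child's memory, which is what process hollowing leaves behind). The script below is an added example written for this page, not code from the sandbox or from the malware. EVENTS is constructed from the tree above with field names loosely modelled on Sysmon Event ID 1; the ppid of 1000 for the two level-1 processes is an assumption, since the report does not show their parent. The technique IDs are ATT&CK mappings chosen here, not the report's own.

```python
"""Flag Defender tampering, temp-dir task import and self-spawn (hollowing
candidate) in process-creation events shaped like the report's process tree.

Added example, not part of the sandbox report. EVENTS is constructed; the
ppid 1000 for level-1 processes is an assumption.
"""
import re

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\03e0c87acbd555226e4510cb8e5034f5.exe"
PS_IMAGE = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
# The command line names System32 while the image is SysWOW64: a 32-bit parent
# launching through WOW64 file-system redirection, exactly as the report shows.
PS_CMD = r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath '
WERFAULT = r"C:\Windows\SysWOW64\WerFault.exe"

# Constructed from the report's tree: (pid, ppid, image, command line).
EVENTS = [
    (3492, 1000, SAMPLE, '"%s"' % SAMPLE),
    (376, 3492, PS_IMAGE, PS_CMD + '"%s"' % SAMPLE),
    (2732, 3492, PS_IMAGE, PS_CMD + r'"C:\Users\Admin\AppData\Roaming\JDuIzwmQvpoe.exe"'),
    (4964, 3492, r"C:\Windows\SysWOW64\schtasks.exe",
     r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\JDuIzwmQvpoe" /XML "C:\Users\Admin\AppData\Local\Temp\tmp640.tmp"'),
    (4656, 3492, SAMPLE, '"%s"' % SAMPLE),
    (1680, 4656, WERFAULT, WERFAULT + " -u -p 4656 -s 1812"),
    (4504, 3492, PS_IMAGE, PS_CMD + r'"C:\Users\Admin\AppData\Roaming\JDuIzwmQvpoe.exe"'),
    (4748, 1000, WERFAULT, WERFAULT + " -pss -s 408 -p 4656 -ip 4656"),
]

# Any of the -Exclusion* parameters weakens Defender; the report shows -ExclusionPath.
DEFENDER_TAMPER = re.compile(r"Add-MpPreference\b.*-Exclusion(Path|Process|Extension)", re.I)
# Per-user locations an unprivileged process can write to (assumption: tune per estate).
USER_WRITABLE = re.compile(r"^[A-Z]:\\Users\\[^\\]+\\AppData\\(Local\\Temp|Roaming)\\", re.I)
XML_ARG = re.compile(r'/XML\s+"?([^"\s]+)"?', re.I)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return (technique, pid, description) for every event that matches a rule."""
    by_pid = {e[0]: e for e in events}
    findings = []
    for pid, ppid, image, cmd in events:
        name = basename(image)
        parent = by_pid.get(ppid)
        if name == "powershell.exe" and DEFENDER_TAMPER.search(cmd):
            findings.append(("T1562.001", pid, "Defender exclusion added via Add-MpPreference"))
        if name == "schtasks.exe" and "/create" in cmd.lower():
            m = XML_ARG.search(cmd)
            if m and USER_WRITABLE.match(m.group(1)):
                findings.append(("T1053.005", pid, "task imported from XML in user-writable dir: " + m.group(1)))
        # Parent launching a second copy of itself from a user-writable path: the
        # shape a hollowing loader has before it overwrites the child's image.
        if parent and parent[2].lower() == image.lower() and USER_WRITABLE.match(image):
            findings.append(("T1055.012", pid, "self-spawned copy of %s (hollowing candidate)" % name))
    return findings


def root_of(pid, by_pid):
    """Walk ppid links up to the top-most process present in the event set."""
    while pid in by_pid and by_pid[pid][1] in by_pid:
        pid = by_pid[pid][1]
    return pid


def techniques_by_root(events):
    """Group technique IDs under their root ancestor; one root carrying all three
    is a far stronger signal than any single match."""
    by_pid = {e[0]: e for e in events}
    out = {}
    for tech, pid, _ in detect(events):
        out.setdefault(root_of(pid, by_pid), set()).add(tech)
    return out


if __name__ == "__main__":
    for f in detect(EVENTS):
        print(f)
    print(techniques_by_root(EVENTS))
```

The self-spawn rule on its own is noisy (installers and updaters re-launch themselves), which is why the roll-up in techniques_by_root matters: here every finding chains back to PID 3492, and a root that both tampers with Defender and persists through schtasks while re-launching itself is the combination to alert on.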
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 2KB
MD5: 3d086a433708053f9bf9523e1d87a4e8
SHA1: b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28
SHA256: 6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69
SHA512: 931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

Filesize: 18KB
MD5: 11805ece939b6b15ce1c2f3f917ec1dc
SHA1: bcf510412ddeacd73041b250503e7ec61fd69d1a
SHA256: 055eaa09ed2660f99721ca6c9011d0a25fdf75ddd06282b6d9aaff1bb2f44be6
SHA512: 2042de76df9fd72589093dc7ba9e2d45b8c74fdbcdf94ac71122538046057710cdc4b967998b52d160e1a11959a6e1225a22c7f9737ab1b90d97b0f35c6a54a0

Filesize: 60B
MD5: d17fe0a3f47be24a6453e9ef58c94641
SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Filesize: 1KB
MD5: afd356ff176eb3a6598d31eeeea79083
SHA1: c17154f71313859b6e5ddd55b8c6e0e398dffad2
SHA256: a12570c9c634d5787d97e9b1c201b0c6d2fbd201f00e5910bf257dbb492cb929
SHA512: 350bdc53ba7c13430c4be1466bd51ecb5d49557f46e0f00133461082f1e26b6237610cf528ce21ba05d6ab8b970a934060933b186a72b6401956ce4208db3b0b