Analysis
-
max time kernel
64s -
max time network
123s -
platform
windows10-2004_x64 -
resource
win10v2004-20231215-en -
resource tags
arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system -
submitted
25-12-2023 04:53
Static task
static1
Behavioral task
behavioral1
Sample
063f5ca54ca7abd4d74a16b9bfa7083f.exe
Resource
win7-20231215-en
Behavioral task
behavioral2
Sample
063f5ca54ca7abd4d74a16b9bfa7083f.exe
Resource
win10v2004-20231215-en
General
-
Target
063f5ca54ca7abd4d74a16b9bfa7083f.exe
-
Size
468KB
-
MD5
063f5ca54ca7abd4d74a16b9bfa7083f
-
SHA1
75043ba263fdcbc5581eae2b8de080776a8f0058
-
SHA256
4f54be824a67f26e4efd110706d90d95989e2aabc10584a1c5dff911dd653d03
-
SHA512
ce667cf8ef3a90a935382d292d7810e74da343a70497d21d7041d8a90308f8ff2e611ea37c68353b0749f2b36e4feb6a7e3097ce48e3e689d00360fe51c5197a
-
SSDEEP
12288:O3Na9imfQu7Lv2mUHQ7fJa4ofNNUckb7/:O3NUimfhSc7fPLcc/
Malware Config
Extracted
snakekeylogger
Protocol: smtp- Host:
netjul.shop - Port:
587 - Username:
[email protected] - Password:
83{2L@#$IXq!! - Email To:
[email protected]
Signatures
-
Detect ZGRat V1 34 IoCs
Processes:
resource yara_rule behavioral2/memory/3672-8-0x00000000068B0000-0x000000000692E000-memory.dmp family_zgrat_v1 behavioral2/memory/3672-28-0x00000000068B0000-0x0000000006929000-memory.dmp family_zgrat_v1 behavioral2/memory/3672-40-0x00000000068B0000-0x0000000006929000-memory.dmp family_zgrat_v1 behavioral2/memory/3672-38-0x00000000068B0000-0x0000000006929000-memory.dmp family_zgrat_v1 behavioral2/memory/3672-60-0x00000000068B0000-0x0000000006929000-memory.dmp family_zgrat_v1 behavioral2/memory/3672-72-0x00000000068B0000-0x0000000006929000-memory.dmp family_zgrat_v1 behavioral2/memory/3672-70-0x00000000068B0000-0x0000000006929000-memory.dmp family_zgrat_v1 behavioral2/memory/3672-68-0x00000000068B0000-0x0000000006929000-memory.dmp family_zgrat_v1 behavioral2/memory/3672-66-0x00000000068B0000-0x0000000006929000-memory.dmp family_zgrat_v1 behavioral2/memory/3672-64-0x00000000068B0000-0x0000000006929000-memory.dmp family_zgrat_v1 behavioral2/memory/3672-62-0x00000000068B0000-0x0000000006929000-memory.dmp family_zgrat_v1 behavioral2/memory/3672-58-0x00000000068B0000-0x0000000006929000-memory.dmp family_zgrat_v1 behavioral2/memory/3672-56-0x00000000068B0000-0x0000000006929000-memory.dmp family_zgrat_v1 behavioral2/memory/3672-54-0x00000000068B0000-0x0000000006929000-memory.dmp family_zgrat_v1 behavioral2/memory/3672-52-0x00000000068B0000-0x0000000006929000-memory.dmp family_zgrat_v1 behavioral2/memory/3672-50-0x00000000068B0000-0x0000000006929000-memory.dmp family_zgrat_v1 behavioral2/memory/3672-48-0x00000000068B0000-0x0000000006929000-memory.dmp family_zgrat_v1 behavioral2/memory/3672-46-0x00000000068B0000-0x0000000006929000-memory.dmp family_zgrat_v1 behavioral2/memory/3672-44-0x00000000068B0000-0x0000000006929000-memory.dmp family_zgrat_v1 behavioral2/memory/3672-42-0x00000000068B0000-0x0000000006929000-memory.dmp family_zgrat_v1 behavioral2/memory/3672-36-0x00000000068B0000-0x0000000006929000-memory.dmp family_zgrat_v1 behavioral2/memory/3672-34-0x00000000068B0000-0x0000000006929000-memory.dmp family_zgrat_v1 behavioral2/memory/3672-32-0x00000000068B0000-0x0000000006929000-memory.dmp family_zgrat_v1 behavioral2/memory/3672-30-0x00000000068B0000-0x0000000006929000-memory.dmp family_zgrat_v1 behavioral2/memory/3672-26-0x00000000068B0000-0x0000000006929000-memory.dmp family_zgrat_v1 behavioral2/memory/3672-24-0x00000000068B0000-0x0000000006929000-memory.dmp family_zgrat_v1 behavioral2/memory/3672-22-0x00000000068B0000-0x0000000006929000-memory.dmp family_zgrat_v1 behavioral2/memory/3672-20-0x00000000068B0000-0x0000000006929000-memory.dmp family_zgrat_v1 behavioral2/memory/3672-18-0x00000000068B0000-0x0000000006929000-memory.dmp family_zgrat_v1 behavioral2/memory/3672-16-0x00000000068B0000-0x0000000006929000-memory.dmp family_zgrat_v1 behavioral2/memory/3672-14-0x00000000068B0000-0x0000000006929000-memory.dmp family_zgrat_v1 behavioral2/memory/3672-12-0x00000000068B0000-0x0000000006929000-memory.dmp family_zgrat_v1 behavioral2/memory/3672-10-0x00000000068B0000-0x0000000006929000-memory.dmp family_zgrat_v1 behavioral2/memory/3672-9-0x00000000068B0000-0x0000000006929000-memory.dmp family_zgrat_v1 -
Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
-
Snake Keylogger payload 1 IoCs
Processes:
resource yara_rule behavioral2/memory/4300-2408-0x0000000000400000-0x0000000000422000-memory.dmp family_snakekeylogger -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
063f5ca54ca7abd4d74a16b9bfa7083f.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\chrome = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\chrom\\chrome.exe\"" 063f5ca54ca7abd4d74a16b9bfa7083f.exe -
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 134 freegeoip.app 135 freegeoip.app 131 checkip.dyndns.org -
Suspicious use of SetThreadContext 1 IoCs
Processes:
063f5ca54ca7abd4d74a16b9bfa7083f.exedescription pid process target process PID 3672 set thread context of 4300 3672 063f5ca54ca7abd4d74a16b9bfa7083f.exe 063f5ca54ca7abd4d74a16b9bfa7083f.exe -
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target process target process 3364 4300 WerFault.exe 063f5ca54ca7abd4d74a16b9bfa7083f.exe -
Suspicious behavior: EnumeratesProcesses 8 IoCs
Processes:
063f5ca54ca7abd4d74a16b9bfa7083f.exe063f5ca54ca7abd4d74a16b9bfa7083f.exepid process 3672 063f5ca54ca7abd4d74a16b9bfa7083f.exe 3672 063f5ca54ca7abd4d74a16b9bfa7083f.exe 3672 063f5ca54ca7abd4d74a16b9bfa7083f.exe 3672 063f5ca54ca7abd4d74a16b9bfa7083f.exe 3672 063f5ca54ca7abd4d74a16b9bfa7083f.exe 3672 063f5ca54ca7abd4d74a16b9bfa7083f.exe 4300 063f5ca54ca7abd4d74a16b9bfa7083f.exe 4300 063f5ca54ca7abd4d74a16b9bfa7083f.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
063f5ca54ca7abd4d74a16b9bfa7083f.exe063f5ca54ca7abd4d74a16b9bfa7083f.exedescription pid process Token: SeDebugPrivilege 3672 063f5ca54ca7abd4d74a16b9bfa7083f.exe Token: SeDebugPrivilege 4300 063f5ca54ca7abd4d74a16b9bfa7083f.exe -
Suspicious use of WriteProcessMemory 11 IoCs
Processes:
063f5ca54ca7abd4d74a16b9bfa7083f.exedescription pid process target process PID 3672 wrote to memory of 2244 3672 063f5ca54ca7abd4d74a16b9bfa7083f.exe 063f5ca54ca7abd4d74a16b9bfa7083f.exe PID 3672 wrote to memory of 2244 3672 063f5ca54ca7abd4d74a16b9bfa7083f.exe 063f5ca54ca7abd4d74a16b9bfa7083f.exe PID 3672 wrote to memory of 2244 3672 063f5ca54ca7abd4d74a16b9bfa7083f.exe 063f5ca54ca7abd4d74a16b9bfa7083f.exe PID 3672 wrote to memory of 4300 3672 063f5ca54ca7abd4d74a16b9bfa7083f.exe 063f5ca54ca7abd4d74a16b9bfa7083f.exe PID 3672 wrote to memory of 4300 3672 063f5ca54ca7abd4d74a16b9bfa7083f.exe 063f5ca54ca7abd4d74a16b9bfa7083f.exe PID 3672 wrote to memory of 4300 3672 063f5ca54ca7abd4d74a16b9bfa7083f.exe 063f5ca54ca7abd4d74a16b9bfa7083f.exe PID 3672 wrote to memory of 4300 3672 063f5ca54ca7abd4d74a16b9bfa7083f.exe 063f5ca54ca7abd4d74a16b9bfa7083f.exe PID 3672 wrote to memory of 4300 3672 063f5ca54ca7abd4d74a16b9bfa7083f.exe 063f5ca54ca7abd4d74a16b9bfa7083f.exe PID 3672 wrote to memory of 4300 3672 063f5ca54ca7abd4d74a16b9bfa7083f.exe 063f5ca54ca7abd4d74a16b9bfa7083f.exe PID 3672 wrote to memory of 4300 3672 063f5ca54ca7abd4d74a16b9bfa7083f.exe 063f5ca54ca7abd4d74a16b9bfa7083f.exe PID 3672 wrote to memory of 4300 3672 063f5ca54ca7abd4d74a16b9bfa7083f.exe 063f5ca54ca7abd4d74a16b9bfa7083f.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\063f5ca54ca7abd4d74a16b9bfa7083f.exe"C:\Users\Admin\AppData\Local\Temp\063f5ca54ca7abd4d74a16b9bfa7083f.exe"1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3672 -
C:\Users\Admin\AppData\Local\Temp\063f5ca54ca7abd4d74a16b9bfa7083f.exeC:\Users\Admin\AppData\Local\Temp\063f5ca54ca7abd4d74a16b9bfa7083f.exe2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4300 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4300 -s 17923⤵
- Program crash
PID:3364 -
C:\Users\Admin\AppData\Local\Temp\063f5ca54ca7abd4d74a16b9bfa7083f.exeC:\Users\Admin\AppData\Local\Temp\063f5ca54ca7abd4d74a16b9bfa7083f.exe2⤵PID:2244
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 4300 -ip 43001⤵PID:2304
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\063f5ca54ca7abd4d74a16b9bfa7083f.exe.log
Filesize1KB
MD57ebe314bf617dc3e48b995a6c352740c
SHA1538f643b7b30f9231a3035c448607f767527a870
SHA25648178f884b8a4dd96e330b210b0530667d9473a7629fc6b4ad12b614bf438ee8
SHA5120ba9d8f4244c15285e254d27b4bff7c49344ff845c48bc0bf0d8563072fab4d6f7a6abe6b6742e8375a08e9a3b3e5d5dc4937ab428dbe2dd8e62892fda04507e