Analysis

max time kernel: 118s
max time network: 123s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 25-12-2023 04:55
Static task: static1

Behavioral task: behavioral1
  Sample: 0660a83db4bc57f237ce3f736e939f65.exe
  Resource: win7-20231215-en

Behavioral task: behavioral2
  Sample: 0660a83db4bc57f237ce3f736e939f65.exe
  Resource: win10v2004-20231215-en
General

Target: 0660a83db4bc57f237ce3f736e939f65.exe
Size: 818KB
MD5: 0660a83db4bc57f237ce3f736e939f65
SHA1: 8c26f425b647fc18f08d05bae621bc8ea7ebb9e4
SHA256: cee601c8a8d2220d65d6457c6e793ad7a34b08bc6b1ec2d36ed5c8cf50d4c93f
SHA512: b1a8bda867e81c16a36809b6108c8067ccc5ef92fec4c4164fef888b4ef313db3abf6b0a863255a07169434952e53e8817c1cad5b0f794bdf5cc610b78a63689
SSDEEP: 12288:mqnB3Tp+gczyhNSvRbBQHR4qz91hI0zSaNsvz+yuWDVId21NaI+E8tyvXWPzVq/Z:mqppPBG9V8w61edIuBCs1G+
Malware Config

Extracted: snakekeylogger
  Protocol: smtp
  Host: smtp.mpjewellers.com
  Port: 587
  Username: [email protected]
  Password: mpjw2013
  Email To: [email protected]
Signatures

Snake Keylogger
Keylogger and Infostealer first seen in November 2020.

Snake Keylogger payload (5 IoCs)
Processes:
resource | yara_rule
behavioral1/memory/2672-15-0x0000000000400000-0x0000000000424000-memory.dmp | family_snakekeylogger
behavioral1/memory/2672-16-0x0000000000400000-0x0000000000424000-memory.dmp | family_snakekeylogger
behavioral1/memory/2672-19-0x0000000000400000-0x0000000000424000-memory.dmp | family_snakekeylogger
behavioral1/memory/2672-21-0x0000000000400000-0x0000000000424000-memory.dmp | family_snakekeylogger
behavioral1/memory/2672-23-0x0000000000400000-0x0000000000424000-memory.dmp | family_snakekeylogger

Looks up external IP address via web service (3 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow | ioc
2 | checkip.dyndns.org
4 | freegeoip.app
5 | freegeoip.app

Suspicious use of SetThreadContext (1 IoCs)
Processes: 0660a83db4bc57f237ce3f736e939f65.exe
description | pid | process | target process
PID 2528 set thread context of 2672 | 2528 | 0660a83db4bc57f237ce3f736e939f65.exe | RegSvcs.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Program crash (1 IoCs)
Processes: WerFault.exe
pid | pid_target | process | target process
2856 | 2672 | WerFault.exe | RegSvcs.exe

Creates scheduled task(s) (1 TTPs, 1 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.

Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes: 0660a83db4bc57f237ce3f736e939f65.exe, RegSvcs.exe
pid | process
2528 | 0660a83db4bc57f237ce3f736e939f65.exe
2672 | RegSvcs.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes: 0660a83db4bc57f237ce3f736e939f65.exe, RegSvcs.exe
description | pid | process
Token: SeDebugPrivilege | 2528 | 0660a83db4bc57f237ce3f736e939f65.exe
Token: SeDebugPrivilege | 2672 | RegSvcs.exe

Suspicious use of WriteProcessMemory (20 IoCs)
Processes: 0660a83db4bc57f237ce3f736e939f65.exe, RegSvcs.exe
description | pid | process | target process
PID 2528 wrote to memory of 2896 | 2528 | 0660a83db4bc57f237ce3f736e939f65.exe | schtasks.exe
PID 2528 wrote to memory of 2896 | 2528 | 0660a83db4bc57f237ce3f736e939f65.exe | schtasks.exe
PID 2528 wrote to memory of 2896 | 2528 | 0660a83db4bc57f237ce3f736e939f65.exe | schtasks.exe
PID 2528 wrote to memory of 2896 | 2528 | 0660a83db4bc57f237ce3f736e939f65.exe | schtasks.exe
PID 2528 wrote to memory of 2672 | 2528 | 0660a83db4bc57f237ce3f736e939f65.exe | RegSvcs.exe
PID 2528 wrote to memory of 2672 | 2528 | 0660a83db4bc57f237ce3f736e939f65.exe | RegSvcs.exe
PID 2528 wrote to memory of 2672 | 2528 | 0660a83db4bc57f237ce3f736e939f65.exe | RegSvcs.exe
PID 2528 wrote to memory of 2672 | 2528 | 0660a83db4bc57f237ce3f736e939f65.exe | RegSvcs.exe
PID 2528 wrote to memory of 2672 | 2528 | 0660a83db4bc57f237ce3f736e939f65.exe | RegSvcs.exe
PID 2528 wrote to memory of 2672 | 2528 | 0660a83db4bc57f237ce3f736e939f65.exe | RegSvcs.exe
PID 2528 wrote to memory of 2672 | 2528 | 0660a83db4bc57f237ce3f736e939f65.exe | RegSvcs.exe
PID 2528 wrote to memory of 2672 | 2528 | 0660a83db4bc57f237ce3f736e939f65.exe | RegSvcs.exe
PID 2528 wrote to memory of 2672 | 2528 | 0660a83db4bc57f237ce3f736e939f65.exe | RegSvcs.exe
PID 2528 wrote to memory of 2672 | 2528 | 0660a83db4bc57f237ce3f736e939f65.exe | RegSvcs.exe
PID 2528 wrote to memory of 2672 | 2528 | 0660a83db4bc57f237ce3f736e939f65.exe | RegSvcs.exe
PID 2528 wrote to memory of 2672 | 2528 | 0660a83db4bc57f237ce3f736e939f65.exe | RegSvcs.exe
PID 2672 wrote to memory of 2856 | 2672 | RegSvcs.exe | WerFault.exe
PID 2672 wrote to memory of 2856 | 2672 | RegSvcs.exe | WerFault.exe
PID 2672 wrote to memory of 2856 | 2672 | RegSvcs.exe | WerFault.exe
PID 2672 wrote to memory of 2856 | 2672 | RegSvcs.exe | WerFault.exe
Processes

C:\Users\Admin\AppData\Local\Temp\0660a83db4bc57f237ce3f736e939f65.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0660a83db4bc57f237ce3f736e939f65.exe"
  PID: 2528
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\schtasks.exe
      Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NDtqckbCHv" /XML "C:\Users\Admin\AppData\Local\Temp\tmp3082.tmp"
      PID: 2896
      - Creates scheduled task(s)

    C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      Command line: "{path}"
      PID: 2672
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\WerFault.exe
          Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2672 -s 1496
          PID: 2856
          - Program crash
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 1KB
MD5: 8cbfe32279342fe472ed69ca494e6202
SHA1: 6adc97b6b2aecb98df1b68e35f8705bbedb4d5e2
SHA256: 9ff95d64f957aa5e18eafe7bf9944c901992f9cf32c8cceea2709785a868da76
SHA512: 5f4b272121889671f57be5a5cef240b5c5e6cfa004e87c702fd0d4e41cff55e55d928c6f23b1b2aa196450f732b4ca96ffc564e51db1f8e52d66a91dc9b152e3