Analysis

Max time kernel: 104s
Max time network: 152s
Platform: windows10-2004_x64
Resource: win10v2004-20231215-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 25-12-2023 13:38
Static task: static1
Behavioral task: behavioral1
  Sample: 22554080f932d465ce13118732d03a9e.exe
  Resource: win7-20231215-en
Behavioral task: behavioral2
  Sample: 22554080f932d465ce13118732d03a9e.exe
  Resource: win10v2004-20231215-en
General

Target: 22554080f932d465ce13118732d03a9e.exe
Size: 997KB
MD5: 22554080f932d465ce13118732d03a9e
SHA1: 6eb832f18ce2720a07ea504583258d213906f4d0
SHA256: 9ca62f576b0ea3feaa04743aa626fefc4ff511b17d3532b3d90bd47c65b6fa2d
SHA512: 99ad632d268ee0299841b2d024ae3aea88cd83eb7e72fc35184e7f434f0de7418592063dbb59ddf116ec2d60056aca1786754899f1cf0c2bc76073886fdfab18
SSDEEP: 24576:8K68ABhkJEZ5/dxNK64JGPeqkdsuJ+NRWqwOUER:8KO6CK64J2BuwKvW
Malware Config

Extracted: snakekeylogger
  Protocol: smtp
  Host: smtp.fireacoustics.com
  Port: 587
  Username: [email protected]
  Password: _d:rzD~62Jxh
  Email To: [email protected]

The stealer exfiltrates over authenticated SMTP submission (port 587) to the operator's mailbox; the host name and credentials above are the sample's hard-coded configuration, recovered from the unpacked payload, and are the most durable network indicators in this report.
Signatures (all hits below come from the behavioral2 / Windows 10 run)

Snake Keylogger
  Keylogger and infostealer first seen in November 2020.

Snake Keylogger payload (2 IoCs)
  resource                                                                     | yara_rule
  behavioral2/memory/1384-13-0x0000000000400000-0x0000000000424000-memory.dmp | family_snakekeylogger
  behavioral2/memory/1384-17-0x0000000005380000-0x0000000005390000-memory.dmp | family_snakekeylogger

CustAttr .NET packer (1 IoC)
  Detects the CustAttr .NET packer in memory.
  resource                                                                     | yara_rule
  behavioral2/memory/4004-8-0x0000000002AE0000-0x0000000002AF2000-memory.dmp  | CustAttr

  Note that the packer rule fires only in the dropped sample (PID 4004), while both keylogger payload rules fire only in MSBuild.exe (PID 1384): the sample is a packed loader, and the actual Snake Keylogger body runs inside the injected MSBuild.exe, starting at the 32-bit default image base 0x400000.

Looks up external IP address via web service (3 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow | ioc
  82   | checkip.dyndns.org
  84   | freegeoip.app
  85   | freegeoip.app

Suspicious use of SetThreadContext (1 IoC)
  description                          | pid  | process                               | target process
  PID 4004 set thread context of 1384  | 4004 | 22554080f932d465ce13118732d03a9e.exe | MSBuild.exe

Program crash (1 IoC)
  pid  | pid_target | process      | target process
  1748 | 1384       | WerFault.exe | MSBuild.exe

Suspicious behavior: EnumeratesProcesses (4 IoCs)
  pid  | process
  4004 | 22554080f932d465ce13118732d03a9e.exe
  4004 | 22554080f932d465ce13118732d03a9e.exe
  1384 | MSBuild.exe
  1384 | MSBuild.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description             | pid  | process
  Token: SeDebugPrivilege | 4004 | 22554080f932d465ce13118732d03a9e.exe
  Token: SeDebugPrivilege | 1384 | MSBuild.exe

Suspicious use of WriteProcessMemory (11 IoCs)
  description                                      | pid  | process                               | target process
  PID 4004 wrote to memory of 4168 (3 identical events) | 4004 | 22554080f932d465ce13118732d03a9e.exe | MSBuild.exe
  PID 4004 wrote to memory of 1384 (8 identical events) | 4004 | 22554080f932d465ce13118732d03a9e.exe | MSBuild.exe

Read together, the API signatures describe one injection chain: the sample (PID 4004) launches MSBuild.exe twice and writes into both children, but only the second child (PID 1384) also receives a SetThreadContext call, and that is the process in which the Snake Keylogger YARA rules fire and which later crashes under WerFault. The first child (PID 4168) shows no further activity in this run. Remote writes into a freshly spawned, signed .NET host followed by a thread-context change is the process-hollowing pattern; writes without the context change are an attempt that did not complete.
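The WriteProcessMemory and SetThreadContext rows above are what an analyst reads to separate a completed hollowing from an aborted one, and the YARA table tells which process actually holds the payload. The Python below is an added example, not the sandbox's own tooling or anything shipped with the malware: it parses the rows in exactly the flattened form this report prints them, groups them per (source pid, target pid), keeps only pairs where writes were followed by a thread-context change, and then correlates the flagged target PID with the memory-dump YARA hits. The input rows are copied from this report; the set of commonly abused .NET host binaries is an assumption.

```python
"""Triage helper: rebuild the injection chain from flattened sandbox signature rows.

Added example for this report; it is not the sandbox's own code. The input rows
below are constructed by copying the report's WriteProcessMemory, SetThreadContext
and YARA memory-hit rows (PIDs 4004, 4168, 1384).
"""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass

SAMPLE = "22554080f932d465ce13118732d03a9e.exe"

# Constructed from the report: 3 writes into PID 4168, 8 writes into PID 1384,
# one SetThreadContext on PID 1384, in the report's flattened row format.
API_ROWS = "\n".join(
    [f"PID 4004 wrote to memory of 4168 4004 {SAMPLE} MSBuild.exe"] * 3
    + [f"PID 4004 wrote to memory of 1384 4004 {SAMPLE} MSBuild.exe"] * 8
    + [f"PID 4004 set thread context of 1384 4004 {SAMPLE} MSBuild.exe"]
)

# Constructed from the report's YARA tables (resource, rule).
YARA_ROWS = """
behavioral2/memory/1384-13-0x0000000000400000-0x0000000000424000-memory.dmp family_snakekeylogger
behavioral2/memory/1384-17-0x0000000005380000-0x0000000005390000-memory.dmp family_snakekeylogger
behavioral2/memory/4004-8-0x0000000002AE0000-0x0000000002AF2000-memory.dmp CustAttr
"""

API_RE = re.compile(r"PID (\d+) (wrote to memory of|set thread context of) (\d+) \d+ (\S+) (\S+)")
YARA_RE = re.compile(r"memory/(\d+)-\d+-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp (\S+)")

# Assumption: signed .NET Framework binaries commonly chosen as hollowing hosts.
DOTNET_HOSTS = {"msbuild.exe", "regasm.exe", "regsvcs.exe", "installutil.exe"}


@dataclass
class Chain:
    source_pid: int
    source_image: str
    target_pid: int
    target_image: str
    writes: int = 0
    thread_context: bool = False

    def complete(self) -> bool:
        """Remote writes plus SetThreadContext on the same child is the hollowing
        shape; writes with no context change (PID 4168 here) is an aborted attempt."""
        return self.writes > 0 and self.thread_context


def parse_chains(text: str) -> dict[tuple[int, int], Chain]:
    """Group WriteProcessMemory / SetThreadContext rows by (source pid, target pid)."""
    chains: dict[tuple[int, int], Chain] = {}
    for m in API_RE.finditer(text):
        src, action, tgt, src_img, tgt_img = m.groups()
        key = (int(src), int(tgt))
        chain = chains.setdefault(key, Chain(int(src), src_img, int(tgt), tgt_img))
        if action.startswith("wrote"):
            chain.writes += 1
        else:
            chain.thread_context = True
    return chains


def parse_memory_hits(text: str) -> dict[int, list[tuple[int, int, str]]]:
    """Map pid -> [(region start, region end, yara rule)] from the memory-dump rows."""
    hits: dict[int, list[tuple[int, int, str]]] = defaultdict(list)
    for m in YARA_RE.finditer(text):
        pid, start, end, rule = m.groups()
        hits[int(pid)].append((int(start, 16), int(end, 16), rule))
    return hits


def triage(api_text: str, yara_text: str) -> list[dict]:
    """Return one finding per completed chain, enriched with the YARA hits in its target."""
    hits = parse_memory_hits(yara_text)
    findings = []
    for chain in parse_chains(api_text).values():
        if not chain.complete():
            continue
        regions = hits.get(chain.target_pid, [])
        findings.append({
            "source": f"{chain.source_image} ({chain.source_pid})",
            "target": f"{chain.target_image} ({chain.target_pid})",
            "writes": chain.writes,
            "dotnet_host_target": chain.target_image.lower() in DOTNET_HOSTS,
            # 0x400000 is the traditional default image base of a 32-bit PE; a payload
            # rule matching that region means the keylogger body, not the host's own
            # code, occupies the host's image base.
            "payload_at_image_base": any(start == 0x400000 for start, _, _ in regions),
            "payload_rules_in_target": sorted({rule for _, _, rule in regions}),
        })
    return findings


if __name__ == "__main__":
    for finding in triage(API_ROWS, YARA_ROWS):
        print(finding)
```

Run against the report's rows this yields exactly one finding, for MSBuild.exe (1384): eight writes, thread context set, a .NET host as target, and family_snakekeylogger matching at 0x400000. The pair (4004, 4168) is parsed but not reported because no SetThreadContext followed its three writes, which is the distinction worth preserving when turning signature rows into an alert.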
Processes

C:\Users\Admin\AppData\Local\Temp\22554080f932d465ce13118732d03a9e.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\22554080f932d465ce13118732d03a9e.exe"
  PID: 4004 (depth 1)
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

    C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
      PID: 4168 (depth 2)

    C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
      PID: 1384 (depth 2)
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

        C:\Windows\SysWOW64\WerFault.exe
          Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1384 -s 1776
          PID: 1748 (depth 3)
          - Program crash

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 1384 -ip 1384
  PID: 5052 (depth 1)

The MSBuild.exe children are launched from the 32-bit Framework directory (not Framework64) and the crash of PID 1384 is handled by the SysWOW64 WerFault.exe, so the injected host is a 32-bit process, consistent with the payload region at 0x400000 in the YARA hits.