Analysis
-
max time kernel
141s -
max time network
158s -
platform
windows10-2004_x64 -
resource
win10v2004-20231215-en -
resource tags
arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system -
submitted
25-12-2023 16:57
Static task
static1
Behavioral task
behavioral1
Sample
2efb7a094b303bdb0caf62dd8d676963.exe
Resource
win7-20231215-en
Behavioral task
behavioral2
Sample
2efb7a094b303bdb0caf62dd8d676963.exe
Resource
win10v2004-20231215-en
General
-
Target
2efb7a094b303bdb0caf62dd8d676963.exe
-
Size
844KB
-
MD5
2efb7a094b303bdb0caf62dd8d676963
-
SHA1
70a4fdaff3eb7dcefe8b472a515341ad216c2e49
-
SHA256
14b33650cf6497ab5a9f973f61ca8b43ad33a0b1a85f378345f51855567f4d2a
-
SHA512
5f930d4be2c259a40ec1abf2102124e36f2c17f2026ee5d23b868e9ea9c5efeee17e09eb955d2594bcaa668778d5ff00c6d2950935802e370ab99f32af42d6b9
-
SSDEEP
12288:b2VrmcC2EsNa7iS/d348n0PhybuVj5T8h7GzULMMENOvgfXtUKA4qX:MrzVhlS/d3j6Vj5ghp2NOYqKS
Malware Config
Extracted
snakekeylogger
Protocol: smtp- Host:
mail.ccmainoffice.com - Port:
587 - Username:
[email protected] - Password:
QAZqaz123@ - Email To:
[email protected]
Signatures
-
Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
-
Snake Keylogger payload 1 IoCs
Processes:
resource yara_rule behavioral2/memory/4232-12-0x0000000000400000-0x0000000000424000-memory.dmp family_snakekeylogger -
CustAttr .NET packer 1 IoCs
Detects CustAttr .NET packer in memory.
Processes:
resource yara_rule behavioral2/memory/4896-7-0x0000000002450000-0x0000000002462000-memory.dmp CustAttr -
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 72 checkip.dyndns.org 78 freegeoip.app 80 freegeoip.app -
Suspicious use of SetThreadContext 1 IoCs
Processes:
2efb7a094b303bdb0caf62dd8d676963.exedescription pid process target process PID 4896 set thread context of 4232 4896 2efb7a094b303bdb0caf62dd8d676963.exe 2efb7a094b303bdb0caf62dd8d676963.exe -
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target process target process 4836 4232 WerFault.exe 2efb7a094b303bdb0caf62dd8d676963.exe -
Suspicious behavior: EnumeratesProcesses 6 IoCs
Processes:
2efb7a094b303bdb0caf62dd8d676963.exe2efb7a094b303bdb0caf62dd8d676963.exepid process 4896 2efb7a094b303bdb0caf62dd8d676963.exe 4896 2efb7a094b303bdb0caf62dd8d676963.exe 4896 2efb7a094b303bdb0caf62dd8d676963.exe 4896 2efb7a094b303bdb0caf62dd8d676963.exe 4232 2efb7a094b303bdb0caf62dd8d676963.exe 4232 2efb7a094b303bdb0caf62dd8d676963.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
2efb7a094b303bdb0caf62dd8d676963.exe2efb7a094b303bdb0caf62dd8d676963.exedescription pid process Token: SeDebugPrivilege 4896 2efb7a094b303bdb0caf62dd8d676963.exe Token: SeDebugPrivilege 4232 2efb7a094b303bdb0caf62dd8d676963.exe -
Suspicious use of WriteProcessMemory 11 IoCs
Processes:
2efb7a094b303bdb0caf62dd8d676963.exedescription pid process target process PID 4896 wrote to memory of 4772 4896 2efb7a094b303bdb0caf62dd8d676963.exe 2efb7a094b303bdb0caf62dd8d676963.exe PID 4896 wrote to memory of 4772 4896 2efb7a094b303bdb0caf62dd8d676963.exe 2efb7a094b303bdb0caf62dd8d676963.exe PID 4896 wrote to memory of 4772 4896 2efb7a094b303bdb0caf62dd8d676963.exe 2efb7a094b303bdb0caf62dd8d676963.exe PID 4896 wrote to memory of 4232 4896 2efb7a094b303bdb0caf62dd8d676963.exe 2efb7a094b303bdb0caf62dd8d676963.exe PID 4896 wrote to memory of 4232 4896 2efb7a094b303bdb0caf62dd8d676963.exe 2efb7a094b303bdb0caf62dd8d676963.exe PID 4896 wrote to memory of 4232 4896 2efb7a094b303bdb0caf62dd8d676963.exe 2efb7a094b303bdb0caf62dd8d676963.exe PID 4896 wrote to memory of 4232 4896 2efb7a094b303bdb0caf62dd8d676963.exe 2efb7a094b303bdb0caf62dd8d676963.exe PID 4896 wrote to memory of 4232 4896 2efb7a094b303bdb0caf62dd8d676963.exe 2efb7a094b303bdb0caf62dd8d676963.exe PID 4896 wrote to memory of 4232 4896 2efb7a094b303bdb0caf62dd8d676963.exe 2efb7a094b303bdb0caf62dd8d676963.exe PID 4896 wrote to memory of 4232 4896 2efb7a094b303bdb0caf62dd8d676963.exe 2efb7a094b303bdb0caf62dd8d676963.exe PID 4896 wrote to memory of 4232 4896 2efb7a094b303bdb0caf62dd8d676963.exe 2efb7a094b303bdb0caf62dd8d676963.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\2efb7a094b303bdb0caf62dd8d676963.exe"C:\Users\Admin\AppData\Local\Temp\2efb7a094b303bdb0caf62dd8d676963.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4896 -
C:\Users\Admin\AppData\Local\Temp\2efb7a094b303bdb0caf62dd8d676963.exe"C:\Users\Admin\AppData\Local\Temp\2efb7a094b303bdb0caf62dd8d676963.exe"2⤵PID:4772
-
C:\Users\Admin\AppData\Local\Temp\2efb7a094b303bdb0caf62dd8d676963.exe"C:\Users\Admin\AppData\Local\Temp\2efb7a094b303bdb0caf62dd8d676963.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4232 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4232 -s 18163⤵
- Program crash
PID:4836
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4232 -ip 42321⤵PID:956