Analysis
- max time kernel: 118s
- max time network: 122s
- platform: windows7_x64
- resource: win7-20231215-en
- resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
- submitted: 30/01/2024, 22:22
Tasks
- Static task: static1
- Behavioral task: behavioral1 (sample: 82b6aefc08b359173217678342f22080.exe, resource: win7-20231215-en)
- Behavioral task: behavioral2 (sample: 82b6aefc08b359173217678342f22080.exe, resource: win10v2004-20231222-en)
General
- Target: 82b6aefc08b359173217678342f22080.exe
- Size: 1.3MB
- MD5: 82b6aefc08b359173217678342f22080
- SHA1: 7318475d895614ffe34e690045674ac46331e26e
- SHA256: 9be1467f145c688ecea5a3c8e25d870a53da1f17b3c7de248ef57123fa2b32ca
- SHA512: c6af2a1bd5c1cbd306a99dd3bd7090de00eeef806d7260cd569093a3d7649125a67b9d7b4ac2944fda0a2884f2e17865b88fd904bd221eb2bc7ea6f4ba08b6ab
- SSDEEP: 12288:Vc9JbxZOZJz4Cs1MGtbgE6vtx+GC84jvYV7uKqSJrg3yFwEn0wvqybK4HtLGEUBI:m/OP/GFz6vj+hzs8
Malware Config
Extracted family: snakekeylogger
- Protocol: smtp
- Host: mail.niftylabs.com
- Port: 587
- Username: [email protected]
- Password: MM3NDDU4K3WI
- Email To: [email protected]
Signatures
- Snake Keylogger
  Keylogger and Infostealer first seen in November 2020.
- Snake Keylogger payload (7 IoCs)
  resource / yara_rule:
  - behavioral1/memory/2624-14-0x0000000000400000-0x0000000000424000-memory.dmp / family_snakekeylogger
  - behavioral1/memory/2624-15-0x0000000000400000-0x0000000000424000-memory.dmp / family_snakekeylogger
  - behavioral1/memory/2624-18-0x0000000000400000-0x0000000000424000-memory.dmp / family_snakekeylogger
  - behavioral1/memory/2624-20-0x0000000000400000-0x0000000000424000-memory.dmp / family_snakekeylogger
  - behavioral1/memory/2624-22-0x0000000000400000-0x0000000000424000-memory.dmp / family_snakekeylogger
  - behavioral1/memory/2624-25-0x0000000004980000-0x00000000049C0000-memory.dmp / family_snakekeylogger
  - behavioral1/memory/2624-27-0x0000000004980000-0x00000000049C0000-memory.dmp / family_snakekeylogger
- Looks up external IP address via web service (3 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow / ioc:
  - 4 / checkip.dyndns.org
  - 8 / freegeoip.app
  - 9 / freegeoip.app
- Suspicious use of SetThreadContext (1 IoC)
  - PID 2964 (82b6aefc08b359173217678342f22080.exe) set thread context of 2624 (procid_target 30)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Program crash (1 IoC)
  - pid 1104 (WerFault.exe), pid_target 2624 (procid_target 30)
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  - pid 2332 (schtasks.exe)
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  - pid 2624 (RegSvcs.exe)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  - Token: SeDebugPrivilege, pid 2964 (82b6aefc08b359173217678342f22080.exe)
  - Token: SeDebugPrivilege, pid 2624 (RegSvcs.exe)
- Suspicious use of WriteProcessMemory (20 IoCs)
  - PID 2964 (82b6aefc08b359173217678342f22080.exe) wrote to memory of 2332 (procid_target 28): 4 entries
  - PID 2964 (82b6aefc08b359173217678342f22080.exe) wrote to memory of 2624 (procid_target 30): 12 entries
  - PID 2624 (RegSvcs.exe) wrote to memory of 1104 (procid_target 33): 4 entries
Processes
- C:\Users\Admin\AppData\Local\Temp\82b6aefc08b359173217678342f22080.exe (PID 2964)
  Command line: "C:\Users\Admin\AppData\Local\Temp\82b6aefc08b359173217678342f22080.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\schtasks.exe (PID 2332)
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ikzxGmHjkZst" /XML "C:\Users\Admin\AppData\Local\Temp\tmpCBA8.tmp"
    - Creates scheduled task(s)
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe (PID 2624)
    Command line: "{path}"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\WerFault.exe (PID 1104)
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2624 -s 1588
      - Program crash
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 1KB
  - MD5: 127bfc87769cb3ceaaad3d86895b1901
  - SHA1: 6d89ca094d8d990be8a074c6c61cf84857357793
  - SHA256: f2fd4757cd145e96d41e2b67da9089b0ebf374d4c36cfa2dc4141ed9a6292b80
  - SHA512: ac976e4bff38d5dbc89e1861d1600f4c35e7e2817836a0b0f92d0647c0653091cba05db0677db0ddee3afb0cad34bbdce467232c7ba3240fe693b91e8dc0099b