Analysis
max time kernel: 143s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 30/01/2024, 10:24
Static task: static1
Behavioral task: behavioral1
  Sample: 8231a3d38bc7b4d80468f51b116054c8.exe
  Resource: win7-20231215-en
Behavioral task: behavioral2
  Sample: 8231a3d38bc7b4d80468f51b116054c8.exe
  Resource: win10v2004-20231215-en
General
Target: 8231a3d38bc7b4d80468f51b116054c8.exe
Size: 1003KB
MD5: 8231a3d38bc7b4d80468f51b116054c8
SHA1: 3e8a9a6daf2aee6fd2c23cade11f9e60bab26e3a
SHA256: 09d451633478aca81c8f4c945059160bd9f45fc415e013b1e71f5a07bd865127
SHA512: 655711c12025172079ea0b07b0c3177004d56d378d1148e5ac6e0c569a46a38958a530b0a26214fa840248df06d98f9c3872e08245e85bd095f7a782d3fdd8a3
SSDEEP: 24576:9HNiHXt734s2lrIrxT7ZhNlT7dkcOs/h/0S/:9tiHXtDImhX7ecOs/h/0S
Malware Config
Signatures

Snake Keylogger
Keylogger and Infostealer first seen in November 2020.

Snake Keylogger payload (13 IoCs)
resource | yara_rule
behavioral2/memory/1824-6-0x0000000000400000-0x00000000004E0000-memory.dmp | family_snakekeylogger
behavioral2/memory/1824-8-0x0000000000400000-0x00000000004E0000-memory.dmp | family_snakekeylogger
behavioral2/memory/1824-9-0x0000000000400000-0x00000000004E0000-memory.dmp | family_snakekeylogger
behavioral2/memory/1824-11-0x0000000000400000-0x00000000004E0000-memory.dmp | family_snakekeylogger
behavioral2/files/0x0007000000023234-17.dat | family_snakekeylogger
behavioral2/memory/3904-78-0x0000000000E10000-0x0000000000E34000-memory.dmp | family_snakekeylogger
behavioral2/memory/1824-136-0x0000000000400000-0x00000000004E0000-memory.dmp | family_snakekeylogger
behavioral2/memory/4360-151-0x0000000000400000-0x00000000004E0000-memory.dmp | family_snakekeylogger
behavioral2/memory/4360-152-0x0000000000400000-0x00000000004E0000-memory.dmp | family_snakekeylogger
behavioral2/memory/4360-215-0x0000000000400000-0x00000000004E0000-memory.dmp | family_snakekeylogger
behavioral2/memory/4360-216-0x0000000000400000-0x00000000004E0000-memory.dmp | family_snakekeylogger
behavioral2/memory/2192-218-0x000000001B0A0000-0x000000001B0B0000-memory.dmp | family_snakekeylogger
behavioral2/memory/4360-220-0x0000000000400000-0x00000000004E0000-memory.dmp | family_snakekeylogger
Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\Control Panel\International\Geo\Nation | 8231a3d38bc7b4d80468f51b116054c8.exe
Key value queried | \REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\Control Panel\International\Geo\Nation | Synaptics.exe
Executes dropped EXE (4 IoCs)
pid | Process
3904 | ._cache_8231a3d38bc7b4d80468f51b116054c8.exe
2084 | Synaptics.exe
4360 | Synaptics.exe
2192 | ._cache_Synaptics.exe
Adds Run key to start application (2 TTPs, 1 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe" | 8231a3d38bc7b4d80468f51b116054c8.exe
Looks up external IP address via web service (4 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
61 | freegeoip.app
38 | checkip.dyndns.org
40 | freegeoip.app
41 | freegeoip.app
Suspicious use of SetThreadContext (2 IoCs)
description | pid | Process | procid_target
PID 700 set thread context of 1824 | 700 | 8231a3d38bc7b4d80468f51b116054c8.exe | 92
PID 2084 set thread context of 4360 | 2084 | Synaptics.exe | 98
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Modifies registry class (2 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | 8231a3d38bc7b4d80468f51b116054c8.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | Synaptics.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid | Process
3904 | ._cache_8231a3d38bc7b4d80468f51b116054c8.exe
2192 | ._cache_Synaptics.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 3904 | ._cache_8231a3d38bc7b4d80468f51b116054c8.exe
Token: SeDebugPrivilege | 2192 | ._cache_Synaptics.exe
Suspicious use of WriteProcessMemory (29 IoCs)
description | pid | Process | procid_target
PID 700 wrote to memory of 1824 | 700 | 8231a3d38bc7b4d80468f51b116054c8.exe | 92
PID 700 wrote to memory of 1824 | 700 | 8231a3d38bc7b4d80468f51b116054c8.exe | 92
PID 700 wrote to memory of 1824 | 700 | 8231a3d38bc7b4d80468f51b116054c8.exe | 92
PID 700 wrote to memory of 1824 | 700 | 8231a3d38bc7b4d80468f51b116054c8.exe | 92
PID 700 wrote to memory of 1824 | 700 | 8231a3d38bc7b4d80468f51b116054c8.exe | 92
PID 700 wrote to memory of 1824 | 700 | 8231a3d38bc7b4d80468f51b116054c8.exe | 92
PID 700 wrote to memory of 1824 | 700 | 8231a3d38bc7b4d80468f51b116054c8.exe | 92
PID 700 wrote to memory of 1824 | 700 | 8231a3d38bc7b4d80468f51b116054c8.exe | 92
PID 700 wrote to memory of 1824 | 700 | 8231a3d38bc7b4d80468f51b116054c8.exe | 92
PID 700 wrote to memory of 1824 | 700 | 8231a3d38bc7b4d80468f51b116054c8.exe | 92
PID 700 wrote to memory of 1824 | 700 | 8231a3d38bc7b4d80468f51b116054c8.exe | 92
PID 1824 wrote to memory of 3904 | 1824 | 8231a3d38bc7b4d80468f51b116054c8.exe | 93
PID 1824 wrote to memory of 3904 | 1824 | 8231a3d38bc7b4d80468f51b116054c8.exe | 93
PID 1824 wrote to memory of 2084 | 1824 | 8231a3d38bc7b4d80468f51b116054c8.exe | 94
PID 1824 wrote to memory of 2084 | 1824 | 8231a3d38bc7b4d80468f51b116054c8.exe | 94
PID 1824 wrote to memory of 2084 | 1824 | 8231a3d38bc7b4d80468f51b116054c8.exe | 94
PID 2084 wrote to memory of 4360 | 2084 | Synaptics.exe | 98
PID 2084 wrote to memory of 4360 | 2084 | Synaptics.exe | 98
PID 2084 wrote to memory of 4360 | 2084 | Synaptics.exe | 98
PID 2084 wrote to memory of 4360 | 2084 | Synaptics.exe | 98
PID 2084 wrote to memory of 4360 | 2084 | Synaptics.exe | 98
PID 2084 wrote to memory of 4360 | 2084 | Synaptics.exe | 98
PID 2084 wrote to memory of 4360 | 2084 | Synaptics.exe | 98
PID 2084 wrote to memory of 4360 | 2084 | Synaptics.exe | 98
PID 2084 wrote to memory of 4360 | 2084 | Synaptics.exe | 98
PID 2084 wrote to memory of 4360 | 2084 | Synaptics.exe | 98
PID 2084 wrote to memory of 4360 | 2084 | Synaptics.exe | 98
PID 4360 wrote to memory of 2192 | 4360 | Synaptics.exe | 99
PID 4360 wrote to memory of 2192 | 4360 | Synaptics.exe | 99
Processes
C:\Users\Admin\AppData\Local\Temp\8231a3d38bc7b4d80468f51b116054c8.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\8231a3d38bc7b4d80468f51b116054c8.exe"
  PID: 700
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\8231a3d38bc7b4d80468f51b116054c8.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\8231a3d38bc7b4d80468f51b116054c8.exe"
    PID: 1824
    - Checks computer location settings
    - Adds Run key to start application
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\._cache_8231a3d38bc7b4d80468f51b116054c8.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\._cache_8231a3d38bc7b4d80468f51b116054c8.exe"
      PID: 3904
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    C:\ProgramData\Synaptics\Synaptics.exe
      Command line: "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
      PID: 2084
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory
      C:\ProgramData\Synaptics\Synaptics.exe
        Command line: "C:\ProgramData\Synaptics\Synaptics.exe"
        PID: 4360
        - Checks computer location settings
        - Executes dropped EXE
        - Modifies registry class
        - Suspicious use of WriteProcessMemory
        C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe"
          PID: 2192
          - Executes dropped EXE
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 1003KB
MD5: 8231a3d38bc7b4d80468f51b116054c8
SHA1: 3e8a9a6daf2aee6fd2c23cade11f9e60bab26e3a
SHA256: 09d451633478aca81c8f4c945059160bd9f45fc415e013b1e71f5a07bd865127
SHA512: 655711c12025172079ea0b07b0c3177004d56d378d1148e5ac6e0c569a46a38958a530b0a26214fa840248df06d98f9c3872e08245e85bd095f7a782d3fdd8a3

Filesize: 121KB
MD5: 3a5c58c1a52727682465d7925559d21a
SHA1: f68665ef6139c41f5767b597924bc6bca3e2796a
SHA256: a4a844ffd175602400f333741bc0f3582030eaebb90a19f841c855d539bd2e67
SHA512: 2f0632dcd10c9424b19678168ff97c2eef959dd31789abbe80c3ed65691dd77037789146656b869fc161c8b8e7682d1f78bd0085a41f2f71e6b1399d47dffee9