Analysis

  • max time kernel: 148s
  • max time network: 149s
  • platform: windows7_x64
  • resource: win7-20231129-en
  • resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
  • submitted: 31/01/2024, 00:20

General

  • Target: 82f4ae80360792467e90af85e78fecad.exe
  • Size: 1.2MB
  • MD5: 82f4ae80360792467e90af85e78fecad
  • SHA1: 1c6c2801823fe1287638dc309661ff0a75f87623
  • SHA256: 7bc5eb4d7e5f4a51cc18540b9ed86a607ccf9979d1d19dbfd94335c8b57c70f0
  • SHA512: ed428169ebc0293b917a53e59129e5f746eb3ef99bd485d6575d7d15fabd2557e40592aa5c8773ff85540f1c37745f464a9a6cdb1f6af19810e7cc2a8e0d91e6
  • SSDEEP: 12288:cMe5cs2aCjt1N5jaL561XniTKwEYYa0S1lFrxuHKEqs1Fiaq3ilSFeUtRFFo:cMeWBhh1N5g61XmKww62cYF/qy4FBtu

Signatures

  • Snake Keylogger
    Keylogger and Infostealer first seen in November 2020.
  • Snake Keylogger payload (18 IoCs)
  • Executes dropped EXE (4 IoCs)
  • Loads dropped DLL (4 IoCs)
  • Adds Run key to start application (2 TTPs, 1 IoC)
  • Looks up external IP address via web service (4 IoCs)
    Uses a legitimate IP lookup service to find the infected system's external IP.
  • Suspicious use of SetThreadContext (2 IoCs)
  • Enumerates physical storage devices (1 TTP)
    Attempts to interact with connected storage/optical drive(s).
  • Modifies system certificate store (2 TTPs, 4 IoCs)
  • Suspicious behavior: EnumeratesProcesses (2 IoCs)
  • Suspicious use of AdjustPrivilegeToken (2 IoCs)
  • Suspicious use of WriteProcessMemory (42 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\82f4ae80360792467e90af85e78fecad.exe
    "C:\Users\Admin\AppData\Local\Temp\82f4ae80360792467e90af85e78fecad.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:2248
    • C:\Users\Admin\AppData\Local\Temp\82f4ae80360792467e90af85e78fecad.exe
      "C:\Users\Admin\AppData\Local\Temp\82f4ae80360792467e90af85e78fecad.exe"
      2⤵
      • Loads dropped DLL
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:2616
      • C:\Users\Admin\AppData\Local\Temp\._cache_82f4ae80360792467e90af85e78fecad.exe
        "C:\Users\Admin\AppData\Local\Temp\._cache_82f4ae80360792467e90af85e78fecad.exe"
        3⤵
        • Executes dropped EXE
        • Modifies system certificate store
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1888
        • C:\Windows\system32\WerFault.exe
          C:\Windows\system32\WerFault.exe -u -p 1888 -s 1616
          4⤵
          PID:1316
        • C:\ProgramData\Synaptics\Synaptics.exe
          "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
          3⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious use of WriteProcessMemory
          PID:2572
          • C:\ProgramData\Synaptics\Synaptics.exe
            "C:\ProgramData\Synaptics\Synaptics.exe"
            4⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Suspicious use of WriteProcessMemory
            PID:392
            • C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
              "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe"
              5⤵
              • Executes dropped EXE
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:1100
              • C:\Windows\system32\WerFault.exe
                C:\Windows\system32\WerFault.exe -u -p 1100 -s 1528
                6⤵
                PID:376

Downloads

  • C:\ProgramData\Synaptics\Synaptics.exe
    Filesize: 170KB
    MD5: d37b86ea4fbc8f2e69d08fdebcc22a1a
    SHA1: 088011d4bcd79ebc76a30b8cfc7d8753a400aa2f
    SHA256: d1cf57a97026eb5b03b697fa792a6d52ab5e2f2f1a60814f105e360871dbe0df
    SHA512: 7b83b5463c356d095a55fd1c6d7571d25b6edc2997202888c5eb8ae42e2eae5fd019e2371a3bf1512b0f0c4161c2d502741e2275b245fb5dc0cf4a45408ef02e

  • C:\ProgramData\Synaptics\Synaptics.exe
    Filesize: 130KB
    MD5: 0945803db5908e0dd2f34a5311609a53
    SHA1: a9a01c110f787f17797199fd4dd6403073164903
    SHA256: 309495c3228f71a82c738696ed8c3096e2475b3d3082e2808ac910a1ba1ef618
    SHA512: 2ab133496406617456bbaa8a9cce622db2ef3a6e84d4a34e0262b9a33e9438464f4aeda896b26db1784bb277a12988318c1e93854326ab845f22fc0002382172

  • C:\ProgramData\Synaptics\Synaptics.exe
    Filesize: 77KB
    MD5: 9272bb5bf563c9afa040a40943bb85b3
    SHA1: ce0661f901eaa369f4cebd6d3f2b2da7adf24e18
    SHA256: 7e9890371736c982f41473bf163f6cee4c45e04f35b4a29c14df153a9f6a6fb6
    SHA512: bf9dc54bd576e28b4159336227f7b837b965ef7ddc64d37dfc70a6905f4a0964a66b63ca4c4b5283be419d7787b6da0c77e977c84fd69d49aa11a888915aaf39

  • C:\ProgramData\Synaptics\Synaptics.exe
    Filesize: 1.2MB
    MD5: 82f4ae80360792467e90af85e78fecad
    SHA1: 1c6c2801823fe1287638dc309661ff0a75f87623
    SHA256: 7bc5eb4d7e5f4a51cc18540b9ed86a607ccf9979d1d19dbfd94335c8b57c70f0
    SHA512: ed428169ebc0293b917a53e59129e5f746eb3ef99bd485d6575d7d15fabd2557e40592aa5c8773ff85540f1c37745f464a9a6cdb1f6af19810e7cc2a8e0d91e6

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357
    Filesize: 1KB
    MD5: a266bb7dcc38a562631361bbf61dd11b
    SHA1: 3b1efd3a66ea28b16697394703a72ca340a05bd5
    SHA256: df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e
    SHA512: 0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize: 344B
    MD5: 3a77e31edf7140478b67482628c6f8f6
    SHA1: 807a1194b20b79b5f65ca5c42a3aa577b0439239
    SHA256: 2ee12e03e03afbff04862590215fa99b68fe8408a8f699d4f9831373f9b15475
    SHA512: 0f09c03b65a239f79ce88e78f2b6b50eeb2880929c2e85d4dfbbfbd97f3542482f49879b08d2503374664b73ce456997dad0102e5ae69ec589648221b4c33544

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357
    Filesize: 242B
    MD5: 93ed4b5b031dee796043925b3508aa26
    SHA1: d47b9b45c18e19f233f5fd4617c658dd94b15dd0
    SHA256: 8c9b80f6e4ea43704fc2770c93d56527807f369b54e1545bdcd1aa76bfa2ce47
    SHA512: cd2041a9e8907fe18a36158cfd2c3ecaff163217ae07ef70bbc8617863449692aad72cd831eb61ca576a2c106efef2a6db66a615909c5dd64d78dcacf9a4d4e8

  • C:\Users\Admin\AppData\Local\Temp\._cache_82f4ae80360792467e90af85e78fecad.exe
    Filesize: 64KB
    MD5: 3adc46c5b68c4c1c0d029a0f3206a614
    SHA1: a05769c7527a9e0f9e5c9ead1c91a035689d3192
    SHA256: db380f07b3c8ba749dd654d82bc51e20606f4d1aa60a9074938c5bc2fe4e4737
    SHA512: 0b012589bb83ddb682be17f7d18c6f2ffa9e1acef74c51a8c6655e9b686ce75672c168fc86833d3cf1cad0f470832e272164c8fc6cae1c48db00686e95f579ce

  • C:\Users\Admin\AppData\Local\Temp\._cache_82f4ae80360792467e90af85e78fecad.exe
    Filesize: 94KB
    MD5: b85a136a56c28d15d489815e46ce743b
    SHA1: ea6911fea1c703521beba74cc9c9b04ee2710f80
    SHA256: 004799c0ade9fddc9501b4df5b8af4a7e63999af70933c2bb5a859752da5d719
    SHA512: 7c5dc77afc33fe4ff30c244ec48c4035db4c3d648e0649e4de45ae3630d8a8d7920f51bc2be058f971aabe725883f12b939c15c3d5b2730a9e1b8772db50a7d8

  • C:\Users\Admin\AppData\Local\Temp\Cab3A90.tmp
    Filesize: 65KB
    MD5: ac05d27423a85adc1622c714f2cb6184
    SHA1: b0fe2b1abddb97837ea0195be70ab2ff14d43198
    SHA256: c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
    SHA512: 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

  • \ProgramData\Synaptics\Synaptics.exe
    Filesize: 133KB
    MD5: 79f4d6d7d09ef0b45bfed172492b8578
    SHA1: 4bcfcaf7a6f09dae1af6cf751ace233576c82884
    SHA256: 6df68dacffebe92d496d06686257434b0daefe6ec1b92024cfd8a2863cbb94bf
    SHA512: 79d006e7031604d292ae63123cc4ee64794603b2d7b7992fb24a64a73b2f37e1466c15a1f7d6e473add34aaef5ae3ba9af6d604e7df14da783d38aee78e12a57

  • \Users\Admin\AppData\Local\Temp\._cache_82f4ae80360792467e90af85e78fecad.exe
    Filesize: 121KB
    MD5: 21cbcd7e0dbd6eeb8eec1200ef03c974
    SHA1: 90935710302cca3d5a5c73d5e6d7c88c7cd82331
    SHA256: 7785ce1ba96c1fcb4c4c54205b5a989bf9652b62009ad7aadc8282d639d6e95b
    SHA512: 6762dc75623a893d5c34edc6da72c9a2d2e94bf14fb2d482c8af87fd048b77e80e48e293cc6d08759316f71ec06e64483740d567a0a6e6df800d166bae40bb71
