Analysis
max time kernel: 149s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20231222-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
submitted: 31/01/2024, 00:20
Static task: static1
Behavioral task: behavioral1 | Sample: 82f4ae80360792467e90af85e78fecad.exe | Resource: win7-20231129-en
Behavioral task: behavioral2 | Sample: 82f4ae80360792467e90af85e78fecad.exe | Resource: win10v2004-20231222-en
The signatures, process tree and downloads below are from behavioral2, the Windows 10 run (the YARA resources are all prefixed behavioral2/).
General
Target: 82f4ae80360792467e90af85e78fecad.exe
Size: 1.2MB
MD5: 82f4ae80360792467e90af85e78fecad
SHA1: 1c6c2801823fe1287638dc309661ff0a75f87623
SHA256: 7bc5eb4d7e5f4a51cc18540b9ed86a607ccf9979d1d19dbfd94335c8b57c70f0
SHA512: ed428169ebc0293b917a53e59129e5f746eb3ef99bd485d6575d7d15fabd2557e40592aa5c8773ff85540f1c37745f464a9a6cdb1f6af19810e7cc2a8e0d91e6
SSDEEP: 12288:cMe5cs2aCjt1N5jaL561XniTKwEYYa0S1lFrxuHKEqs1Fiaq3ilSFeUtRFFo:cMeWBhh1N5g61XmKww62cYF/qy4FBtu
Malware Config
Signatures
Snake Keylogger
Keylogger and infostealer first seen in November 2020.

Snake Keylogger payload (13 IoCs)
resource | yara_rule
behavioral2/memory/4464-13-0x0000000000400000-0x00000000004E0000-memory.dmp | family_snakekeylogger
behavioral2/memory/4464-12-0x0000000000400000-0x00000000004E0000-memory.dmp | family_snakekeylogger
behavioral2/memory/4464-15-0x0000000000400000-0x00000000004E0000-memory.dmp | family_snakekeylogger
behavioral2/memory/4464-16-0x0000000000400000-0x00000000004E0000-memory.dmp | family_snakekeylogger
behavioral2/files/0x00070000000231fc-23.dat | family_snakekeylogger
behavioral2/memory/4772-85-0x0000000000580000-0x00000000005A4000-memory.dmp | family_snakekeylogger
behavioral2/memory/4464-144-0x0000000000400000-0x00000000004E0000-memory.dmp | family_snakekeylogger
behavioral2/memory/1664-155-0x0000000000400000-0x00000000004E0000-memory.dmp | family_snakekeylogger
behavioral2/memory/1664-157-0x0000000000400000-0x00000000004E0000-memory.dmp | family_snakekeylogger
behavioral2/memory/1664-252-0x0000000000400000-0x00000000004E0000-memory.dmp | family_snakekeylogger
behavioral2/memory/1664-253-0x0000000000400000-0x00000000004E0000-memory.dmp | family_snakekeylogger
behavioral2/memory/1664-257-0x0000000000400000-0x00000000004E0000-memory.dmp | family_snakekeylogger
behavioral2/memory/1664-283-0x0000000000400000-0x00000000004E0000-memory.dmp | family_snakekeylogger
The hits at 0x400000-0x4E0000 all come from PIDs 4464 and 1664, the two processes whose thread context is replaced by their parent (see Suspicious use of SetThreadContext below); the remaining memory hit is the dropped ._cache_ binary, PID 4772.
Checks computer location settings (2 TTPs, 2 IoCs)
Looks up the country code configured in the registry, likely a geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation | Synaptics.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation | 82f4ae80360792467e90af85e78fecad.exe
Executes dropped EXE (4 IoCs)
pid | Process
4772 | ._cache_82f4ae80360792467e90af85e78fecad.exe
1232 | Synaptics.exe
1664 | Synaptics.exe
1624 | ._cache_Synaptics.exe
Adds Run key to start application (2 TTPs, 1 IoC)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe" | 82f4ae80360792467e90af85e78fecad.exe
The report escapes backslashes; the stored string is C:\ProgramData\Synaptics\Synaptics.exe. The WOW6432Node path is the registry redirector's view, so the value was written by a 32-bit process, and as an HKLM Run entry it starts the dropped copy for every user at logon.
Looks up external IP address via web service (4 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
35 | checkip.dyndns.org
37 | freegeoip.app
38 | freegeoip.app
47 | freegeoip.app
Suspicious use of SetThreadContext (2 IoCs)
description | pid | Process | procid_target
PID 3076 set thread context of 4464 | 3076 | 82f4ae80360792467e90af85e78fecad.exe | 97
PID 1232 set thread context of 1664 | 1232 | Synaptics.exe | 103
In both rows the target is a freshly created child running the same image as the parent, and the parent has already written into it (see Suspicious use of WriteProcessMemory): the process-hollowing pattern. The unpacked payload therefore lives in 4464 and 1664, which is where the Snake Keylogger YARA hits land.
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | EXCEL.EXE
All three queries come from EXCEL.EXE, which appears in the process tree as a top-level /automation -Embedding instance rather than as a child of the sample; treat these as background activity unless other evidence ties Excel to the sample.
Enumerates system info in registry (2 TTPs, 3 IoCs)
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | EXCEL.EXE
Modifies registry class (2 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | 82f4ae80360792467e90af85e78fecad.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | Synaptics.exe
Suspicious behavior: AddClipboardFormatListener (1 IoC)
pid | Process
4944 | EXCEL.EXE
Suspicious behavior: EnumeratesProcesses (4 IoCs)
pid | Process
3076 | 82f4ae80360792467e90af85e78fecad.exe
3076 | 82f4ae80360792467e90af85e78fecad.exe
4772 | ._cache_82f4ae80360792467e90af85e78fecad.exe
1624 | ._cache_Synaptics.exe
Suspicious use of AdjustPrivilegeToken (3 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 3076 | 82f4ae80360792467e90af85e78fecad.exe
Token: SeDebugPrivilege | 4772 | ._cache_82f4ae80360792467e90af85e78fecad.exe
Token: SeDebugPrivilege | 1624 | ._cache_Synaptics.exe
Suspicious use of SetWindowsHookEx (4 IoCs)
pid | Process
4944 | EXCEL.EXE
4944 | EXCEL.EXE
4944 | EXCEL.EXE
4944 | EXCEL.EXE
Suspicious use of WriteProcessMemory (32 IoCs)
The report prints one row per call; identical rows are collapsed here with their count (32 in total).
description | pid | Process | procid_target | rows
PID 3076 wrote to memory of 3400 | 3076 | 82f4ae80360792467e90af85e78fecad.exe | 96 | 3
PID 3076 wrote to memory of 4464 | 3076 | 82f4ae80360792467e90af85e78fecad.exe | 97 | 11
PID 4464 wrote to memory of 4772 | 4464 | 82f4ae80360792467e90af85e78fecad.exe | 99 | 2
PID 4464 wrote to memory of 1232 | 4464 | 82f4ae80360792467e90af85e78fecad.exe | 98 | 3
PID 1232 wrote to memory of 1664 | 1232 | Synaptics.exe | 103 | 11
PID 1664 wrote to memory of 1624 | 1664 | Synaptics.exe | 104 | 2
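Reading the SetThreadContext and WriteProcessMemory rows together is how the hollowing chain is recovered from a report like this. The script below is an added example for this page, not sandbox output and not the sample's code: it parses rows in the report's own flattened format (rebuilt inline from the per-pair counts above), takes the PID-to-image map from the process tree, and classifies each parent/child pair. The verdict labels are my own wording.

```python
"""Reconstruct the injection chain from the report's "Suspicious use of
SetThreadContext" and "Suspicious use of WriteProcessMemory" rows.

Added example for this page; not sandbox output and not code from the sample.
The rows are in the report's format; the 32 WriteProcessMemory rows are rebuilt
by repetition with the same per-pair counts the report lists.
"""
import re
from collections import Counter

SAMPLE = "82f4ae80360792467e90af85e78fecad.exe"

# Row layout as printed: "PID <src> <verb> <dst> <src> <image> <procid_target>".
WRITE_ROWS = " ".join(
    [f"PID 3076 wrote to memory of 3400 3076 {SAMPLE} 96"] * 3
    + [f"PID 3076 wrote to memory of 4464 3076 {SAMPLE} 97"] * 11
    + [f"PID 4464 wrote to memory of 4772 4464 {SAMPLE} 99"] * 2
    + [f"PID 4464 wrote to memory of 1232 4464 {SAMPLE} 98"] * 3
    + ["PID 1232 wrote to memory of 1664 1232 Synaptics.exe 103"] * 11
    + ["PID 1664 wrote to memory of 1624 1664 Synaptics.exe 104"] * 2
)
CONTEXT_ROWS = (
    f"PID 3076 set thread context of 4464 3076 {SAMPLE} 97 "
    "PID 1232 set thread context of 1664 1232 Synaptics.exe 103"
)
# Image name per PID, taken from the report's process tree.
IMAGES = {
    3076: SAMPLE, 3400: SAMPLE, 4464: SAMPLE,
    4772: "._cache_" + SAMPLE,
    1232: "Synaptics.exe", 1664: "Synaptics.exe",
    1624: "._cache_Synaptics.exe",
}

ROW = re.compile(r"PID (\d+) (wrote to memory of|set thread context of) (\d+) \d+ (\S+) (\d+)")


def parse_rows(text):
    """Yield (src_pid, verb, dst_pid) for every row in a flattened IoC line."""
    for m in ROW.finditer(text):
        yield int(m.group(1)), m.group(2), int(m.group(3))


def total_writes(text):
    return sum(1 for _ in parse_rows(text))


def classify(write_text, context_text, images):
    """Return {(src, dst): verdict} for every pair that received writes.

    'hollowing' = the parent wrote into the child AND replaced its thread
    context, with both running the same image: the classic RunPE pattern.
    Writes alone prove little; parents routinely write into children they
    have just created."""
    writes = Counter((s, d) for s, _, d in parse_rows(write_text))
    ctx = {(s, d) for s, _, d in parse_rows(context_text)}
    verdicts = {}
    for (src, dst), n in writes.items():
        same_image = images.get(src) == images.get(dst)
        if (src, dst) in ctx and same_image:
            verdicts[(src, dst)] = f"hollowing ({n} writes, context set, same image)"
        elif (src, dst) in ctx:
            verdicts[(src, dst)] = f"injection ({n} writes, context set, different image)"
        else:
            verdicts[(src, dst)] = f"writes only ({n} writes, no context set)"
    return verdicts


def hollowed_pids(write_text, context_text, images):
    """PIDs whose image was replaced in memory; dump these for the real payload."""
    verdicts = classify(write_text, context_text, images)
    return sorted(d for (s, d), why in verdicts.items() if why.startswith("hollowing"))


if __name__ == "__main__":
    for (s, d), why in sorted(classify(WRITE_ROWS, CONTEXT_ROWS, IMAGES).items()):
        print(f"{s:>5} -> {d:<5} {IMAGES[s]:<45} {why}")
    print("dump targets:", hollowed_pids(WRITE_ROWS, CONTEXT_ROWS, IMAGES))
```

Run as-is it reports 3076 -> 4464 and 1232 -> 1664 as hollowing (11 writes each, context replaced, same image), 3076 -> 3400 as writes without a context change, and the remaining three pairs as ordinary parent-to-child writes. The dump targets it returns, 4464 and 1664, are exactly the PIDs whose 0x400000-0x4E0000 dumps matched the family_snakekeylogger rule above.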
Processes
(indentation = depth in the tree; the command line follows each image path)
C:\Users\Admin\AppData\Local\Temp\82f4ae80360792467e90af85e78fecad.exe (PID 3076, depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\82f4ae80360792467e90af85e78fecad.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\82f4ae80360792467e90af85e78fecad.exe (PID 3400, depth 2)
      command line: "C:\Users\Admin\AppData\Local\Temp\82f4ae80360792467e90af85e78fecad.exe"
      (no signatures recorded)
    C:\Users\Admin\AppData\Local\Temp\82f4ae80360792467e90af85e78fecad.exe (PID 4464, depth 2)
      command line: "C:\Users\Admin\AppData\Local\Temp\82f4ae80360792467e90af85e78fecad.exe"
      - Checks computer location settings
      - Adds Run key to start application
      - Modifies registry class
      - Suspicious use of WriteProcessMemory
        C:\ProgramData\Synaptics\Synaptics.exe (PID 1232, depth 3)
          command line: "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Suspicious use of WriteProcessMemory
            C:\ProgramData\Synaptics\Synaptics.exe (PID 1664, depth 4)
              command line: "C:\ProgramData\Synaptics\Synaptics.exe"
              - Checks computer location settings
              - Executes dropped EXE
              - Modifies registry class
              - Suspicious use of WriteProcessMemory
                C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe (PID 1624, depth 5)
                  command line: "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe"
                  - Executes dropped EXE
                  - Suspicious behavior: EnumeratesProcesses
                  - Suspicious use of AdjustPrivilegeToken
        C:\Users\Admin\AppData\Local\Temp\._cache_82f4ae80360792467e90af85e78fecad.exe (PID 4772, depth 3)
          command line: "C:\Users\Admin\AppData\Local\Temp\._cache_82f4ae80360792467e90af85e78fecad.exe"
          - Executes dropped EXE
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE (PID 4944, depth 1)
  command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 216KB
MD5: ed6e4e44214298d62933193037c55da7
SHA1: cfc0e652990ee978f493fe089e419e0d3848269b
SHA256: 26e9d47cb85cd57e4a69e0178dd84f61eef39f129a7d9c670d228bd9f7aab0cd
SHA512: db06d08ee7a6f5b6573710f1fe58e8286f8759c2f0f3bd057558535f012ab24802df259264c2e4f121bd481bbf74299e77ef7bbe415d85fdfcf139a051fb7753

Filesize: 176KB
MD5: 8b4151919630ef4f1053da82cb8f1f18
SHA1: e6df53173d483e42b9e9c0c9d701fce276d98c05
SHA256: f67eab8df26386310b0cb24772603e1708b741ea8d48d2902e0fc38e304af5af
SHA512: f69f8802418df0c31cbde97fbbcdd1c5695b20ffc4ad0f3ae4c02bc85152857582736c2f9bc8c2cbe0e05d5b31aec396901b4999ac6904d44ce36235885b44df

Filesize: 1.2MB (identical hashes to the submitted sample, i.e. a byte-for-byte copy of it)
MD5: 82f4ae80360792467e90af85e78fecad
SHA1: 1c6c2801823fe1287638dc309661ff0a75f87623
SHA256: 7bc5eb4d7e5f4a51cc18540b9ed86a607ccf9979d1d19dbfd94335c8b57c70f0
SHA512: ed428169ebc0293b917a53e59129e5f746eb3ef99bd485d6575d7d15fabd2557e40592aa5c8773ff85540f1c37745f464a9a6cdb1f6af19810e7cc2a8e0d91e6

Filesize: 191KB
MD5: af85a906922b7330b5fe5da550dba49d
SHA1: 335a69a9c9567306d3670bd5909849ea0b7cddd0
SHA256: f948f1703b91b66b6c6915303cfc3914526801b14e08b41e88dbff0de751e87a
SHA512: e3a0431366e14f18bdb64bbdb28c8b9336e7c074ec01b0375497e876db379d2a174b12b9921b3653e8aee395fae232d8d2a6be4e91c975fc1aeff7e98a731089

Filesize: 121KB
MD5: 21cbcd7e0dbd6eeb8eec1200ef03c974
SHA1: 90935710302cca3d5a5c73d5e6d7c88c7cd82331
SHA256: 7785ce1ba96c1fcb4c4c54205b5a989bf9652b62009ad7aadc8282d639d6e95b
SHA512: 6762dc75623a893d5c34edc6da72c9a2d2e94bf14fb2d482c8af87fd048b77e80e48e293cc6d08759316f71ec06e64483740d567a0a6e6df800d166bae40bb71

Filesize: 17KB
MD5: e566fc53051035e1e6fd0ed1823de0f9
SHA1: 00bc96c48b98676ecd67e81a6f1d7754e4156044
SHA256: 8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15
SHA512: a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04
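To turn the Run-key, CLSID, dropped-file, ._cache_ naming and hash indicators in this report into a host check, the following is an added example for this page, not the sandbox's or the sample's code. Matching is kept separate from collection so it runs anywhere against data you pass in; only collect_windows() needs a Windows host, and it assumes read access to HKLM and %TEMP%. demo_fixture() builds constructed data (a Run entry matching the report plus placeholder files, not the real dropper) so the matcher can be exercised offline. The 1.2MB Downloads entry carries the same hashes as the submitted sample, so one SHA-256 covers both.

```python
"""Host triage for the registry, file and hash indicators in this report.

Added example for this page, not the sandbox's or the sample's code. triage()
matches data you pass in; collect_windows() is the only part that needs a
Windows host (winreg, read access to HKLM and %TEMP%).
"""
import hashlib
import os
import re
import tempfile

# "Adds Run key to start application": the report escapes backslashes; the
# stored string is the plain path. HKLM Run entries start for every user at logon.
RUN_KEY = r"SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE = "Synaptics Pointing Device Driver"
DROP_PATH = r"C:\ProgramData\Synaptics\Synaptics.exe"
# "Modifies registry class"
CLSID_KEY = (r"SOFTWARE\Classes\WOW6432Node\CLSID"
             r"\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance")
# "Executes dropped EXE": second-stage binaries carry a ._cache_ prefix in %TEMP%.
CACHE_NAME = re.compile(r"^\._cache_.+\.exe$", re.IGNORECASE)
# SHA-256 of the submitted sample and of every file listed under Downloads.
KNOWN_SHA256 = {
    "7bc5eb4d7e5f4a51cc18540b9ed86a607ccf9979d1d19dbfd94335c8b57c70f0",  # sample, 1.2MB
    "26e9d47cb85cd57e4a69e0178dd84f61eef39f129a7d9c670d228bd9f7aab0cd",  # 216KB
    "f67eab8df26386310b0cb24772603e1708b741ea8d48d2902e0fc38e304af5af",  # 176KB
    "f948f1703b91b66b6c6915303cfc3914526801b14e08b41e88dbff0de751e87a",  # 191KB
    "7785ce1ba96c1fcb4c4c54205b5a989bf9652b62009ad7aadc8282d639d6e95b",  # 121KB
    "8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15",  # 17KB
}


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def triage(run_values, present_keys, files):
    """run_values: {name: data} read from HKLM\\...\\Run; present_keys: set of
    HKLM subkeys that exist; files: paths to inspect. Returns a list of
    (indicator, detail) pairs; an empty list means nothing matched."""
    findings = []
    data = run_values.get(RUN_VALUE)
    if data is not None:
        findings.append(("run_key", f"{RUN_VALUE} = {data}"))
    if CLSID_KEY in present_keys:
        findings.append(("clsid_instance", CLSID_KEY))
    for path in files:
        if path.lower() == DROP_PATH.lower():
            findings.append(("drop_path", path))
        if CACHE_NAME.match(os.path.basename(path)):
            findings.append(("cache_name", path))
        if os.path.isfile(path):
            digest = sha256_file(path)
            if digest in KNOWN_SHA256:
                findings.append(("known_hash", f"{path} {digest}"))
    return findings


def collect_windows():
    """Live collection on a Windows host (assumes rights to read HKLM)."""
    import winreg  # Windows only
    run_values, present_keys = {}, set()
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, RUN_KEY) as key:
            i = 0
            while True:
                try:
                    name, data, _ = winreg.EnumValue(key, i)
                except OSError:  # no more values
                    break
                run_values[name] = data
                i += 1
    except OSError:
        pass
    try:
        winreg.CloseKey(winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, CLSID_KEY))
        present_keys.add(CLSID_KEY)
    except OSError:
        pass
    files = [DROP_PATH]
    temp = os.environ.get("TEMP", "")
    if os.path.isdir(temp):
        files += [os.path.join(temp, n) for n in os.listdir(temp)]
    return run_values, present_keys, files


def demo_fixture():
    """Constructed stand-in for a host: a Run entry matching the report plus a
    temp directory holding one ._cache_ executable (placeholder bytes, not the
    real dropper) and one benign file."""
    d = tempfile.mkdtemp(prefix="triage_demo_")
    cache = os.path.join(d, "._cache_Synaptics.exe")
    benign = os.path.join(d, "notes.txt")
    with open(cache, "wb") as f:
        f.write(b"MZ" + b"\x00" * 62)
    with open(benign, "wb") as f:
        f.write(b"nothing to see\n")
    run_values = {RUN_VALUE: DROP_PATH, "OneDrive": r"C:\Users\x\OneDrive.exe"}
    return run_values, set(), [cache, benign]


if __name__ == "__main__":
    source = collect_windows() if os.name == "nt" else demo_fixture()
    for indicator, detail in triage(*source):
        print(indicator, detail)
```

On the constructed fixture the matcher returns a run_key finding and a cache_name finding and no hash hit, since the placeholder file is not the real binary; on a live host the name-based and path-based indicators are the ones that survive a rebuilt or re-packed dropper, while the hash set only catches the exact files this run produced.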