Analysis
-
max time kernel
91s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20231215-en -
resource tags
arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system -
submitted
31/01/2024, 06:03
Static task
static1
Behavioral task
behavioral1
Sample
83a382ea65d6af24d5cae40e9f9001e4.exe
Resource
win7-20231215-en
Behavioral task
behavioral2
Sample
83a382ea65d6af24d5cae40e9f9001e4.exe
Resource
win10v2004-20231215-en
General
-
Target
83a382ea65d6af24d5cae40e9f9001e4.exe
-
Size
1.2MB
-
MD5
83a382ea65d6af24d5cae40e9f9001e4
-
SHA1
176c4f6fa0eefa67c58699a723b6f7c7260ce33f
-
SHA256
bd9fc23a41c4112c346a69c0a750405ff5590c1e5e7b6851eeeb6eda5a0743b6
-
SHA512
9d303b51e87f160a8bf0aa2ee6bd36d7b169d52b1814a5e52cea9b7aea2789a2ec8a254c438202eb7078f07d1925073615738712cf69996e047ed431e01e7e13
-
SSDEEP
24576:NuPX76DOUfx8Dgyfx8Dg6SniEXxklHpi9QV6AbwDZ5SL:QX76d58Dgy58Dg6VuQV6xZA
Malware Config
Extracted
snakekeylogger
Protocol: smtp- Host:
mail.ccmainoffice.com - Port:
587 - Username:
[email protected] - Password:
QAZqaz123@ - Email To:
[email protected]
Signatures
-
Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
-
Snake Keylogger payload 1 IoCs
resource yara_rule behavioral2/memory/1300-12-0x0000000000400000-0x0000000000424000-memory.dmp family_snakekeylogger -
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 34 checkip.dyndns.org 36 freegeoip.app 37 freegeoip.app -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 2064 set thread context of 1300 2064 83a382ea65d6af24d5cae40e9f9001e4.exe 95 -
Program crash 1 IoCs
pid pid_target Process procid_target 4440 1300 WerFault.exe 95 -
Suspicious behavior: EnumeratesProcesses 10 IoCs
pid Process 2064 83a382ea65d6af24d5cae40e9f9001e4.exe 2064 83a382ea65d6af24d5cae40e9f9001e4.exe 2064 83a382ea65d6af24d5cae40e9f9001e4.exe 2064 83a382ea65d6af24d5cae40e9f9001e4.exe 2064 83a382ea65d6af24d5cae40e9f9001e4.exe 2064 83a382ea65d6af24d5cae40e9f9001e4.exe 2064 83a382ea65d6af24d5cae40e9f9001e4.exe 2064 83a382ea65d6af24d5cae40e9f9001e4.exe 2064 83a382ea65d6af24d5cae40e9f9001e4.exe 1300 83a382ea65d6af24d5cae40e9f9001e4.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 2064 83a382ea65d6af24d5cae40e9f9001e4.exe Token: SeDebugPrivilege 1300 83a382ea65d6af24d5cae40e9f9001e4.exe -
Suspicious use of WriteProcessMemory 20 IoCs
description pid Process procid_target PID 2064 wrote to memory of 1120 2064 83a382ea65d6af24d5cae40e9f9001e4.exe 91 PID 2064 wrote to memory of 1120 2064 83a382ea65d6af24d5cae40e9f9001e4.exe 91 PID 2064 wrote to memory of 1120 2064 83a382ea65d6af24d5cae40e9f9001e4.exe 91 PID 2064 wrote to memory of 3952 2064 83a382ea65d6af24d5cae40e9f9001e4.exe 92 PID 2064 wrote to memory of 3952 2064 83a382ea65d6af24d5cae40e9f9001e4.exe 92 PID 2064 wrote to memory of 3952 2064 83a382ea65d6af24d5cae40e9f9001e4.exe 92 PID 2064 wrote to memory of 4900 2064 83a382ea65d6af24d5cae40e9f9001e4.exe 93 PID 2064 wrote to memory of 4900 2064 83a382ea65d6af24d5cae40e9f9001e4.exe 93 PID 2064 wrote to memory of 4900 2064 83a382ea65d6af24d5cae40e9f9001e4.exe 93 PID 2064 wrote to memory of 5060 2064 83a382ea65d6af24d5cae40e9f9001e4.exe 94 PID 2064 wrote to memory of 5060 2064 83a382ea65d6af24d5cae40e9f9001e4.exe 94 PID 2064 wrote to memory of 5060 2064 83a382ea65d6af24d5cae40e9f9001e4.exe 94 PID 2064 wrote to memory of 1300 2064 83a382ea65d6af24d5cae40e9f9001e4.exe 95 PID 2064 wrote to memory of 1300 2064 83a382ea65d6af24d5cae40e9f9001e4.exe 95 PID 2064 wrote to memory of 1300 2064 83a382ea65d6af24d5cae40e9f9001e4.exe 95 PID 2064 wrote to memory of 1300 2064 83a382ea65d6af24d5cae40e9f9001e4.exe 95 PID 2064 wrote to memory of 1300 2064 83a382ea65d6af24d5cae40e9f9001e4.exe 95 PID 2064 wrote to memory of 1300 2064 83a382ea65d6af24d5cae40e9f9001e4.exe 95 PID 2064 wrote to memory of 1300 2064 83a382ea65d6af24d5cae40e9f9001e4.exe 95 PID 2064 wrote to memory of 1300 2064 83a382ea65d6af24d5cae40e9f9001e4.exe 95
Processes
-
C:\Users\Admin\AppData\Local\Temp\83a382ea65d6af24d5cae40e9f9001e4.exe"C:\Users\Admin\AppData\Local\Temp\83a382ea65d6af24d5cae40e9f9001e4.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2064 -
C:\Users\Admin\AppData\Local\Temp\83a382ea65d6af24d5cae40e9f9001e4.exe"C:\Users\Admin\AppData\Local\Temp\83a382ea65d6af24d5cae40e9f9001e4.exe"2⤵PID:1120
-
-
C:\Users\Admin\AppData\Local\Temp\83a382ea65d6af24d5cae40e9f9001e4.exe"C:\Users\Admin\AppData\Local\Temp\83a382ea65d6af24d5cae40e9f9001e4.exe"2⤵PID:3952
-
-
C:\Users\Admin\AppData\Local\Temp\83a382ea65d6af24d5cae40e9f9001e4.exe"C:\Users\Admin\AppData\Local\Temp\83a382ea65d6af24d5cae40e9f9001e4.exe"2⤵PID:4900
-
-
C:\Users\Admin\AppData\Local\Temp\83a382ea65d6af24d5cae40e9f9001e4.exe"C:\Users\Admin\AppData\Local\Temp\83a382ea65d6af24d5cae40e9f9001e4.exe"2⤵PID:5060
-
-
C:\Users\Admin\AppData\Local\Temp\83a382ea65d6af24d5cae40e9f9001e4.exe"C:\Users\Admin\AppData\Local\Temp\83a382ea65d6af24d5cae40e9f9001e4.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1300 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1300 -s 18083⤵
- Program crash
PID:4440
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 1300 -ip 13001⤵PID:1580
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\83a382ea65d6af24d5cae40e9f9001e4.exe.log
Filesize1KB
MD58ec831f3e3a3f77e4a7b9cd32b48384c
SHA1d83f09fd87c5bd86e045873c231c14836e76a05c
SHA2567667e538030e3f8ce2886e47a01af24cb0ea70528b1e821c5d8832c5076cb982
SHA51226bffa2406b66368bd412bf25869a792631455645992cdcade2dbc13a2e56fb546414a6a9223b94c96c38d89187add6678d4779a88b38b0c9e36be8527b213c3