snakekeylogger | cc29764f5e01f950b0db52e5caac83b448fda9e7defacf1a9a19a7e4aa96757e

General

Target

cc29764f5e01f950b0db52e5caac83b448fda9e7defacf1a9a19a7e4aa96757e.exe
Size

979KB
MD5

9acdf190d911622ddf291d009bbfc43d
SHA1

0bc2ca1851c17cdef12194a9e9a61fc37c7f1532
SHA256

cc29764f5e01f950b0db52e5caac83b448fda9e7defacf1a9a19a7e4aa96757e
SHA512

38dc41d16603917c69095076652af0fb8c88e3b34a4d458db7c14f9df30011132d533787b6f2ee413bc323443cff617c19666caeab95590bc7fface8204c13cc
SSDEEP

12288:CRLIA/zRcb5HkSGG60AEyUpiHRb9Jx6ZBkZkHni5Z+CxDIhUIYJyGMXD:CRLIGcb5/O9oixbIkZI2I6AGMXD

Score

10^/10

snakekeylogger keylogger stealer

Malware Config

Extracted

Family

snakekeylogger

C2

https://scratchdreams.tk

Signatures

Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
stealer keylogger snakekeylogger

Snake Keylogger payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1632-29-0x0000000140000000-0x0000000140024000-memory.dmp	family_snakekeylogger
behavioral1/memory/1632-34-0x0000000140000000-0x0000000140024000-memory.dmp	family_snakekeylogger

Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers. 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1632-29-0x0000000140000000-0x0000000140024000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_References_Browsers
behavioral1/memory/1632-34-0x0000000140000000-0x0000000140024000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_References_Browsers

Detects executables referencing many email and collaboration clients. Observed in information stealers 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1632-29-0x0000000140000000-0x0000000140024000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
behavioral1/memory/1632-34-0x0000000140000000-0x0000000140024000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients

Detects executables with potential process hoocking 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1632-29-0x0000000140000000-0x0000000140024000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook
behavioral1/memory/1632-34-0x0000000140000000-0x0000000140024000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook

Suspicious use of SetThreadContext 1 IoCs

Processes:

cc29764f5e01f950b0db52e5caac83b448fda9e7defacf1a9a19a7e4aa96757e.exe

description	pid	process	target process
PID 2304 set thread context of 1632	2304	cc29764f5e01f950b0db52e5caac83b448fda9e7defacf1a9a19a7e4aa96757e.exe	cc29764f5e01f950b0db52e5caac83b448fda9e7defacf1a9a19a7e4aa96757e.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

2344 schtasks.exe

pid	process
2344	schtasks.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

cc29764f5e01f950b0db52e5caac83b448fda9e7defacf1a9a19a7e4aa96757e.exepowershell.exepowershell.exe

pid	process
2304	cc29764f5e01f950b0db52e5caac83b448fda9e7defacf1a9a19a7e4aa96757e.exe
2304	cc29764f5e01f950b0db52e5caac83b448fda9e7defacf1a9a19a7e4aa96757e.exe
2304	cc29764f5e01f950b0db52e5caac83b448fda9e7defacf1a9a19a7e4aa96757e.exe
2304	cc29764f5e01f950b0db52e5caac83b448fda9e7defacf1a9a19a7e4aa96757e.exe
2304	cc29764f5e01f950b0db52e5caac83b448fda9e7defacf1a9a19a7e4aa96757e.exe
2304	cc29764f5e01f950b0db52e5caac83b448fda9e7defacf1a9a19a7e4aa96757e.exe
2596	powershell.exe
2380	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

cc29764f5e01f950b0db52e5caac83b448fda9e7defacf1a9a19a7e4aa96757e.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	2304	cc29764f5e01f950b0db52e5caac83b448fda9e7defacf1a9a19a7e4aa96757e.exe
Token: SeDebugPrivilege	2380	powershell.exe
Token: SeDebugPrivilege	2596	powershell.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

cc29764f5e01f950b0db52e5caac83b448fda9e7defacf1a9a19a7e4aa96757e.exe

description	pid	process	target process
PID 2304 wrote to memory of 2596	2304	cc29764f5e01f950b0db52e5caac83b448fda9e7defacf1a9a19a7e4aa96757e.exe	powershell.exe
PID 2304 wrote to memory of 2596	2304	cc29764f5e01f950b0db52e5caac83b448fda9e7defacf1a9a19a7e4aa96757e.exe	powershell.exe
PID 2304 wrote to memory of 2596	2304	cc29764f5e01f950b0db52e5caac83b448fda9e7defacf1a9a19a7e4aa96757e.exe	powershell.exe
PID 2304 wrote to memory of 2380	2304	cc29764f5e01f950b0db52e5caac83b448fda9e7defacf1a9a19a7e4aa96757e.exe	powershell.exe
PID 2304 wrote to memory of 2380	2304	cc29764f5e01f950b0db52e5caac83b448fda9e7defacf1a9a19a7e4aa96757e.exe	powershell.exe
PID 2304 wrote to memory of 2380	2304	cc29764f5e01f950b0db52e5caac83b448fda9e7defacf1a9a19a7e4aa96757e.exe	powershell.exe
PID 2304 wrote to memory of 2344	2304	cc29764f5e01f950b0db52e5caac83b448fda9e7defacf1a9a19a7e4aa96757e.exe	schtasks.exe
PID 2304 wrote to memory of 2344	2304	cc29764f5e01f950b0db52e5caac83b448fda9e7defacf1a9a19a7e4aa96757e.exe	schtasks.exe
PID 2304 wrote to memory of 2344	2304	cc29764f5e01f950b0db52e5caac83b448fda9e7defacf1a9a19a7e4aa96757e.exe	schtasks.exe
PID 2304 wrote to memory of 1632	2304	cc29764f5e01f950b0db52e5caac83b448fda9e7defacf1a9a19a7e4aa96757e.exe	cc29764f5e01f950b0db52e5caac83b448fda9e7defacf1a9a19a7e4aa96757e.exe
PID 2304 wrote to memory of 1632	2304	cc29764f5e01f950b0db52e5caac83b448fda9e7defacf1a9a19a7e4aa96757e.exe	cc29764f5e01f950b0db52e5caac83b448fda9e7defacf1a9a19a7e4aa96757e.exe
PID 2304 wrote to memory of 1632	2304	cc29764f5e01f950b0db52e5caac83b448fda9e7defacf1a9a19a7e4aa96757e.exe	cc29764f5e01f950b0db52e5caac83b448fda9e7defacf1a9a19a7e4aa96757e.exe
PID 2304 wrote to memory of 1632	2304	cc29764f5e01f950b0db52e5caac83b448fda9e7defacf1a9a19a7e4aa96757e.exe	cc29764f5e01f950b0db52e5caac83b448fda9e7defacf1a9a19a7e4aa96757e.exe
PID 2304 wrote to memory of 1632	2304	cc29764f5e01f950b0db52e5caac83b448fda9e7defacf1a9a19a7e4aa96757e.exe	cc29764f5e01f950b0db52e5caac83b448fda9e7defacf1a9a19a7e4aa96757e.exe
PID 2304 wrote to memory of 1632	2304	cc29764f5e01f950b0db52e5caac83b448fda9e7defacf1a9a19a7e4aa96757e.exe	cc29764f5e01f950b0db52e5caac83b448fda9e7defacf1a9a19a7e4aa96757e.exe
PID 2304 wrote to memory of 1632	2304	cc29764f5e01f950b0db52e5caac83b448fda9e7defacf1a9a19a7e4aa96757e.exe	cc29764f5e01f950b0db52e5caac83b448fda9e7defacf1a9a19a7e4aa96757e.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\cc29764f5e01f950b0db52e5caac83b448fda9e7defacf1a9a19a7e4aa96757e.exe
"C:\Users\Admin\AppData\Local\Temp\cc29764f5e01f950b0db52e5caac83b448fda9e7defacf1a9a19a7e4aa96757e.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2304
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\cc29764f5e01f950b0db52e5caac83b448fda9e7defacf1a9a19a7e4aa96757e.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2596
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\fTtNVWzGzI.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2380
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\fTtNVWzGzI" /XML "C:\Users\Admin\AppData\Local\Temp\tmp7DD.tmp"
  2⤵
  - Creates scheduled task(s)
  PID:2344
- C:\Users\Admin\AppData\Local\Temp\cc29764f5e01f950b0db52e5caac83b448fda9e7defacf1a9a19a7e4aa96757e.exe
  C:\Users\Admin\AppData\Local\Temp\cc29764f5e01f950b0db52e5caac83b448fda9e7defacf1a9a19a7e4aa96757e.exe
  2⤵
  PID:1632

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp7DD.tmp

Filesize
1KB

MD5
9c5d67263ba66e2ef79eba7f68dd5585

SHA1
0ee3b4e80fe5f997ed2d8a9ff05a2ce173edc271

SHA256
4acffd4213c08f71cc5bd44c1a7e0923bea5b0dc1de3b685428d893256b6d379

SHA512
604868ff87b5ecc94af01f69f575ccf1da19450fb646286165ab38f9ee5be5b104542bf3e59eb41702852155899501188664aa70967af6463fe6291cf2d5564b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
556ca0d70da5ef2c527492986217268e

SHA1
5d5ae28ce2beeb65553e2a06d35780307749d89d

SHA256
67717f2dc1e75cc7e8ea2467fb7485d910a1d8b4a045ac217a1c0c8c53a0372c

SHA512
1d7dde072b45df95a5c493630310d3373674025a328f8d0527640b91a6a082c3af1bc46456752b9288a54de04253cc336055508da37d1e0dfa8ab803915f14a6

Download Submit
memory/1632-40-0x000000013FFF0000-0x000000013FFF0000-memory.dmp

Download
memory/1632-34-0x0000000140000000-0x0000000140024000-memory.dmp

Filesize
144KB

Download
memory/1632-29-0x0000000140000000-0x0000000140024000-memory.dmp

Filesize
144KB

Download
memory/1632-27-0x0000000140000000-0x0000000140024000-memory.dmp

Filesize
144KB

Download
memory/1632-25-0x0000000140000000-0x0000000140024000-memory.dmp

Filesize
144KB

Download
memory/1632-43-0x000007FEF5740000-0x000007FEF612C000-memory.dmp

Filesize
9.9MB

Download
memory/1632-32-0x000007FFFFFDB000-0x000007FFFFFDC000-memory.dmp

Filesize
4KB

Download
memory/2304-4-0x00000000005D0000-0x00000000005E2000-memory.dmp

Filesize
72KB

Download
memory/2304-8-0x000000001BDB0000-0x000000001BE30000-memory.dmp

Filesize
512KB

Download
memory/2304-7-0x000007FEF5740000-0x000007FEF612C000-memory.dmp

Filesize
9.9MB

Download
memory/2304-6-0x000000001B830000-0x000000001B8A8000-memory.dmp

Filesize
480KB

Download
memory/2304-5-0x00000000005E0000-0x00000000005F0000-memory.dmp

Filesize
64KB

Download
memory/2304-38-0x000007FEF5740000-0x000007FEF612C000-memory.dmp

Filesize
9.9MB

Download
memory/2304-3-0x00000000005B0000-0x00000000005CA000-memory.dmp

Filesize
104KB

Download
memory/2304-0-0x000000013FFF0000-0x00000001400E8000-memory.dmp

Filesize
992KB

Download
memory/2304-2-0x000000001BDB0000-0x000000001BE30000-memory.dmp

Filesize
512KB

Download
memory/2304-1-0x000007FEF5740000-0x000007FEF612C000-memory.dmp

Filesize
9.9MB

Download
memory/2380-45-0x0000000002980000-0x0000000002A00000-memory.dmp

Filesize
512KB

Download
memory/2380-42-0x0000000002980000-0x0000000002A00000-memory.dmp

Filesize
512KB

Download
memory/2380-41-0x000007FEEF030000-0x000007FEEF9CD000-memory.dmp

Filesize
9.6MB

Download
memory/2380-51-0x000007FEEF030000-0x000007FEEF9CD000-memory.dmp

Filesize
9.6MB

Download
memory/2380-44-0x000007FEEF030000-0x000007FEEF9CD000-memory.dmp

Filesize
9.6MB

Download
memory/2380-49-0x0000000002980000-0x0000000002A00000-memory.dmp

Filesize
512KB

Download
memory/2380-46-0x0000000002980000-0x0000000002A00000-memory.dmp

Filesize
512KB

Download
memory/2596-35-0x0000000002680000-0x0000000002700000-memory.dmp

Filesize
512KB

Download
memory/2596-23-0x000000001B2B0000-0x000000001B592000-memory.dmp

Filesize
2.9MB

Download
memory/2596-24-0x0000000001F30000-0x0000000001F38000-memory.dmp

Filesize
32KB

Download
memory/2596-47-0x0000000002680000-0x0000000002700000-memory.dmp

Filesize
512KB

Download
memory/2596-31-0x000007FEEF030000-0x000007FEEF9CD000-memory.dmp

Filesize
9.6MB

Download
memory/2596-50-0x000007FEEF030000-0x000007FEEF9CD000-memory.dmp

Filesize
9.6MB

Download
memory/2596-39-0x000007FEEF030000-0x000007FEEF9CD000-memory.dmp

Filesize
9.6MB

Download
memory/2596-48-0x0000000002680000-0x0000000002700000-memory.dmp

Filesize
512KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads