snakekeylogger | e3364410363952f872fec3e73a9cd7945aa1d25b5b2fcb137b4cc57d33452f4f

Analysis

max time kernel
121s
max time network
129s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
03-04-2024 01:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0d9bd2ae2e4b023047b6c08684e9e5daae76e31cced4c3fdf4640136245f7eea.exe
Size

725KB
MD5

4b0a935fbc037ea00bf17468d4cf5b85
SHA1

169cd19c1d29bebd2c7fe5a8de25b1429f8f2aed
SHA256

0d9bd2ae2e4b023047b6c08684e9e5daae76e31cced4c3fdf4640136245f7eea
SHA512

0bee469d0188505772af1fd9af4a6710c201475340045b97024102a63aaba14f940e6ee36d118d338e836b4ee7ba03387001ce81724c4f4433123f5b9d83dd4f
SSDEEP

12288:w6Wq4aaE6KwyF5L0Y2D1PqL5C38Lua13KVsrOQW60Ztsmhv3:GthEVaPqL58F2rBjmB3

Score

10^/10

snakekeylogger collection keylogger stealer upx

Malware Config

Extracted

Family

snakekeylogger

https://scratchdreams.tk

Signatures

Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
stealer keylogger snakekeylogger

Snake Keylogger payload 33 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2568-41-0x0000000000450000-0x000000000048A000-memory.dmp	family_snakekeylogger
behavioral1/memory/2568-43-0x0000000000B10000-0x0000000000B48000-memory.dmp	family_snakekeylogger
behavioral1/memory/2568-44-0x0000000000B10000-0x0000000000B43000-memory.dmp	family_snakekeylogger
behavioral1/memory/2568-45-0x0000000000B10000-0x0000000000B43000-memory.dmp	family_snakekeylogger
behavioral1/memory/2568-49-0x0000000000B10000-0x0000000000B43000-memory.dmp	family_snakekeylogger
behavioral1/memory/2568-51-0x0000000000B10000-0x0000000000B43000-memory.dmp	family_snakekeylogger
behavioral1/memory/2568-53-0x0000000000B10000-0x0000000000B43000-memory.dmp	family_snakekeylogger
behavioral1/memory/2568-59-0x0000000000B10000-0x0000000000B43000-memory.dmp	family_snakekeylogger
behavioral1/memory/2568-61-0x0000000000B10000-0x0000000000B43000-memory.dmp	family_snakekeylogger
behavioral1/memory/2568-63-0x0000000000B10000-0x0000000000B43000-memory.dmp	family_snakekeylogger
behavioral1/memory/2568-65-0x0000000000B10000-0x0000000000B43000-memory.dmp	family_snakekeylogger
behavioral1/memory/2568-67-0x0000000000B10000-0x0000000000B43000-memory.dmp	family_snakekeylogger
behavioral1/memory/2568-69-0x0000000000B10000-0x0000000000B43000-memory.dmp	family_snakekeylogger
behavioral1/memory/2568-75-0x0000000000B10000-0x0000000000B43000-memory.dmp	family_snakekeylogger
behavioral1/memory/2568-73-0x0000000000B10000-0x0000000000B43000-memory.dmp	family_snakekeylogger
behavioral1/memory/2568-77-0x0000000000B10000-0x0000000000B43000-memory.dmp	family_snakekeylogger
behavioral1/memory/2568-79-0x0000000000B10000-0x0000000000B43000-memory.dmp	family_snakekeylogger
behavioral1/memory/2568-81-0x0000000000B10000-0x0000000000B43000-memory.dmp	family_snakekeylogger
behavioral1/memory/2568-83-0x0000000000B10000-0x0000000000B43000-memory.dmp	family_snakekeylogger
behavioral1/memory/2568-87-0x0000000000B10000-0x0000000000B43000-memory.dmp	family_snakekeylogger
behavioral1/memory/2568-89-0x0000000000B10000-0x0000000000B43000-memory.dmp	family_snakekeylogger
behavioral1/memory/2568-91-0x0000000000B10000-0x0000000000B43000-memory.dmp	family_snakekeylogger
behavioral1/memory/2568-95-0x0000000000B10000-0x0000000000B43000-memory.dmp	family_snakekeylogger
behavioral1/memory/2568-99-0x0000000000B10000-0x0000000000B43000-memory.dmp	family_snakekeylogger
behavioral1/memory/2568-101-0x0000000000B10000-0x0000000000B43000-memory.dmp	family_snakekeylogger
behavioral1/memory/2568-97-0x0000000000B10000-0x0000000000B43000-memory.dmp	family_snakekeylogger
behavioral1/memory/2568-93-0x0000000000B10000-0x0000000000B43000-memory.dmp	family_snakekeylogger
behavioral1/memory/2568-85-0x0000000000B10000-0x0000000000B43000-memory.dmp	family_snakekeylogger
behavioral1/memory/2568-71-0x0000000000B10000-0x0000000000B43000-memory.dmp	family_snakekeylogger
behavioral1/memory/2568-57-0x0000000000B10000-0x0000000000B43000-memory.dmp	family_snakekeylogger
behavioral1/memory/2568-55-0x0000000000B10000-0x0000000000B43000-memory.dmp	family_snakekeylogger
behavioral1/memory/2568-47-0x0000000000B10000-0x0000000000B43000-memory.dmp	family_snakekeylogger
behavioral1/memory/2568-635-0x0000000004CF0000-0x0000000004D30000-memory.dmp	family_snakekeylogger

Drops startup file 1 IoCs

Processes:

harrowment.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\harrowment.vbs harrowment.exe
Executes dropped EXE 1 IoCs

Processes:

harrowment.exe

pid process

2588 harrowment.exe
Loads dropped DLL 1 IoCs

Processes:

0d9bd2ae2e4b023047b6c08684e9e5daae76e31cced4c3fdf4640136245f7eea.exe

pid process

1732 0d9bd2ae2e4b023047b6c08684e9e5daae76e31cced4c3fdf4640136245f7eea.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\harrowment.vbs	harrowment.exe

pid	process
2588	harrowment.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1732-0-0x0000000000400000-0x0000000000518000-memory.dmp	upx
\Users\Admin\AppData\Local\Dunlop\harrowment.exe	upx
behavioral1/memory/1732-15-0x0000000003A20000-0x0000000003B38000-memory.dmp	upx
behavioral1/memory/1732-18-0x0000000000400000-0x0000000000518000-memory.dmp	upx
behavioral1/memory/2588-19-0x0000000000400000-0x0000000000518000-memory.dmp	upx
behavioral1/memory/2588-36-0x0000000000400000-0x0000000000518000-memory.dmp	upx

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

RegSvcs.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe
Key opened	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe
Key opened	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

4 checkip.dyndns.org

flow	ioc
4	checkip.dyndns.org

AutoIT Executable 2 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
behavioral1/memory/1732-18-0x0000000000400000-0x0000000000518000-memory.dmp	autoit_exe
behavioral1/memory/2588-36-0x0000000000400000-0x0000000000518000-memory.dmp	autoit_exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

harrowment.exe

description pid process target process

PID 2588 set thread context of 2568 2588 harrowment.exe RegSvcs.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

RegSvcs.exe

pid process

2568 RegSvcs.exe
2568 RegSvcs.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

harrowment.exe

pid process

2588 harrowment.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

RegSvcs.exe

description pid process

Token: SeDebugPrivilege 2568 RegSvcs.exe

description	pid	process	target process
PID 2588 set thread context of 2568	2588	harrowment.exe	RegSvcs.exe

pid	process
2568	RegSvcs.exe
2568	RegSvcs.exe

pid	process
2588	harrowment.exe

description	pid	process
Token: SeDebugPrivilege	2568	RegSvcs.exe

Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

0d9bd2ae2e4b023047b6c08684e9e5daae76e31cced4c3fdf4640136245f7eea.exeharrowment.exe

pid	process
1732	0d9bd2ae2e4b023047b6c08684e9e5daae76e31cced4c3fdf4640136245f7eea.exe
1732	0d9bd2ae2e4b023047b6c08684e9e5daae76e31cced4c3fdf4640136245f7eea.exe
2588	harrowment.exe
2588	harrowment.exe

Suspicious use of SendNotifyMessage 4 IoCs

Processes:

0d9bd2ae2e4b023047b6c08684e9e5daae76e31cced4c3fdf4640136245f7eea.exeharrowment.exe

pid	process
1732	0d9bd2ae2e4b023047b6c08684e9e5daae76e31cced4c3fdf4640136245f7eea.exe
1732	0d9bd2ae2e4b023047b6c08684e9e5daae76e31cced4c3fdf4640136245f7eea.exe
2588	harrowment.exe
2588	harrowment.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

0d9bd2ae2e4b023047b6c08684e9e5daae76e31cced4c3fdf4640136245f7eea.exeharrowment.exe

description	pid	process	target process
PID 1732 wrote to memory of 2588	1732	0d9bd2ae2e4b023047b6c08684e9e5daae76e31cced4c3fdf4640136245f7eea.exe	harrowment.exe
PID 1732 wrote to memory of 2588	1732	0d9bd2ae2e4b023047b6c08684e9e5daae76e31cced4c3fdf4640136245f7eea.exe	harrowment.exe
PID 1732 wrote to memory of 2588	1732	0d9bd2ae2e4b023047b6c08684e9e5daae76e31cced4c3fdf4640136245f7eea.exe	harrowment.exe
PID 1732 wrote to memory of 2588	1732	0d9bd2ae2e4b023047b6c08684e9e5daae76e31cced4c3fdf4640136245f7eea.exe	harrowment.exe
PID 2588 wrote to memory of 2568	2588	harrowment.exe	RegSvcs.exe
PID 2588 wrote to memory of 2568	2588	harrowment.exe	RegSvcs.exe
PID 2588 wrote to memory of 2568	2588	harrowment.exe	RegSvcs.exe
PID 2588 wrote to memory of 2568	2588	harrowment.exe	RegSvcs.exe
PID 2588 wrote to memory of 2568	2588	harrowment.exe	RegSvcs.exe
PID 2588 wrote to memory of 2568	2588	harrowment.exe	RegSvcs.exe
PID 2588 wrote to memory of 2568	2588	harrowment.exe	RegSvcs.exe
PID 2588 wrote to memory of 2568	2588	harrowment.exe	RegSvcs.exe

outlook_office_path 1 IoCs

Processes:

RegSvcs.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe

outlook_win_path 1 IoCs

Processes:

RegSvcs.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe

C:\Users\Admin\AppData\Local\Temp\0d9bd2ae2e4b023047b6c08684e9e5daae76e31cced4c3fdf4640136245f7eea.exe
"C:\Users\Admin\AppData\Local\Temp\0d9bd2ae2e4b023047b6c08684e9e5daae76e31cced4c3fdf4640136245f7eea.exe"
1⤵
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1732
- C:\Users\Admin\AppData\Local\Dunlop\harrowment.exe
  "C:\Users\Admin\AppData\Local\Temp\0d9bd2ae2e4b023047b6c08684e9e5daae76e31cced4c3fdf4640136245f7eea.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:2588
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    "C:\Users\Admin\AppData\Local\Temp\0d9bd2ae2e4b023047b6c08684e9e5daae76e31cced4c3fdf4640136245f7eea.exe"
    3⤵
    - Accesses Microsoft Outlook profiles
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path
    PID:2568

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\leucoryx

Filesize
224KB

MD5
2b78e824fa3a6f57ea84ac22caf7d227

SHA1
d7c60208f467cfaeb204ccfbeaceaa31f9c599d1

SHA256
e812de2b4ebe67e85dd9eb6ec0463697a86b591ed6ee703f650e198088630400

SHA512
3e9cc6510ba5004bb3b492e735a7749c8e7424dd32446890e1a9883d704363715fdf8a855bd9081b92a96225c8292ce3522eeef5b5889633af73b1cd98795b1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\poufs

Filesize
29KB

MD5
1097db4d33401c96c8c311d3f86e915e

SHA1
c7569551684b84b0a3c5ca8e64bdc4bd75452b2f

SHA256
c582dc1cc0ef4806de99dc2c9682f3f59ff42ab54c06d7f1c307cf1818cdfcb5

SHA512
3172c4601b57cad15487c69746ac79396838e5af2d1da814636277fd1b8385af7477d1add982d9e57cffd5314d3ecc0324a7428ddd15bd4e21e8d2ac6ae3ee78

Download Submit
\Users\Admin\AppData\Local\Dunlop\harrowment.exe

Filesize
100.7MB

MD5
ec9f326c6720ce376d4a553bac295cb5

SHA1
5d02d800d2629514a18eadd4232096d74ec2df4d

SHA256
e0c37bccc29ef73a54ec8f2d2939ea6a311de8bd98e7a23f0ce008d6a8ed8540

SHA512
dc16b2009fdc2fcfdd924b616ec91cbf18565180a76430e292dfd6cf49883eb09503960305f655d9c16ed536e0d62df2b4887f17c62ed0ca8a6df7398153209f

Download Submit
memory/1732-0-0x0000000000400000-0x0000000000518000-memory.dmp

Filesize
1.1MB

Download
memory/1732-11-0x00000000001D0000-0x00000000001D4000-memory.dmp

Filesize
16KB

Download
memory/1732-15-0x0000000003A20000-0x0000000003B38000-memory.dmp

Filesize
1.1MB

Download
memory/1732-18-0x0000000000400000-0x0000000000518000-memory.dmp

Filesize
1.1MB

Download
memory/2568-67-0x0000000000B10000-0x0000000000B43000-memory.dmp

Filesize
204KB

Download
memory/2568-77-0x0000000000B10000-0x0000000000B43000-memory.dmp

Filesize
204KB

Download
memory/2568-38-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2568-39-0x0000000074640000-0x0000000074D2E000-memory.dmp

Filesize
6.9MB

Download
memory/2568-40-0x0000000004CF0000-0x0000000004D30000-memory.dmp

Filesize
256KB

Download
memory/2568-41-0x0000000000450000-0x000000000048A000-memory.dmp

Filesize
232KB

Download
memory/2568-42-0x0000000004CF0000-0x0000000004D30000-memory.dmp

Filesize
256KB

Download
memory/2568-43-0x0000000000B10000-0x0000000000B48000-memory.dmp

Filesize
224KB

Download
memory/2568-44-0x0000000000B10000-0x0000000000B43000-memory.dmp

Filesize
204KB

Download
memory/2568-45-0x0000000000B10000-0x0000000000B43000-memory.dmp

Filesize
204KB

Download
memory/2568-49-0x0000000000B10000-0x0000000000B43000-memory.dmp

Filesize
204KB

Download
memory/2568-51-0x0000000000B10000-0x0000000000B43000-memory.dmp

Filesize
204KB

Download
memory/2568-53-0x0000000000B10000-0x0000000000B43000-memory.dmp

Filesize
204KB

Download
memory/2568-59-0x0000000000B10000-0x0000000000B43000-memory.dmp

Filesize
204KB

Download
memory/2568-61-0x0000000000B10000-0x0000000000B43000-memory.dmp

Filesize
204KB

Download
memory/2568-63-0x0000000000B10000-0x0000000000B43000-memory.dmp

Filesize
204KB

Download
memory/2568-65-0x0000000000B10000-0x0000000000B43000-memory.dmp

Filesize
204KB

Download
memory/2568-34-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2568-69-0x0000000000B10000-0x0000000000B43000-memory.dmp

Filesize
204KB

Download
memory/2568-75-0x0000000000B10000-0x0000000000B43000-memory.dmp

Filesize
204KB

Download
memory/2568-73-0x0000000000B10000-0x0000000000B43000-memory.dmp

Filesize
204KB

Download
memory/2568-37-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2568-79-0x0000000000B10000-0x0000000000B43000-memory.dmp

Filesize
204KB

Download
memory/2568-81-0x0000000000B10000-0x0000000000B43000-memory.dmp

Filesize
204KB

Download
memory/2568-83-0x0000000000B10000-0x0000000000B43000-memory.dmp

Filesize
204KB

Download
memory/2568-87-0x0000000000B10000-0x0000000000B43000-memory.dmp

Filesize
204KB

Download
memory/2568-89-0x0000000000B10000-0x0000000000B43000-memory.dmp

Filesize
204KB

Download
memory/2568-91-0x0000000000B10000-0x0000000000B43000-memory.dmp

Filesize
204KB

Download
memory/2568-95-0x0000000000B10000-0x0000000000B43000-memory.dmp

Filesize
204KB

Download
memory/2568-99-0x0000000000B10000-0x0000000000B43000-memory.dmp

Filesize
204KB

Download
memory/2568-101-0x0000000000B10000-0x0000000000B43000-memory.dmp

Filesize
204KB

Download
memory/2568-97-0x0000000000B10000-0x0000000000B43000-memory.dmp

Filesize
204KB

Download
memory/2568-93-0x0000000000B10000-0x0000000000B43000-memory.dmp

Filesize
204KB

Download
memory/2568-85-0x0000000000B10000-0x0000000000B43000-memory.dmp

Filesize
204KB

Download
memory/2568-71-0x0000000000B10000-0x0000000000B43000-memory.dmp

Filesize
204KB

Download
memory/2568-57-0x0000000000B10000-0x0000000000B43000-memory.dmp

Filesize
204KB

Download
memory/2568-55-0x0000000000B10000-0x0000000000B43000-memory.dmp

Filesize
204KB

Download
memory/2568-47-0x0000000000B10000-0x0000000000B43000-memory.dmp

Filesize
204KB

Download
memory/2568-632-0x0000000004CF0000-0x0000000004D30000-memory.dmp

Filesize
256KB

Download
memory/2568-633-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2568-634-0x0000000074640000-0x0000000074D2E000-memory.dmp

Filesize
6.9MB

Download
memory/2568-635-0x0000000004CF0000-0x0000000004D30000-memory.dmp

Filesize
256KB

Download
memory/2588-19-0x0000000000400000-0x0000000000518000-memory.dmp

Filesize
1.1MB

Download
memory/2588-36-0x0000000000400000-0x0000000000518000-memory.dmp

Filesize
1.1MB

Download