Analysis
- max time kernel: 122s
- max time network: 126s
- platform: windows7_x64
- resource: win7-20240319-en
- resource tags: arch:x64, arch:x86, image:win7-20240319-en, locale:en-us, os:windows7-x64, system
- submitted: 17-04-2024 12:48
Behavioral task: behavioral1
- Sample: 461bcd6658a32970b9bd12d978229b8d3c8c1f4bdf00688db287b2b7ce6c880e.exe
- Resource: win7-20240319-en
Behavioral task: behavioral2
- Sample: 461bcd6658a32970b9bd12d978229b8d3c8c1f4bdf00688db287b2b7ce6c880e.exe
- Resource: win10v2004-20240412-en
General
- Target: 461bcd6658a32970b9bd12d978229b8d3c8c1f4bdf00688db287b2b7ce6c880e.exe
- Size: 129KB
- MD5: ccfdbf07643aed4c333fad91828e4a80
- SHA1: ccb1efa6c2ef21eb912bfdabb9a6bccb374dc248
- SHA256: 461bcd6658a32970b9bd12d978229b8d3c8c1f4bdf00688db287b2b7ce6c880e
- SHA512: c9bd1a9ac30e941eae5acf39cff6c6b0ac8a95e7bd0c656496851f15fcce345f4cf0371df6aad709c4f72845ad496291a70d9364572abdd8da0d7444f385b6c7
- SSDEEP: 3072:jeHgpwPUTi/GIRhvudmxG9OCAXGtsddlQbgkVcsQvwvxLob3mDbY:VpmNZMm7Lqbfcb30b
Malware Config
Extracted: snakekeylogger
- Protocol: smtp
- Host: mail.stpgig.com
- Port: 587
- Username: info@stpgig.com
- Password: Stpgig#Login21
- https://scratchdreams.tk
Signatures
- Snake Keylogger
  Keylogger and Infostealer first seen in November 2020.
- Snake Keylogger payload (1 IoCs)
  Processes:
  resource | yara_rule
  behavioral1/memory/2112-0-0x000000013F8C0000-0x000000013F8E4000-memory.dmp | family_snakekeylogger
- Deletes itself (1 IoCs)
  Processes: cmd.exe
  pid | process
  2168 | cmd.exe
- Looks up external IP address via web service (1 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes:
  flow | ioc
  2 | checkip.dyndns.org
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: EnumeratesProcesses (1 IoCs)
  Processes: 461bcd6658a32970b9bd12d978229b8d3c8c1f4bdf00688db287b2b7ce6c880e.exe
  pid | process
  2112 | 461bcd6658a32970b9bd12d978229b8d3c8c1f4bdf00688db287b2b7ce6c880e.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes: 461bcd6658a32970b9bd12d978229b8d3c8c1f4bdf00688db287b2b7ce6c880e.exe
  description | pid | process
  Token: SeDebugPrivilege | 2112 | 461bcd6658a32970b9bd12d978229b8d3c8c1f4bdf00688db287b2b7ce6c880e.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes: 461bcd6658a32970b9bd12d978229b8d3c8c1f4bdf00688db287b2b7ce6c880e.exe, cmd.exe
  description | pid | process | target process
  PID 2112 wrote to memory of 2168 | 2112 | 461bcd6658a32970b9bd12d978229b8d3c8c1f4bdf00688db287b2b7ce6c880e.exe | cmd.exe
  PID 2112 wrote to memory of 2168 | 2112 | 461bcd6658a32970b9bd12d978229b8d3c8c1f4bdf00688db287b2b7ce6c880e.exe | cmd.exe
  PID 2112 wrote to memory of 2168 | 2112 | 461bcd6658a32970b9bd12d978229b8d3c8c1f4bdf00688db287b2b7ce6c880e.exe | cmd.exe
  PID 2168 wrote to memory of 2272 | 2168 | cmd.exe | choice.exe
  PID 2168 wrote to memory of 2272 | 2168 | cmd.exe | choice.exe
  PID 2168 wrote to memory of 2272 | 2168 | cmd.exe | choice.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\461bcd6658a32970b9bd12d978229b8d3c8c1f4bdf00688db287b2b7ce6c880e.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\461bcd6658a32970b9bd12d978229b8d3c8c1f4bdf00688db287b2b7ce6c880e.exe"
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\System32\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\461bcd6658a32970b9bd12d978229b8d3c8c1f4bdf00688db287b2b7ce6c880e.exe"
      - Deletes itself
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\system32\choice.exe
         Command line: choice /C Y /N /D Y /T 3
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Downloads
- memory/2112-0-0x000000013F8C0000-0x000000013F8E4000-memory.dmp (Filesize: 144KB)
- memory/2112-1-0x000007FEF54D0000-0x000007FEF5EBC000-memory.dmp (Filesize: 9.9MB)
- memory/2112-2-0x000000001AFC0000-0x000000001B040000-memory.dmp (Filesize: 512KB)
- memory/2112-3-0x000007FEF54D0000-0x000007FEF5EBC000-memory.dmp (Filesize: 9.9MB)