Overview

overview

10

Static

static

3

7161d933e8...04.exe

windows7-x64

10

7161d933e8...04.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    92s
  • max time network
    98s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240412-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
  • submitted
    17-04-2024 14:22

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    7161d933e8ce30fc8824cb3532294905ca0582760a306254ad03318619519c04.exe

  • Size

    333KB

  • MD5

    b9d77c2410b5808b0e703395bb2907b7

  • SHA1

    32e61029b0c3c25c56d5862068a3410a30a7670f

  • SHA256

    7161d933e8ce30fc8824cb3532294905ca0582760a306254ad03318619519c04

  • SHA512

    c9c9110c22efd1c246f289396cc00c2e2cccef97e37914a73430fa08b7ea6e8b94b61c602ea82fde28e0e956894c01fbc44d9c105902684ac5b4b83bb3388614

  • SSDEEP

    6144:mTyLMh4wMzywrWIq/2K7SBBMIARmCmwOE7bjVPJcfsduGAnx:LLMSewr9hBSRmp6BPJU7GAx

Score
10/10
snakekeyloggerkeyloggerstealer

Malware Config

Extracted

Family

snakekeylogger

C2

http://varders.kozow.com:8081

http://aborters.duckdns.org:8081

http://anotherarmy.dns.army:8081

Signatures

  • Snake Keylogger

    Keylogger and Infostealer first seen in November 2020.

    stealerkeyloggersnakekeylogger
  • Snake Keylogger payload 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\7161d933e8ce30fc8824cb3532294905ca0582760a306254ad03318619519c04.exe
    "C:\Users\Admin\AppData\Local\Temp\7161d933e8ce30fc8824cb3532294905ca0582760a306254ad03318619519c04.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:4732
    • C:\Users\Admin\AppData\Local\Temp\7161d933e8ce30fc8824cb3532294905ca0582760a306254ad03318619519c04.exe
      "C:\Users\Admin\AppData\Local\Temp\7161d933e8ce30fc8824cb3532294905ca0582760a306254ad03318619519c04.exe"
      2⤵
      • Checks computer location settings
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3820
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\7161d933e8ce30fc8824cb3532294905ca0582760a306254ad03318619519c04.exe"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2036
        • C:\Windows\SysWOW64\choice.exe
          choice /C Y /N /D Y /T 3
          4⤵
            PID:2432

    Network

    MITRE ATT&CK Matrix ATT&CK v13

    Initial Access

    Execution

    Persistence

    Privilege Escalation

    Defense Evasion

    Credential Access

    Discovery

    Query Registry

    1
    T1012

    System Information Discovery

    2
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Resource Development

    Reconnaissance

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\7161d933e8ce30fc8824cb3532294905ca0582760a306254ad03318619519c04.exe.log
      Filesize

      706B

      MD5

      2ef5ef69dadb8865b3d5b58c956077b8

      SHA1

      af2d869bac00685c745652bbd8b3fe82829a8998

      SHA256

      363502eb2a4e53ba02d2d85412b901fcf8e06de221736bdffa949799ef3d21e3

      SHA512

      66d4db5dd17d88e1d54ea0df3a7211a503dc4355de701259cefccc9f2e4e3ced9534b700099ffbb089a5a3acb082011c80b61801aa14aff76b379ce8f90d4fd3

      Download Submit
    • memory/3820-8-0x0000000000400000-0x000000000041C000-memory.dmp
      Filesize

      112KB

      Download
    • memory/3820-14-0x0000000074E70000-0x0000000075620000-memory.dmp
      Filesize

      7.7MB

      Download
    • memory/3820-13-0x00000000052F0000-0x0000000005300000-memory.dmp
      Filesize

      64KB

      Download
    • memory/3820-12-0x0000000074E70000-0x0000000075620000-memory.dmp
      Filesize

      7.7MB

      Download
    • memory/4732-3-0x0000000005250000-0x00000000052E2000-memory.dmp
      Filesize

      584KB

      Download
    • memory/4732-6-0x0000000005440000-0x00000000054DC000-memory.dmp
      Filesize

      624KB

      Download
    • memory/4732-7-0x0000000005360000-0x0000000005368000-memory.dmp
      Filesize

      32KB

      Download
    • memory/4732-5-0x0000000005430000-0x0000000005440000-memory.dmp
      Filesize

      64KB

      Download
    • memory/4732-4-0x00000000052F0000-0x000000000533A000-memory.dmp
      Filesize

      296KB

      Download
    • memory/4732-1-0x0000000074E70000-0x0000000075620000-memory.dmp
      Filesize

      7.7MB

      Download
    • memory/4732-11-0x0000000074E70000-0x0000000075620000-memory.dmp
      Filesize

      7.7MB

      Download
    • memory/4732-2-0x0000000005800000-0x0000000005DA4000-memory.dmp
      Filesize

      5.6MB

      Download
    • memory/4732-0-0x00000000007F0000-0x000000000084A000-memory.dmp
      Filesize

      360KB

      Download