Analysis
-
max time kernel
168s -
max time network
198s -
platform
windows10-2004_x64 -
resource
win10v2004-20240412-en -
resource tags
-
submitted
17-04-2024 14:28
General
-
Target
0a502f2e9bc9853efab9088f64a1082edb24ccab2800c1f072cc8c453e552203.exe
-
Size
552KB
-
MD5
8372c6e789284d2e07aa36d67b51b1c8
-
SHA1
027f8b31345997a519cdcb505a40fabc0d7cfa9b
-
SHA256
0a502f2e9bc9853efab9088f64a1082edb24ccab2800c1f072cc8c453e552203
-
SHA512
eab39b7596149c1c2832106fd1a0c749213883e996372ad80dbc71d6b9eb62c6557c833f0783f88f76fc15536c6f6295f782a23323c2a027e7d153276b88161b
-
SSDEEP
12288:VxEd6VdEMiYfrUM74aWr7m9a1mso4QCRxuZp6NNNWeRX9:VxcuddrbzWrfqCjoYNN0eRX
Malware Config
Extracted
snakekeylogger
http://varders.kozow.com:8081
http://aborters.duckdns.org:8081
http://anotherarmy.dns.army:8081
Signatures
-
Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
-
Snake Keylogger payload 1 IoCs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 13 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of WriteProcessMemory 8 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\0a502f2e9bc9853efab9088f64a1082edb24ccab2800c1f072cc8c453e552203.exe"C:\Users\Admin\AppData\Local\Temp\0a502f2e9bc9853efab9088f64a1082edb24ccab2800c1f072cc8c453e552203.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/208-13-0x0000000000400000-0x0000000000426000-memory.dmpFilesize
152KB
-
memory/208-19-0x0000000005140000-0x0000000005150000-memory.dmpFilesize
64KB
-
memory/208-18-0x0000000074E40000-0x00000000755F0000-memory.dmpFilesize
7.7MB
-
memory/208-17-0x0000000005140000-0x0000000005150000-memory.dmpFilesize
64KB
-
memory/208-15-0x0000000074E40000-0x00000000755F0000-memory.dmpFilesize
7.7MB
-
memory/2804-8-0x0000000005630000-0x0000000005640000-memory.dmpFilesize
64KB
-
memory/2804-12-0x0000000008090000-0x000000000812C000-memory.dmpFilesize
624KB
-
memory/2804-7-0x0000000074E40000-0x00000000755F0000-memory.dmpFilesize
7.7MB
-
memory/2804-1-0x0000000074E40000-0x00000000755F0000-memory.dmpFilesize
7.7MB
-
memory/2804-9-0x0000000005D10000-0x0000000005D1A000-memory.dmpFilesize
40KB
-
memory/2804-10-0x0000000006BF0000-0x0000000006BFE000-memory.dmpFilesize
56KB
-
memory/2804-11-0x0000000006C20000-0x0000000006C8E000-memory.dmpFilesize
440KB
-
memory/2804-6-0x0000000005910000-0x0000000005924000-memory.dmpFilesize
80KB
-
memory/2804-5-0x0000000005860000-0x000000000586A000-memory.dmpFilesize
40KB
-
memory/2804-4-0x0000000005630000-0x0000000005640000-memory.dmpFilesize
64KB
-
memory/2804-16-0x0000000074E40000-0x00000000755F0000-memory.dmpFilesize
7.7MB
-
memory/2804-3-0x0000000005690000-0x0000000005722000-memory.dmpFilesize
584KB
-
memory/2804-2-0x0000000005D20000-0x00000000062C4000-memory.dmpFilesize
5.6MB
-
memory/2804-0-0x0000000000C30000-0x0000000000CC0000-memory.dmpFilesize
576KB