Analysis
max time kernel
122s
max time network
123s
platform
windows7_x64
resource
win7-20240221-en
resource tags
arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted
09-05-2024 01:07
Static task
static1
Behavioral task
behavioral1
Sample
11dc8824044bb1848e5675025a503ac5f37a277883f4522d0e8a4f238d049345.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
11dc8824044bb1848e5675025a503ac5f37a277883f4522d0e8a4f238d049345.exe
Resource
win10v2004-20240508-en
General
Target
11dc8824044bb1848e5675025a503ac5f37a277883f4522d0e8a4f238d049345.exe
Size
599KB
MD5
3163a6168fc16f3641c22d3a8e9d75bd
SHA1
b0c467c47e91d23cf21f400af048f91bc25aa9a8
SHA256
11dc8824044bb1848e5675025a503ac5f37a277883f4522d0e8a4f238d049345
SHA512
7eafd23dadab35d668f06ce27e221250f01fd559095ef328e89dade2a76de8a07406c92cfc544ea8e0ab153e9d84ac293b4c032ac79e3ba6ce7d4d17dcfb25d6
SSDEEP
12288:oJXiAEfDZqLo4Ms/5Waw8FqRxfmngADi69JGi+G5iphWbKhKMkKDO:ARE7ZYo4Mq5Wb8Fsx+ngIx3AVhWbKGKO
Malware Config
Extracted
snakekeylogger
Protocol: smtp
Host: mail.speedhouseoman.com
Port: 587
Username: [email protected]
Password: SpH@0084
https://scratchdreams.tk
Signatures
Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
Snake Keylogger payload 5 IoCs
Processes:
resource | yara_rule
behavioral1/memory/2640-20-0x0000000000400000-0x0000000000426000-memory.dmp | family_snakekeylogger
behavioral1/memory/2640-25-0x0000000000400000-0x0000000000426000-memory.dmp | family_snakekeylogger
behavioral1/memory/2640-24-0x0000000000400000-0x0000000000426000-memory.dmp | family_snakekeylogger
behavioral1/memory/2640-23-0x0000000000400000-0x0000000000426000-memory.dmp | family_snakekeylogger
behavioral1/memory/2640-18-0x0000000000400000-0x0000000000426000-memory.dmp | family_snakekeylogger
Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers. 5 IoCs
Processes:
resource | yara_rule
behavioral1/memory/2640-20-0x0000000000400000-0x0000000000426000-memory.dmp | INDICATOR_SUSPICIOUS_Binary_References_Browsers
behavioral1/memory/2640-25-0x0000000000400000-0x0000000000426000-memory.dmp | INDICATOR_SUSPICIOUS_Binary_References_Browsers
behavioral1/memory/2640-24-0x0000000000400000-0x0000000000426000-memory.dmp | INDICATOR_SUSPICIOUS_Binary_References_Browsers
behavioral1/memory/2640-23-0x0000000000400000-0x0000000000426000-memory.dmp | INDICATOR_SUSPICIOUS_Binary_References_Browsers
behavioral1/memory/2640-18-0x0000000000400000-0x0000000000426000-memory.dmp | INDICATOR_SUSPICIOUS_Binary_References_Browsers
Detects executables packed with SmartAssembly 1 IoCs
Processes:
resource | yara_rule
behavioral1/memory/1728-3-0x0000000000500000-0x000000000051C000-memory.dmp | INDICATOR_EXE_Packed_SmartAssembly
Detects executables referencing many email and collaboration clients. Observed in information stealers. 5 IoCs
Processes:
resource | yara_rule
behavioral1/memory/2640-20-0x0000000000400000-0x0000000000426000-memory.dmp | INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
behavioral1/memory/2640-25-0x0000000000400000-0x0000000000426000-memory.dmp | INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
behavioral1/memory/2640-24-0x0000000000400000-0x0000000000426000-memory.dmp | INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
behavioral1/memory/2640-23-0x0000000000400000-0x0000000000426000-memory.dmp | INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
behavioral1/memory/2640-18-0x0000000000400000-0x0000000000426000-memory.dmp | INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
Detects executables with potential process hooking 5 IoCs
Processes:
resource | yara_rule
behavioral1/memory/2640-20-0x0000000000400000-0x0000000000426000-memory.dmp | INDICATOR_SUSPICIOUS_EXE_DotNetProcHook
behavioral1/memory/2640-25-0x0000000000400000-0x0000000000426000-memory.dmp | INDICATOR_SUSPICIOUS_EXE_DotNetProcHook
behavioral1/memory/2640-24-0x0000000000400000-0x0000000000426000-memory.dmp | INDICATOR_SUSPICIOUS_EXE_DotNetProcHook
behavioral1/memory/2640-23-0x0000000000400000-0x0000000000426000-memory.dmp | INDICATOR_SUSPICIOUS_EXE_DotNetProcHook
behavioral1/memory/2640-18-0x0000000000400000-0x0000000000426000-memory.dmp | INDICATOR_SUSPICIOUS_EXE_DotNetProcHook
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow | ioc
4 | checkip.dyndns.org
Suspicious use of SetThreadContext 1 IoCs
Processes:
description | pid | process | target process
PID 1728 set thread context of 2640 | 1728 | 11dc8824044bb1848e5675025a503ac5f37a277883f4522d0e8a4f238d049345.exe | 11dc8824044bb1848e5675025a503ac5f37a277883f4522d0e8a4f238d049345.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Program crash 1 IoCs
Processes:
pid | pid_target | process | target process
2972 | 2640 | WerFault.exe | 11dc8824044bb1848e5675025a503ac5f37a277883f4522d0e8a4f238d049345.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
pid | process
2640 | 11dc8824044bb1848e5675025a503ac5f37a277883f4522d0e8a4f238d049345.exe
2532 | powershell.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
description | pid | process
Token: SeDebugPrivilege | 2640 | 11dc8824044bb1848e5675025a503ac5f37a277883f4522d0e8a4f238d049345.exe
Token: SeDebugPrivilege | 2532 | powershell.exe
Suspicious use of WriteProcessMemory 21 IoCs
Processes:
description | pid | process | target process
PID 1728 wrote to memory of 2532 | 1728 | 11dc8824044bb1848e5675025a503ac5f37a277883f4522d0e8a4f238d049345.exe | powershell.exe
PID 1728 wrote to memory of 2532 | 1728 | 11dc8824044bb1848e5675025a503ac5f37a277883f4522d0e8a4f238d049345.exe | powershell.exe
PID 1728 wrote to memory of 2532 | 1728 | 11dc8824044bb1848e5675025a503ac5f37a277883f4522d0e8a4f238d049345.exe | powershell.exe
PID 1728 wrote to memory of 2532 | 1728 | 11dc8824044bb1848e5675025a503ac5f37a277883f4522d0e8a4f238d049345.exe | powershell.exe
PID 1728 wrote to memory of 2612 | 1728 | 11dc8824044bb1848e5675025a503ac5f37a277883f4522d0e8a4f238d049345.exe | schtasks.exe
PID 1728 wrote to memory of 2612 | 1728 | 11dc8824044bb1848e5675025a503ac5f37a277883f4522d0e8a4f238d049345.exe | schtasks.exe
PID 1728 wrote to memory of 2612 | 1728 | 11dc8824044bb1848e5675025a503ac5f37a277883f4522d0e8a4f238d049345.exe | schtasks.exe
PID 1728 wrote to memory of 2612 | 1728 | 11dc8824044bb1848e5675025a503ac5f37a277883f4522d0e8a4f238d049345.exe | schtasks.exe
PID 1728 wrote to memory of 2640 | 1728 | 11dc8824044bb1848e5675025a503ac5f37a277883f4522d0e8a4f238d049345.exe | 11dc8824044bb1848e5675025a503ac5f37a277883f4522d0e8a4f238d049345.exe
PID 1728 wrote to memory of 2640 | 1728 | 11dc8824044bb1848e5675025a503ac5f37a277883f4522d0e8a4f238d049345.exe | 11dc8824044bb1848e5675025a503ac5f37a277883f4522d0e8a4f238d049345.exe
PID 1728 wrote to memory of 2640 | 1728 | 11dc8824044bb1848e5675025a503ac5f37a277883f4522d0e8a4f238d049345.exe | 11dc8824044bb1848e5675025a503ac5f37a277883f4522d0e8a4f238d049345.exe
PID 1728 wrote to memory of 2640 | 1728 | 11dc8824044bb1848e5675025a503ac5f37a277883f4522d0e8a4f238d049345.exe | 11dc8824044bb1848e5675025a503ac5f37a277883f4522d0e8a4f238d049345.exe
PID 1728 wrote to memory of 2640 | 1728 | 11dc8824044bb1848e5675025a503ac5f37a277883f4522d0e8a4f238d049345.exe | 11dc8824044bb1848e5675025a503ac5f37a277883f4522d0e8a4f238d049345.exe
PID 1728 wrote to memory of 2640 | 1728 | 11dc8824044bb1848e5675025a503ac5f37a277883f4522d0e8a4f238d049345.exe | 11dc8824044bb1848e5675025a503ac5f37a277883f4522d0e8a4f238d049345.exe
PID 1728 wrote to memory of 2640 | 1728 | 11dc8824044bb1848e5675025a503ac5f37a277883f4522d0e8a4f238d049345.exe | 11dc8824044bb1848e5675025a503ac5f37a277883f4522d0e8a4f238d049345.exe
PID 1728 wrote to memory of 2640 | 1728 | 11dc8824044bb1848e5675025a503ac5f37a277883f4522d0e8a4f238d049345.exe | 11dc8824044bb1848e5675025a503ac5f37a277883f4522d0e8a4f238d049345.exe
PID 1728 wrote to memory of 2640 | 1728 | 11dc8824044bb1848e5675025a503ac5f37a277883f4522d0e8a4f238d049345.exe | 11dc8824044bb1848e5675025a503ac5f37a277883f4522d0e8a4f238d049345.exe
PID 2640 wrote to memory of 2972 | 2640 | 11dc8824044bb1848e5675025a503ac5f37a277883f4522d0e8a4f238d049345.exe | WerFault.exe
PID 2640 wrote to memory of 2972 | 2640 | 11dc8824044bb1848e5675025a503ac5f37a277883f4522d0e8a4f238d049345.exe | WerFault.exe
PID 2640 wrote to memory of 2972 | 2640 | 11dc8824044bb1848e5675025a503ac5f37a277883f4522d0e8a4f238d049345.exe | WerFault.exe
PID 2640 wrote to memory of 2972 | 2640 | 11dc8824044bb1848e5675025a503ac5f37a277883f4522d0e8a4f238d049345.exe | WerFault.exe
Processes
C:\Users\Admin\AppData\Local\Temp\11dc8824044bb1848e5675025a503ac5f37a277883f4522d0e8a4f238d049345.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\11dc8824044bb1848e5675025a503ac5f37a277883f4522d0e8a4f238d049345.exe"
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID: 1728
    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\aUTPqHudKfqQl.exe"
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2532
    C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\aUTPqHudKfqQl" /XML "C:\Users\Admin\AppData\Local\Temp\tmp5283.tmp"
    - Creates scheduled task(s)
    PID: 2612
    C:\Users\Admin\AppData\Local\Temp\11dc8824044bb1848e5675025a503ac5f37a277883f4522d0e8a4f238d049345.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\11dc8824044bb1848e5675025a503ac5f37a277883f4522d0e8a4f238d049345.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 2640
        C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2640 -s 1096
        - Program crash
        PID: 2972
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize
1KB
MD5
806e3cbf1f0744e875a55eb8377a841c
SHA1
d85f0d6cdeeda4e73abc079cfedac58a634c649f
SHA256
f565f073d8ded03616378138e03f964ea1d1e872b6e78b551e29f3091519e107
SHA512
5f891423662382fb028d14dcd03a9dacdc924034221196a3007296213b73d721be56465f68aa8fcbeb69509f33354cce9b138a199306dcad35d25bbb196988f5