Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
117s -
max time network
122s -
platform
windows10-2004_x64 -
resource
win10v2004-20240704-en -
resource tags
arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system -
submitted
06/07/2024, 01:39
Static task
static1
Behavioral task
behavioral1
Sample
Payment Copy.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
Payment Copy.exe
Resource
win10v2004-20240704-en
General
-
Target
Payment Copy.exe
-
Size
740KB
-
MD5
eb3d064d6075848f9477f4babd34ee6a
-
SHA1
168e2497e77fae7de19e89458b33acc32371d905
-
SHA256
6cfb5c2cba6ba8911866c3391977ab0c518c3154c749c5fea23a135488931e32
-
SHA512
c7a25725bc5c5737aa59528aa7a1a52d35effb4175cf3afac6a515e9be7cd3b6993e041c184ce03d1a588da6141b216f1a095817dea0adfbc2cbc9c6234fcfa0
-
SSDEEP
12288:gRtsaKRa5x6pZEZNr49YEtE63vRBksE3/Na+sxcgxmn52hREYuzlVr:7k5kLEZNXWZ3ZMhNn52YPR
Malware Config
Extracted
snakekeylogger
Protocol: smtp- Host:
smtp.innovativeenqg.co.in - Port:
25 - Username:
[email protected] - Password:
%OTz$v%9 - Email To:
[email protected]
Signatures
-
Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
-
Snake Keylogger payload 1 IoCs
resource yara_rule behavioral2/memory/824-7-0x0000000140000000-0x0000000140024000-memory.dmp family_snakekeylogger -
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-3642458265-1901903390-453309326-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 RegSvcs.exe Key opened \REGISTRY\USER\S-1-5-21-3642458265-1901903390-453309326-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 RegSvcs.exe Key opened \REGISTRY\USER\S-1-5-21-3642458265-1901903390-453309326-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 RegSvcs.exe -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 15 checkip.dyndns.org -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 2588 set thread context of 824 2588 Payment Copy.exe 85 -
Suspicious behavior: EnumeratesProcesses 3 IoCs
pid Process 2588 Payment Copy.exe 824 RegSvcs.exe 824 RegSvcs.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 2588 Payment Copy.exe Token: SeDebugPrivilege 824 RegSvcs.exe -
Suspicious use of WriteProcessMemory 6 IoCs
description pid Process procid_target PID 2588 wrote to memory of 824 2588 Payment Copy.exe 85 PID 2588 wrote to memory of 824 2588 Payment Copy.exe 85 PID 2588 wrote to memory of 824 2588 Payment Copy.exe 85 PID 2588 wrote to memory of 824 2588 Payment Copy.exe 85 PID 2588 wrote to memory of 824 2588 Payment Copy.exe 85 PID 2588 wrote to memory of 824 2588 Payment Copy.exe 85 -
outlook_office_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-3642458265-1901903390-453309326-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 RegSvcs.exe -
outlook_win_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-3642458265-1901903390-453309326-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 RegSvcs.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\Payment Copy.exe"C:\Users\Admin\AppData\Local\Temp\Payment Copy.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2588 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe2⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:824
-