Analysis
- max time kernel: 113s
- max time network: 121s
- platform: windows10-2004_x64
- resource: win10v2004-20240704-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240704-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 08-07-2024 13:49
Static task: static1
Behavioral task: behavioral1
- Sample: e0e245814e8ff752873c8275c9dc81f5.exe
- Resource: win7-20240704-en
Behavioral task: behavioral2
- Sample: e0e245814e8ff752873c8275c9dc81f5.exe
- Resource: win10v2004-20240704-en
General
- Target: e0e245814e8ff752873c8275c9dc81f5.exe
- Size: 271KB
- MD5: e0e245814e8ff752873c8275c9dc81f5
- SHA1: ad686d471ad1376ea729acc46a9cde5d47b3b359
- SHA256: 554590e0411638e001be8dcc94e36ec8b6033b654cfc50985940679da34684b3
- SHA512: fb00d23e54b5916dcfd12310e1b90ba7e22d630855be4da66284d5dc44e767711dbdb5d354b522c6ffeec307ebad5915f131bd9a62ff43433efe45d3717c1c01
- SSDEEP: 3072:nlNRFEkoqEA4mmDnu6HISYeS/9IqpR4FdUmPWuGDXIpAKWV3JAzfOUQmd4NDVoeg:nIvA4ZTo2S/93+RosoV9cVJkqD
Malware Config
Extracted: snakekeylogger
- Protocol: smtp
- Host: ypcog.shop
- Port: 587
- Username: [email protected]
- Password: NpsTFMpGBcoy
- Email To: [email protected]
Signatures

Snake Keylogger
Keylogger and Infostealer first seen in November 2020.

Snake Keylogger payload (1 IoC)
Processes:
resource | yara_rule
behavioral2/memory/5012-4879-0x0000000000400000-0x0000000000426000-memory.dmp | family_snakekeylogger

Reads user/profile data of local email clients (2 TTPs)
Email clients store some user data on disk where infostealers will often target it.

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
Processes: e0e245814e8ff752873c8275c9dc81f5.exe
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-771719357-2485960699-3367710044-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | e0e245814e8ff752873c8275c9dc81f5.exe
Key opened | \REGISTRY\USER\S-1-5-21-771719357-2485960699-3367710044-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | e0e245814e8ff752873c8275c9dc81f5.exe
Key opened | \REGISTRY\USER\S-1-5-21-771719357-2485960699-3367710044-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | e0e245814e8ff752873c8275c9dc81f5.exe

Adds Run key to start application (2 TTPs, 1 IoC)
Processes: e0e245814e8ff752873c8275c9dc81f5.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-771719357-2485960699-3367710044-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Hoyoyt = "C:\\Users\\Admin\\AppData\\Roaming\\Hoyoyt.exe" | e0e245814e8ff752873c8275c9dc81f5.exe

Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow | ioc
32 | checkip.dyndns.org

Suspicious use of SetThreadContext (1 IoC)
Processes: e0e245814e8ff752873c8275c9dc81f5.exe
description | pid | process | target process
PID 5024 set thread context of 5012 | 5024 | e0e245814e8ff752873c8275c9dc81f5.exe | e0e245814e8ff752873c8275c9dc81f5.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes: e0e245814e8ff752873c8275c9dc81f5.exe
pid | process
5012 | e0e245814e8ff752873c8275c9dc81f5.exe
5012 | e0e245814e8ff752873c8275c9dc81f5.exe

Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes: e0e245814e8ff752873c8275c9dc81f5.exe, e0e245814e8ff752873c8275c9dc81f5.exe
description | pid | process
Token: SeDebugPrivilege | 5024 | e0e245814e8ff752873c8275c9dc81f5.exe
Token: SeDebugPrivilege | 5024 | e0e245814e8ff752873c8275c9dc81f5.exe
Token: SeDebugPrivilege | 5012 | e0e245814e8ff752873c8275c9dc81f5.exe

Suspicious use of WriteProcessMemory (8 IoCs)
Processes: e0e245814e8ff752873c8275c9dc81f5.exe
description | pid | process | target process
PID 5024 wrote to memory of 5012 | 5024 | e0e245814e8ff752873c8275c9dc81f5.exe | e0e245814e8ff752873c8275c9dc81f5.exe
PID 5024 wrote to memory of 5012 | 5024 | e0e245814e8ff752873c8275c9dc81f5.exe | e0e245814e8ff752873c8275c9dc81f5.exe
PID 5024 wrote to memory of 5012 | 5024 | e0e245814e8ff752873c8275c9dc81f5.exe | e0e245814e8ff752873c8275c9dc81f5.exe
PID 5024 wrote to memory of 5012 | 5024 | e0e245814e8ff752873c8275c9dc81f5.exe | e0e245814e8ff752873c8275c9dc81f5.exe
PID 5024 wrote to memory of 5012 | 5024 | e0e245814e8ff752873c8275c9dc81f5.exe | e0e245814e8ff752873c8275c9dc81f5.exe
PID 5024 wrote to memory of 5012 | 5024 | e0e245814e8ff752873c8275c9dc81f5.exe | e0e245814e8ff752873c8275c9dc81f5.exe
PID 5024 wrote to memory of 5012 | 5024 | e0e245814e8ff752873c8275c9dc81f5.exe | e0e245814e8ff752873c8275c9dc81f5.exe
PID 5024 wrote to memory of 5012 | 5024 | e0e245814e8ff752873c8275c9dc81f5.exe | e0e245814e8ff752873c8275c9dc81f5.exe

outlook_office_path (1 IoC)
Processes: e0e245814e8ff752873c8275c9dc81f5.exe
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-771719357-2485960699-3367710044-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | e0e245814e8ff752873c8275c9dc81f5.exe

outlook_win_path (1 IoC)
Processes: e0e245814e8ff752873c8275c9dc81f5.exe
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-771719357-2485960699-3367710044-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | e0e245814e8ff752873c8275c9dc81f5.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\e0e245814e8ff752873c8275c9dc81f5.exe "C:\Users\Admin\AppData\Local\Temp\e0e245814e8ff752873c8275c9dc81f5.exe"
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 5024
  - C:\Users\Admin\AppData\Local\Temp\e0e245814e8ff752873c8275c9dc81f5.exe "C:\Users\Admin\AppData\Local\Temp\e0e245814e8ff752873c8275c9dc81f5.exe" (child of PID 5024)
    - Accesses Microsoft Outlook profiles
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path
    PID: 5012
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\e0e245814e8ff752873c8275c9dc81f5.exe.log
  Filesize: 1KB
  MD5: a28da06a4218311dfd5954e9e79f5ae7
  SHA1: e8862b8ec028dad73e480003ebd845d045590264
  SHA256: 41bf6fbb7597de5499b6006e21fa19d918a034bac2c3b9dcbc1e83f2ee5ba6cb
  SHA512: 11f5823c46d536845ecf7ee4294c783153267ad663136c2aa38bf96d653255bc1b62bbcf790fd3376a8c4e1dda629da3c6507395b24af22b5a4f67b1e253f723