Malware Analysis Report

2024-10-18 23:17

Sample ID 240709-ltcejazfkf
Target Selvretfrdig.exe
SHA256 f8aa18d4254a618c058dda0a2be332707f305795953a26402e7b5f791b778bf0
Tags: snakekeylogger collection execution keylogger stealer
Score: 10/10

Analysis Overview

Score: 10/10
SHA256: f8aa18d4254a618c058dda0a2be332707f305795953a26402e7b5f791b778bf0
Threat Level: Known bad

The file Selvretfrdig.exe was found to be: Known bad.

Malicious Activity Summary

Tags: snakekeylogger collection execution keylogger stealer

Snake Keylogger payload
Snake Keylogger
Command and Scripting Interpreter: PowerShell
Accesses Microsoft Outlook profiles
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Suspicious use of SetThreadContext
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of NtCreateThreadExHideFromDebugger
Program crash
Enumerates physical storage devices
NSIS installer
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
outlook_office_path
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
outlook_win_path

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-07-09 09:49

Signatures

NSIS installer (installer)
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-07-09 09:49
Reported: 2024-07-09 09:52
Platform: win7-20240704-en
Max time kernel: 122s
Max time network: 127s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Selvretfrdig.exe"

Signatures

Snake Keylogger (stealer keylogger snakekeylogger)

Snake Keylogger payload
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Command and Scripting Interpreter: PowerShell (execution)
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Accesses Microsoft Outlook profiles (collection)
Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Program Files (x86)\windows mail\wab.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Program Files (x86)\windows mail\wab.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Program Files (x86)\windows mail\wab.exe | N/A

Legitimate hosting services abused for malware hosting/C2
Description | Indicator | Process | Target
N/A | drive.google.com | N/A | N/A
N/A | drive.google.com | N/A | N/A

Looks up external IP address via web service
Description | Indicator | Process | Target
N/A | checkip.dyndns.org | N/A | N/A

Suspicious use of NtCreateThreadExHideFromDebugger
Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\windows mail\wab.exe | N/A

Suspicious use of NtSetInformationThreadHideFromDebugger
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Program Files (x86)\windows mail\wab.exe | N/A

Suspicious use of SetThreadContext
Description | Indicator | Process | Target
PID 2820 set thread context of 2592 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Program Files (x86)\windows mail\wab.exe

Enumerates physical storage devices

Suspicious behavior: MapViewOfSection
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of AdjustPrivilegeToken
Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Program Files (x86)\windows mail\wab.exe | N/A

outlook_office_path
Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Program Files (x86)\windows mail\wab.exe | N/A

outlook_win_path
Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Program Files (x86)\windows mail\wab.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Selvretfrdig.exe
  "C:\Users\Admin\AppData\Local\Temp\Selvretfrdig.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -windowstyle hidden "$Forsvrgelsen=Get-Content 'C:\Users\Admin\AppData\Roaming\annekskirkers\dommedagens\nonmenial\Sperlingkasserne.Gla';$Decubitus=$Forsvrgelsen.SubString(65564,3);.$Decubitus($Forsvrgelsen)"

C:\Program Files (x86)\windows mail\wab.exe
  "C:\Program Files (x86)\windows mail\wab.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 drive.google.com udp
GB 172.217.16.238:443 drive.google.com tcp
US 8.8.8.8:53 c.pki.goog udp
GB 216.58.201.99:80 c.pki.goog tcp
US 8.8.8.8:53 o.pki.goog udp
GB 216.58.201.99:80 o.pki.goog tcp
US 8.8.8.8:53 drive.usercontent.google.com udp
GB 216.58.201.97:443 drive.usercontent.google.com tcp
US 8.8.8.8:53 checkip.dyndns.org udp
JP 132.226.8.169:80 checkip.dyndns.org tcp
US 8.8.8.8:53 reallyfreegeoip.org udp
US 104.21.67.152:443 reallyfreegeoip.org tcp

Files

memory/2820-11-0x00000000737B1000-0x00000000737B2000-memory.dmp
memory/2820-12-0x00000000737B0000-0x0000000073D5B000-memory.dmp
memory/2820-14-0x00000000737B0000-0x0000000073D5B000-memory.dmp
memory/2820-13-0x00000000737B0000-0x0000000073D5B000-memory.dmp
memory/2820-15-0x00000000737B0000-0x0000000073D5B000-memory.dmp

C:\Users\Admin\AppData\Roaming\annekskirkers\dommedagens\nonmenial\Sperlingkasserne.Gla
  MD5 c9035c38abb2f8b3e1255a2320926c2b
  SHA1 29ee2663a1f9e8c907791957558b79dff166413c
  SHA256 92eca1cfe870c436907085d7d2d85ea69c5596d456a98224937d631cfaf4adc6
  SHA512 9b1f7655ec40cd92a873547bf7b8b03de824ee53bf2cbd516ec245e3cbc385e6659ce61ce5c94c1460877d697a42fbf1ee65db3abed1474c7aeec233208e89f7

memory/2820-18-0x00000000737B0000-0x0000000073D5B000-memory.dmp
memory/2820-19-0x00000000737B0000-0x0000000073D5B000-memory.dmp

C:\Users\Admin\AppData\Roaming\annekskirkers\dommedagens\nonmenial\Presenile.Tel
  MD5 67bfad28d1127c53a9aac5c51b3b77b8
  SHA1 896af109b830f91baa527847b2cf968cba28b771
  SHA256 38c27304ea5dcdcdbf5214a38989559b4f2feb79b73d680ec96cf2e9e220225d
  SHA512 8eb928e4731dda023c4b253539cd5e6246bcdc2bdbbe74e2f745f129c829a64b04c7d746630eb66a504b417332ea42b6d9bfd987f4704cb51660750fbe467b8b

memory/2820-21-0x00000000737B0000-0x0000000073D5B000-memory.dmp
memory/2820-22-0x00000000064A0000-0x000000000737B000-memory.dmp
memory/2592-24-0x0000000000730000-0x0000000001792000-memory.dmp
memory/2592-44-0x0000000000730000-0x0000000001792000-memory.dmp
memory/2592-45-0x0000000000730000-0x0000000000756000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-07-09 09:49
Reported: 2024-07-09 09:51
Platform: win10v2004-20240704-en
Max time kernel: 149s
Max time network: 153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Selvretfrdig.exe"

Signatures

Command and Scripting Interpreter: PowerShell (execution)
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken
Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Selvretfrdig.exe
  "C:\Users\Admin\AppData\Local\Temp\Selvretfrdig.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -windowstyle hidden "$Forsvrgelsen=Get-Content 'C:\Users\Admin\AppData\Roaming\annekskirkers\dommedagens\nonmenial\Sperlingkasserne.Gla';$Decubitus=$Forsvrgelsen.SubString(65564,3);.$Decubitus($Forsvrgelsen)"

C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3260 -ip 3260

C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3260 -s 2792

Network

Country Destination Domain Proto
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 147.142.123.92.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 130.109.69.13.in-addr.arpa udp

Files

memory/3260-9-0x000000007372E000-0x000000007372F000-memory.dmp
memory/3260-10-0x0000000003230000-0x0000000003266000-memory.dmp
memory/3260-12-0x0000000073720000-0x0000000073ED0000-memory.dmp
memory/3260-11-0x0000000005A60000-0x0000000006088000-memory.dmp
memory/3260-13-0x0000000005840000-0x0000000005862000-memory.dmp
memory/3260-14-0x00000000058E0000-0x0000000005946000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_td5xlhxv.kv4.ps1
  MD5 d17fe0a3f47be24a6453e9ef58c94641
  SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/3260-15-0x0000000006190000-0x00000000061F6000-memory.dmp
memory/3260-21-0x0000000073720000-0x0000000073ED0000-memory.dmp
memory/3260-26-0x0000000006200000-0x0000000006554000-memory.dmp
memory/3260-27-0x00000000067E0000-0x00000000067FE000-memory.dmp
memory/3260-28-0x0000000006830000-0x000000000687C000-memory.dmp
memory/3260-29-0x0000000006D60000-0x0000000006DF6000-memory.dmp
memory/3260-30-0x0000000006D10000-0x0000000006D2A000-memory.dmp
memory/3260-31-0x00000000077D0000-0x00000000077F2000-memory.dmp
memory/3260-32-0x0000000007DB0000-0x0000000008354000-memory.dmp

C:\Users\Admin\AppData\Roaming\annekskirkers\dommedagens\nonmenial\Sperlingkasserne.Gla
  MD5 c9035c38abb2f8b3e1255a2320926c2b
  SHA1 29ee2663a1f9e8c907791957558b79dff166413c
  SHA256 92eca1cfe870c436907085d7d2d85ea69c5596d456a98224937d631cfaf4adc6
  SHA512 9b1f7655ec40cd92a873547bf7b8b03de824ee53bf2cbd516ec245e3cbc385e6659ce61ce5c94c1460877d697a42fbf1ee65db3abed1474c7aeec233208e89f7

memory/3260-34-0x00000000089E0000-0x000000000905A000-memory.dmp
memory/3260-36-0x0000000073720000-0x0000000073ED0000-memory.dmp