Analysis Overview
SHA256
410c814cf0f32f5231e6b471da182deea2d587fe14b52a5ef3aa84b1a2c181a3
Threat Level: Known bad
The file 09072024_1337_09072024_AWB 1311072433.Img.ace was found to be: Known bad.
Malicious Activity Summary
Snake Keylogger
Snake Keylogger payload
Looks up external IP address via web service
Accesses Microsoft Outlook profiles
Suspicious use of SetThreadContext
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-07-09 13:37
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-07-09 13:37
Reported
2024-07-09 13:39
Platform
win10v2004-20240704-en
Max time kernel
97s
Max time network
101s
Command Line
Signatures
Snake Keylogger
Snake Keylogger payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | checkip.dyndns.org | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 4272 set thread context of 2928 | N/A | C:\Users\Admin\AppData\Local\Temp\AWB 1311072433.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\AWB 1311072433.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\AWB 1311072433.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 4272 wrote to memory of 2928 (reported 6 times) | N/A | C:\Users\Admin\AppData\Local\Temp\AWB 1311072433.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\AWB 1311072433.exe
"C:\Users\Admin\AppData\Local\Temp\AWB 1311072433.exe"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | checkip.dyndns.org | udp |
| JP | 132.226.8.169:80 | checkip.dyndns.org | tcp |
| US | 8.8.8.8:53 | 169.8.226.132.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 99.58.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 98.58.20.217.in-addr.arpa | udp |
Files
Analysis: behavioral1
Detonation Overview
Submitted
2024-07-09 13:37
Reported
2024-07-09 13:40
Platform
win7-20240705-en
Max time kernel
120s
Max time network
121s
Command Line
Signatures
Snake Keylogger
Snake Keylogger payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | checkip.dyndns.org | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 1660 set thread context of 2380 | N/A | C:\Users\Admin\AppData\Local\Temp\AWB 1311072433.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\AWB 1311072433.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\AWB 1311072433.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe | N/A |
Suspicious use of WriteProcessMemory
outlook_office_path
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\AWB 1311072433.exe
"C:\Users\Admin\AppData\Local\Temp\AWB 1311072433.exe"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | checkip.dyndns.org | udp |
| JP | 132.226.8.169:80 | checkip.dyndns.org | tcp |
Files