Malware Analysis Report

2024-10-18 23:16

Sample ID 240709-qwvfcawgjp
Target 09072024_1337_09072024_AWB 1311072433.Img.ace
SHA256 410c814cf0f32f5231e6b471da182deea2d587fe14b52a5ef3aa84b1a2c181a3
Tags
snakekeylogger keylogger stealer collection
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

410c814cf0f32f5231e6b471da182deea2d587fe14b52a5ef3aa84b1a2c181a3

Threat Level: Known bad

The file 09072024_1337_09072024_AWB 1311072433.Img.ace was found to be: Known bad.

Malicious Activity Summary

snakekeylogger keylogger stealer collection

Snake Keylogger

Snake Keylogger payload

Looks up external IP address via web service

Accesses Microsoft Outlook profiles

Suspicious use of SetThreadContext

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-07-09 13:37

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-09 13:37

Reported

2024-07-09 13:39

Platform

win10v2004-20240704-en

Max time kernel

97s

Max time network

101s

Command Line

"C:\Users\Admin\AppData\Local\Temp\AWB 1311072433.exe"

Signatures

Snake Keylogger

stealer keylogger snakekeylogger

Snake Keylogger payload

Description Indicator Process Target
N/A N/A N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A checkip.dyndns.org N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4272 set thread context of 2928 N/A C:\Users\Admin\AppData\Local\Temp\AWB 1311072433.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\AWB 1311072433.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\AWB 1311072433.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\AWB 1311072433.exe

"C:\Users\Admin\AppData\Local\Temp\AWB 1311072433.exe"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 checkip.dyndns.org udp
JP 132.226.8.169:80 checkip.dyndns.org tcp
US 8.8.8.8:53 169.8.226.132.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 99.58.20.217.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 98.58.20.217.in-addr.arpa udp

Files

memory/4272-1-0x00007FFE82F23000-0x00007FFE82F25000-memory.dmp

memory/4272-0-0x0000000000280000-0x0000000000316000-memory.dmp

memory/4272-2-0x00007FFE82F20000-0x00007FFE839E1000-memory.dmp

memory/4272-3-0x0000000000DD0000-0x0000000000DF4000-memory.dmp

memory/4272-4-0x000000001BEF0000-0x000000001BF06000-memory.dmp

memory/4272-5-0x0000000000D10000-0x0000000000D24000-memory.dmp

memory/4272-6-0x000000001D200000-0x000000001D266000-memory.dmp

memory/2928-7-0x0000000140000000-0x0000000140024000-memory.dmp

memory/4272-9-0x000000001C110000-0x000000001C2B9000-memory.dmp

memory/2928-11-0x00007FFE82F20000-0x00007FFE839E1000-memory.dmp

memory/4272-12-0x00007FFE82F20000-0x00007FFE839E1000-memory.dmp

memory/2928-13-0x00007FFE82F20000-0x00007FFE839E1000-memory.dmp

memory/2928-14-0x00007FFE82F20000-0x00007FFE839E1000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-09 13:37

Reported

2024-07-09 13:40

Platform

win7-20240705-en

Max time kernel

120s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\AWB 1311072433.exe"

Signatures

Snake Keylogger

stealer keylogger snakekeylogger

Snake Keylogger payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A checkip.dyndns.org N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1660 set thread context of 2380 N/A C:\Users\Admin\AppData\Local\Temp\AWB 1311072433.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\AWB 1311072433.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe N/A

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\AWB 1311072433.exe

"C:\Users\Admin\AppData\Local\Temp\AWB 1311072433.exe"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 checkip.dyndns.org udp
JP 132.226.8.169:80 checkip.dyndns.org tcp

Files

memory/1660-0-0x000007FEF5CC3000-0x000007FEF5CC4000-memory.dmp

memory/1660-1-0x000000013FEA0000-0x000000013FF36000-memory.dmp

memory/1660-2-0x000007FEF5CC0000-0x000007FEF66AC000-memory.dmp

memory/1660-3-0x0000000002330000-0x0000000002354000-memory.dmp

memory/1660-4-0x0000000002350000-0x0000000002366000-memory.dmp

memory/1660-5-0x0000000000950000-0x0000000000964000-memory.dmp

memory/1660-6-0x000000001B410000-0x000000001B476000-memory.dmp

memory/2380-9-0x0000000140000000-0x0000000140024000-memory.dmp

memory/2380-8-0x0000000140000000-0x0000000140024000-memory.dmp

memory/2380-7-0x0000000140000000-0x0000000140024000-memory.dmp

memory/2380-12-0x0000000140000000-0x0000000140024000-memory.dmp

memory/2380-10-0x000007FFFFFD9000-0x000007FFFFFDA000-memory.dmp

memory/1660-15-0x000007FEF5CC0000-0x000007FEF66AC000-memory.dmp

memory/2380-16-0x000007FEF5CC0000-0x000007FEF66AC000-memory.dmp

memory/2380-17-0x000007FEF5CC0000-0x000007FEF66AC000-memory.dmp

memory/2380-18-0x000007FEF5CC0000-0x000007FEF66AC000-memory.dmp

memory/2380-19-0x000007FEF5CC0000-0x000007FEF66AC000-memory.dmp