Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

PO_2024809...CS.exe

windows7-x64

10

PO_2024809...CS.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    157s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    10/09/2024, 18:33

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    PO_20248099-1 12,300PCS.exe

  • Size

    523KB

  • MD5

    5db9f3f1609f4cd4df6f627977d09fd7

  • SHA1

    90bf0d85af20f8b712ea7e1fd9724e1ecb16589b

  • SHA256

    ea08961190b8399e21cfb503fcbb3caee0a5ab92294311bda03b7e511ece876b

  • SHA512

    03d708bf0d82863b667a3f91e284262ba58286580ad7214e0ec1008aba1760b21f3f518ffc7dc049887b2d099ecc0e92fc4a639f8811317fc535eae4c43659ef

  • SSDEEP

    12288:FlEEFet43oFyro4IZ/kHT7R6GJ9i/LH+F+KawP:Fnot43oFyoJZ/kHT7R6gz+Ka

Score
10/10
snakekeyloggercollectioncredential_accessdiscoveryexecutionkeyloggerspywarestealer

Malware Config

Extracted

Family

snakekeylogger

C2

https://api.telegram.org/bot7196633070:AAEaQuZOF5M-L_385uI9rwN0ik3yySrTapE/sendMessage?chat_id=1343335992

Signatures

  • Snake Keylogger

    Keylogger and Infostealer first seen in November 2020.

    stealerkeyloggersnakekeylogger
  • Snake Keylogger payload 1 IoCs
  • Credentials from Password Stores: Credentials from Web Browsers 1 TTPs

    Malicious Access or copy of Web Browser Credential store.

    credential_accessstealer
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\PO_20248099-1 12,300PCS.exe
    "C:\Users\Admin\AppData\Local\Temp\PO_20248099-1 12,300PCS.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3140
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\PO_20248099-1 12,300PCS.exe"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4984
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\UIYZnHxR.exe"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2552
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\UIYZnHxR" /XML "C:\Users\Admin\AppData\Local\Temp\tmpE32C.tmp"
      2⤵
      • System Location Discovery: System Language Discovery
      • Scheduled Task/Job: Scheduled Task
      PID:1920
    • C:\Users\Admin\AppData\Local\Temp\PO_20248099-1 12,300PCS.exe
      "C:\Users\Admin\AppData\Local\Temp\PO_20248099-1 12,300PCS.exe"
      2⤵
      • Accesses Microsoft Outlook profiles
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • outlook_office_path
      • outlook_win_path
      PID:2852

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
    Filesize

    2KB

    MD5

    968cb9309758126772781b83adb8a28f

    SHA1

    8da30e71accf186b2ba11da1797cf67f8f78b47c

    SHA256

    92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

    SHA512

    4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    18KB

    MD5

    d71efd39fa120c685c0b6a897a31ae82

    SHA1

    eb65b39574b19ccb7d26a18dd46beb04883d51cc

    SHA256

    b51d561b2e94c0a373d7243544691f5f1ef5b21910b3ad6521684a04adff6f62

    SHA512

    854d05edefc20c647d6660d134d3229f1223cbc26ae2a6c5367f964eb3d2886a40c731262e1defa4d20e77df107f78d0138ac35f8a0df33fc87ccf76678667b3

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_wh4uqocw.gmw.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\tmpE32C.tmp
    Filesize

    1KB

    MD5

    7392c30aaa74d8fc60a2b82c8cf41d77

    SHA1

    5c23e1e5ab60685f3be1fc39346a964afd392d45

    SHA256

    5299cf44e96f820505d56e1128f817b0df906d8882565f35d96f6588620aadf2

    SHA512

    a32ea6b3a6d3abb1374ec67ffc0b8037d9bf2d4d9cf79280eb7c590e1083b235f5f64a25abef5ed1eaddebf51513c2e96b911ebf5981d35fd8b6bacbde685581

    Download Submit

  • memory/2552-75-0x0000000007710000-0x0000000007D8A000-memory.dmp

    Filesize

    6.5MB

    Download

  • memory/2552-27-0x0000000075030000-0x00000000757E0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/2552-73-0x0000000006D30000-0x0000000006D4E000-memory.dmp

    Filesize

    120KB

    Download

  • memory/2552-52-0x0000000006D50000-0x0000000006D82000-memory.dmp

    Filesize

    200KB

    Download

  • memory/2552-76-0x00000000070D0000-0x00000000070EA000-memory.dmp

    Filesize

    104KB

    Download

  • memory/2552-83-0x00000000073F0000-0x00000000073F8000-memory.dmp

    Filesize

    32KB

    Download

  • memory/2552-53-0x00000000716B0000-0x00000000716FC000-memory.dmp

    Filesize

    304KB

    Download

  • memory/2552-77-0x0000000007140000-0x000000000714A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/2552-82-0x0000000007410000-0x000000000742A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/2552-22-0x0000000075030000-0x00000000757E0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/2552-21-0x0000000075030000-0x00000000757E0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/2552-89-0x0000000075030000-0x00000000757E0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/2852-92-0x0000000006E40000-0x0000000007002000-memory.dmp

    Filesize

    1.8MB

    Download

  • memory/2852-43-0x0000000000400000-0x0000000000426000-memory.dmp

    Filesize

    152KB

    Download

  • memory/2852-91-0x00000000016E0000-0x0000000001730000-memory.dmp

    Filesize

    320KB

    Download

  • memory/3140-3-0x00000000052E0000-0x0000000005372000-memory.dmp

    Filesize

    584KB

    Download

  • memory/3140-49-0x0000000075030000-0x00000000757E0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/3140-4-0x00000000052A0000-0x00000000052AA000-memory.dmp

    Filesize

    40KB

    Download

  • memory/3140-11-0x000000000A320000-0x000000000A3BC000-memory.dmp

    Filesize

    624KB

    Download

  • memory/3140-10-0x0000000006780000-0x00000000067E8000-memory.dmp

    Filesize

    416KB

    Download

  • memory/3140-2-0x00000000057B0000-0x0000000005D54000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/3140-0-0x000000007503E000-0x000000007503F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3140-5-0x0000000075030000-0x00000000757E0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/3140-1-0x0000000000800000-0x0000000000888000-memory.dmp

    Filesize

    544KB

    Download

  • memory/3140-9-0x0000000075030000-0x00000000757E0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/3140-8-0x000000007503E000-0x000000007503F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3140-7-0x0000000005620000-0x0000000005630000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3140-6-0x0000000006460000-0x00000000064DE000-memory.dmp

    Filesize

    504KB

    Download

  • memory/4984-23-0x0000000005300000-0x0000000005322000-memory.dmp

    Filesize

    136KB

    Download

  • memory/4984-54-0x00000000716B0000-0x00000000716FC000-memory.dmp

    Filesize

    304KB

    Download

  • memory/4984-74-0x0000000006BB0000-0x0000000006C53000-memory.dmp

    Filesize

    652KB

    Download

  • memory/4984-51-0x00000000060F0000-0x000000000613C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/4984-42-0x0000000005580000-0x00000000058D4000-memory.dmp

    Filesize

    3.3MB

    Download

  • memory/4984-25-0x0000000005510000-0x0000000005576000-memory.dmp

    Filesize

    408KB

    Download

  • memory/4984-78-0x0000000007130000-0x00000000071C6000-memory.dmp

    Filesize

    600KB

    Download

  • memory/4984-79-0x00000000070B0000-0x00000000070C1000-memory.dmp

    Filesize

    68KB

    Download

  • memory/4984-80-0x00000000070E0000-0x00000000070EE000-memory.dmp

    Filesize

    56KB

    Download

  • memory/4984-81-0x00000000070F0000-0x0000000007104000-memory.dmp

    Filesize

    80KB

    Download

  • memory/4984-50-0x0000000005B90000-0x0000000005BAE000-memory.dmp

    Filesize

    120KB

    Download

  • memory/4984-24-0x00000000054A0000-0x0000000005506000-memory.dmp

    Filesize

    408KB

    Download

  • memory/4984-90-0x0000000075030000-0x00000000757E0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4984-20-0x0000000075030000-0x00000000757E0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4984-18-0x0000000004CD0000-0x00000000052F8000-memory.dmp

    Filesize

    6.2MB

    Download

  • memory/4984-19-0x0000000075030000-0x00000000757E0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4984-17-0x0000000075030000-0x00000000757E0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4984-16-0x00000000045B0000-0x00000000045E6000-memory.dmp

    Filesize

    216KB

    Download