Analysis
max time kernel: 106s
max time network: 108s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 16/09/2024, 21:13
Static task: static1
Behavioral task: behavioral1
  Sample: bb64f5d78d45a7994988a5aea5c5fd06aa9be2106d38be875e3e7041d58a994aN.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: bb64f5d78d45a7994988a5aea5c5fd06aa9be2106d38be875e3e7041d58a994aN.exe
  Resource: win10v2004-20240802-en
General
Target: bb64f5d78d45a7994988a5aea5c5fd06aa9be2106d38be875e3e7041d58a994aN.exe
Size: 1.1MB
MD5: d19e57cc9fadabb7d0b4d5f29afaab80
SHA1: f0678c2796dbf40a30fcc4e9d2455641bd83866d
SHA256: bb64f5d78d45a7994988a5aea5c5fd06aa9be2106d38be875e3e7041d58a994a
SHA512: 3f91e041a19d0316296244e58f04108cca4357e3b28785425fa24b3b9d5ce3b2ab26c2445c20b9719d9acd7920481c2a19597897fd6a69894f5cac58526b8c7a
SSDEEP: 24576:sqDEvCTbMWu7rQYlBQcBiT6rprG8a+gLAAB8CeF:sTvC/MTQYxsWR7a+gLAAte
Malware Config
Extracted
Family: snakekeylogger
Exfiltration URL (Telegram Bot API; the path carries the bot token, the query string the destination chat_id): https://api.telegram.org/bot7505197168:AAH44rUOfgM2A0VfpI637HSQjCH00DQZX48/sendMessage?chat_id=875935923
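The extracted URL is a Telegram Bot API endpoint, and the bot token in its path is a live credential: the numeric bot id and the chat_id are the stable identifiers to block on and to include in an abuse report, while the secret after the colon should never be pasted into a ticket. The following Python is an added example (not part of the tria.ge report) that pulls those identifiers out of the URL above and produces a defanged, redacted form; the function names are my own.

```python
"""Extract the stable identifiers from a Snake Keylogger Telegram exfiltration
URL and produce a redacted, defanged IoC. Added example, not tria.ge code; the
URL is the one extracted in the report above."""
import re
from urllib.parse import parse_qs, urlsplit

C2_URL = ("https://api.telegram.org/bot7505197168:AAH44rUOfgM2A0VfpI637HSQjCH00DQZX48"
          "/sendMessage?chat_id=875935923")

# Telegram bot tokens are "<numeric bot id>:<secret>". The secret is the
# credential; the bot id, chat id and method are what you report and block on.
TOKEN_RE = re.compile(r"^/bot(\d+):([A-Za-z0-9_-]+)/(\w+)$")


def parse_telegram_c2(url):
    """Return bot_id, secret, API method and chat_id, or None if not Telegram."""
    u = urlsplit(url)
    if u.hostname != "api.telegram.org":
        return None
    m = TOKEN_RE.match(u.path)
    if not m:
        return None
    bot_id, secret, method = m.groups()
    chat = parse_qs(u.query).get("chat_id", [None])[0]
    return {"bot_id": int(bot_id), "secret": secret, "method": method,
            "chat_id": int(chat) if chat else None}


def defang(url):
    """Redact the token secret and break scheme and host dots so the IoC is inert."""
    u = urlsplit(url)
    path = re.sub(r"/bot(\d+):[A-Za-z0-9_-]+/", r"/bot\1:<redacted>/", u.path)
    host = u.netloc.replace(".", "[.]")
    scheme = {"https": "hxxps", "http": "hxxp"}.get(u.scheme, u.scheme)
    return f"{scheme}://{host}{path}" + (f"?{u.query}" if u.query else "")


if __name__ == "__main__":
    info = parse_telegram_c2(C2_URL)
    print("bot id:", info["bot_id"], "chat id:", info["chat_id"])
    print("defanged:", defang(C2_URL))
```

A proxy or DNS block on api.telegram.org is rarely acceptable in environments that use Telegram legitimately; blocking the path prefix /bot7505197168: at an inspecting proxy is the narrower control.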
Signatures
- Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
- Snake Keylogger payload (33 IoCs)
All 33 hits are YARA rule family_snakekeylogger on memory regions of PID 860 (RegSvcs.exe) in behavioral2:
resource | yara_rule
behavioral2/memory/860-33-0x00000000057A0000-0x00000000057DA000-memory.dmp | family_snakekeylogger
behavioral2/memory/860-37-0x0000000005860000-0x0000000005898000-memory.dmp | family_snakekeylogger
behavioral2/memory/860-41-0x0000000005860000-0x0000000005893000-memory.dmp | family_snakekeylogger
behavioral2/memory/860-97-0x0000000005860000-0x0000000005893000-memory.dmp | family_snakekeylogger
behavioral2/memory/860-93-0x0000000005860000-0x0000000005893000-memory.dmp | family_snakekeylogger
behavioral2/memory/860-91-0x0000000005860000-0x0000000005893000-memory.dmp | family_snakekeylogger
behavioral2/memory/860-89-0x0000000005860000-0x0000000005893000-memory.dmp | family_snakekeylogger
behavioral2/memory/860-87-0x0000000005860000-0x0000000005893000-memory.dmp | family_snakekeylogger
behavioral2/memory/860-85-0x0000000005860000-0x0000000005893000-memory.dmp | family_snakekeylogger
behavioral2/memory/860-81-0x0000000005860000-0x0000000005893000-memory.dmp | family_snakekeylogger
behavioral2/memory/860-79-0x0000000005860000-0x0000000005893000-memory.dmp | family_snakekeylogger
behavioral2/memory/860-77-0x0000000005860000-0x0000000005893000-memory.dmp | family_snakekeylogger
behavioral2/memory/860-75-0x0000000005860000-0x0000000005893000-memory.dmp | family_snakekeylogger
behavioral2/memory/860-73-0x0000000005860000-0x0000000005893000-memory.dmp | family_snakekeylogger
behavioral2/memory/860-71-0x0000000005860000-0x0000000005893000-memory.dmp | family_snakekeylogger
behavioral2/memory/860-69-0x0000000005860000-0x0000000005893000-memory.dmp | family_snakekeylogger
behavioral2/memory/860-67-0x0000000005860000-0x0000000005893000-memory.dmp | family_snakekeylogger
behavioral2/memory/860-65-0x0000000005860000-0x0000000005893000-memory.dmp | family_snakekeylogger
behavioral2/memory/860-63-0x0000000005860000-0x0000000005893000-memory.dmp | family_snakekeylogger
behavioral2/memory/860-59-0x0000000005860000-0x0000000005893000-memory.dmp | family_snakekeylogger
behavioral2/memory/860-57-0x0000000005860000-0x0000000005893000-memory.dmp | family_snakekeylogger
behavioral2/memory/860-55-0x0000000005860000-0x0000000005893000-memory.dmp | family_snakekeylogger
behavioral2/memory/860-53-0x0000000005860000-0x0000000005893000-memory.dmp | family_snakekeylogger
behavioral2/memory/860-51-0x0000000005860000-0x0000000005893000-memory.dmp | family_snakekeylogger
behavioral2/memory/860-49-0x0000000005860000-0x0000000005893000-memory.dmp | family_snakekeylogger
behavioral2/memory/860-47-0x0000000005860000-0x0000000005893000-memory.dmp | family_snakekeylogger
behavioral2/memory/860-45-0x0000000005860000-0x0000000005893000-memory.dmp | family_snakekeylogger
behavioral2/memory/860-43-0x0000000005860000-0x0000000005893000-memory.dmp | family_snakekeylogger
behavioral2/memory/860-39-0x0000000005860000-0x0000000005893000-memory.dmp | family_snakekeylogger
behavioral2/memory/860-38-0x0000000005860000-0x0000000005893000-memory.dmp | family_snakekeylogger
behavioral2/memory/860-95-0x0000000005860000-0x0000000005893000-memory.dmp | family_snakekeylogger
behavioral2/memory/860-84-0x0000000005860000-0x0000000005893000-memory.dmp | family_snakekeylogger
behavioral2/memory/860-61-0x0000000005860000-0x0000000005893000-memory.dmp | family_snakekeylogger
- Credentials from Password Stores: Credentials from Web Browsers (1 TTP)
Malicious access to, or copying of, a web browser credential store.
- Drops startup file (1 IoC)
description | ioc | Process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs | name.exe
- Executes dropped EXE (1 IoC)
pid | Process
2392 | name.exe
- Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | RegSvcs.exe
Key opened | \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | RegSvcs.exe
Key opened | \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | RegSvcs.exe
- Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
14 | checkip.dyndns.org
- AutoIT Executable (1 IoC)
AutoIT scripts compiled to PE executables.
resource | yara_rule
behavioral2/files/0x000500000001db2f-13.dat | autoit_exe
- Suspicious use of SetThreadContext (1 IoC)
description | pid | Process | procid_target
PID 2392 set thread context of 860 | 2392 | name.exe | 86
- System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | bb64f5d78d45a7994988a5aea5c5fd06aa9be2106d38be875e3e7041d58a994aN.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | name.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | RegSvcs.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid | Process
860 | RegSvcs.exe
860 | RegSvcs.exe
- Suspicious behavior: MapViewOfSection (1 IoC)
pid | Process
2392 | name.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
description | pid | Process
Token: SeDebugPrivilege | 860 | RegSvcs.exe
- Suspicious use of FindShellTrayWindow (4 IoCs)
pid | Process
1612 | bb64f5d78d45a7994988a5aea5c5fd06aa9be2106d38be875e3e7041d58a994aN.exe
1612 | bb64f5d78d45a7994988a5aea5c5fd06aa9be2106d38be875e3e7041d58a994aN.exe
2392 | name.exe
2392 | name.exe
- Suspicious use of SendNotifyMessage (4 IoCs)
pid | Process
1612 | bb64f5d78d45a7994988a5aea5c5fd06aa9be2106d38be875e3e7041d58a994aN.exe
1612 | bb64f5d78d45a7994988a5aea5c5fd06aa9be2106d38be875e3e7041d58a994aN.exe
2392 | name.exe
2392 | name.exe
- Suspicious use of WriteProcessMemory (7 IoCs)
description | pid | Process | procid_target
PID 1612 wrote to memory of 2392 | 1612 | bb64f5d78d45a7994988a5aea5c5fd06aa9be2106d38be875e3e7041d58a994aN.exe | 85
PID 1612 wrote to memory of 2392 | 1612 | bb64f5d78d45a7994988a5aea5c5fd06aa9be2106d38be875e3e7041d58a994aN.exe | 85
PID 1612 wrote to memory of 2392 | 1612 | bb64f5d78d45a7994988a5aea5c5fd06aa9be2106d38be875e3e7041d58a994aN.exe | 85
PID 2392 wrote to memory of 860 | 2392 | name.exe | 86
PID 2392 wrote to memory of 860 | 2392 | name.exe | 86
PID 2392 wrote to memory of 860 | 2392 | name.exe | 86
PID 2392 wrote to memory of 860 | 2392 | name.exe | 86
- outlook_office_path (1 IoC)
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | RegSvcs.exe
- outlook_win_path (1 IoC)
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | RegSvcs.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\bb64f5d78d45a7994988a5aea5c5fd06aa9be2106d38be875e3e7041d58a994aN.exe (PID 1612)
   command line: "C:\Users\Admin\AppData\Local\Temp\bb64f5d78d45a7994988a5aea5c5fd06aa9be2106d38be875e3e7041d58a994aN.exe"
   - System Location Discovery: System Language Discovery
   - Suspicious use of FindShellTrayWindow
   - Suspicious use of SendNotifyMessage
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\directory\name.exe (PID 2392, child of 1612)
      command line: "C:\Users\Admin\AppData\Local\Temp\bb64f5d78d45a7994988a5aea5c5fd06aa9be2106d38be875e3e7041d58a994aN.exe"
      - Drops startup file
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe (PID 860, child of 2392)
         command line: "C:\Users\Admin\AppData\Local\Temp\bb64f5d78d45a7994988a5aea5c5fd06aa9be2106d38be875e3e7041d58a994aN.exe"
         - Accesses Microsoft Outlook profiles
         - System Location Discovery: System Language Discovery
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken
         - outlook_office_path
         - outlook_win_path
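The process tree and the WriteProcessMemory / SetThreadContext IoCs above describe a textbook hollowing chain: the AutoIT dropper (PID 1612) writes into its dropped copy name.exe (PID 2392), which starts the signed .NET utility RegSvcs.exe (PID 860), writes the Snake Keylogger payload into it and resets its thread context, while the dropped name.vbs in the Startup folder provides persistence. The tell that survives in plain process telemetry is that RegSvcs.exe runs with a command line naming a completely different executable. The following Python is an added example, not part of the tria.ge report or its tooling: it parses the report's own IoC wording, rebuilds the injection chain and flags the hollowing candidates. The records are transcribed from the sections above; the field names, the HOLLOWING_HOSTS list and the scoring heuristics are my own assumptions.

```python
"""Correlate sandbox process and memory IoCs into an injection chain and flag
process hollowing. Added example, not tria.ge code; records are transcribed
from the report above, heuristics and field names are my own assumptions."""
import ntpath
import re
from collections import defaultdict

SAMPLE = "bb64f5d78d45a7994988a5aea5c5fd06aa9be2106d38be875e3e7041d58a994aN.exe"
SAMPLE_PATH = ntpath.join(r"C:\Users\Admin\AppData\Local\Temp", SAMPLE)

# Process tree from the "Processes" section: image actually executed vs. the
# command line it was started with, plus the parent PID (None for the root).
PROCESSES = {
    1612: {"image": SAMPLE_PATH,
           "cmdline": f'"{SAMPLE_PATH}"', "ppid": None},
    2392: {"image": r"C:\Users\Admin\AppData\Local\directory\name.exe",
           "cmdline": f'"{SAMPLE_PATH}"', "ppid": 1612},
    860:  {"image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
           "cmdline": f'"{SAMPLE_PATH}"', "ppid": 2392},
}

# Memory IoC lines in the report's own wording (duplicate rows dropped).
IOC_LINES = [
    f"PID 1612 wrote to memory of 2392 1612 {SAMPLE} 85",
    "PID 2392 wrote to memory of 860 2392 name.exe 86",
    "PID 2392 set thread context of 860 2392 name.exe 86",
]

# "Drops startup file" IoC as (action, path, process).
FILE_EVENTS = [
    ("File created",
     r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs",
     "name.exe"),
]

EVENT_RE = re.compile(r"PID (\d+) (wrote to memory of|set thread context of) (\d+)")

# Assumption: signed .NET utilities that commodity stealers routinely hollow.
HOLLOWING_HOSTS = {"regsvcs.exe", "regasm.exe", "msbuild.exe",
                   "installutil.exe", "aspnet_compiler.exe"}

STARTUP_DIR = "\\microsoft\\windows\\start menu\\programs\\startup\\"
STARTUP_EXTS = {".vbs", ".js", ".bat", ".cmd", ".ps1", ".lnk", ".exe", ".scr"}


def parse_injection_events(lines):
    """Return (source_pid, action, target_pid) triples found in IoC lines."""
    return [(int(s), a, int(t))
            for line in lines for s, a, t in EVENT_RE.findall(line)]


def cmdline_exe(cmdline):
    """Executable named by a command line: the quoted or first whitespace token."""
    m = re.match(r'\s*"([^"]+)"|\s*(\S+)', cmdline)
    return m.group(1) or m.group(2)


def injection_chain(processes, events):
    """Depth-first walk of write/thread-context edges from the root process."""
    children = defaultdict(list)
    for src, _, dst in events:
        if dst not in children[src]:
            children[src].append(dst)
    chain = []

    def walk(pid):
        chain.append(pid)
        for child in children[pid]:
            walk(child)

    for pid, proc in processes.items():
        if proc["ppid"] is None:
            walk(pid)
    return chain


def hollowing_candidates(processes, events):
    """Flag a process when its on-disk image differs from the executable its
    command line names, when its parent both wrote its memory and reset a thread
    context, or when it is a known .NET host started by a parent under AppData."""
    actions = defaultdict(set)
    for src, action, dst in events:
        actions[(src, dst)].add(action)

    findings = []
    for pid, proc in processes.items():
        image = ntpath.basename(proc["image"]).lower()
        named = ntpath.basename(cmdline_exe(proc["cmdline"])).lower()
        parent = processes.get(proc["ppid"])
        reasons = []
        if image != named:
            reasons.append(f"command line names {named} but image is {image}")
        if {"wrote to memory of", "set thread context of"} <= actions[(proc["ppid"], pid)]:
            reasons.append(f"parent {proc['ppid']} wrote memory and set thread context")
        if image in HOLLOWING_HOSTS and parent and "\\appdata\\" in parent["image"].lower():
            reasons.append(f"{image} spawned from user-writable path by {proc['ppid']}")
        if reasons:
            findings.append({"pid": pid, "image": image, "reasons": reasons})
    return findings


def startup_persistence(file_events):
    """Scripts or executables written into a user's Startup folder."""
    return [{"path": path, "process": proc}
            for action, path, proc in file_events
            if action == "File created"
            and STARTUP_DIR in path.lower()
            and ntpath.splitext(path.lower())[1] in STARTUP_EXTS]


def triage(processes=PROCESSES, ioc_lines=IOC_LINES, file_events=FILE_EVENTS):
    events = parse_injection_events(ioc_lines)
    return {"chain": injection_chain(processes, events),
            "hollowing": hollowing_candidates(processes, events),
            "persistence": startup_persistence(file_events)}


if __name__ == "__main__":
    import json
    print(json.dumps(triage(), indent=2))
```

On this report the chain resolves to 1612 -> 2392 -> 860, name.exe is flagged on the command-line mismatch alone, and RegSvcs.exe trips all three heuristics. The same image-versus-command-line comparison works on Sysmon event 1 or EDR process-start telemetry without any memory IoCs at all, which is why it is worth keeping as a standalone rule.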
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 140KB
  MD5: 91da3c3d3cd9fd67bbbd17db9c57467c
  SHA1: 0ffe669c2c984050f576c076cc27091583eb6686
  SHA256: d5d27e7780a26378292416db6dbcc4a4da9b1045cb439390f8d16ac16fd64882
  SHA512: dc833d12d727132f11a6bff5036fa07eb1a61f72a7441c3d050889022fdeaef9d7ec5b270bcf28aa5a1fcbf3625f0c5689e0ad5aca211227fdb7241235d127ed
- Filesize: 225KB
  MD5: 16744b21d6e5f442a008b478e11b7b1e
  SHA1: 8a4ce9c967effbfda3c505d43d0d2ebe68de9fe2
  SHA256: dfd48f30102a5244181c0bd462771ffcb4ad652a342aa019a5d021b71fda1f1a
  SHA512: 3bcee61f1237419b8964f98965672595b10d57eb8d0dcc3b7941adba3f629d9e1818452380260bd1d5ff33ec34550efdafe3798880e95ff3c66be495e6973d1a
- Filesize: 1.1MB (the submitted sample)
  MD5: d19e57cc9fadabb7d0b4d5f29afaab80
  SHA1: f0678c2796dbf40a30fcc4e9d2455641bd83866d
  SHA256: bb64f5d78d45a7994988a5aea5c5fd06aa9be2106d38be875e3e7041d58a994a
  SHA512: 3f91e041a19d0316296244e58f04108cca4357e3b28785425fa24b3b9d5ce3b2ab26c2445c20b9719d9acd7920481c2a19597897fd6a69894f5cac58526b8c7a