Overview

overview

10

Static

static

1

5.vbe

windows7-x64

8

5.vbe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    19-09-2024 13:17

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    5.vbe

  • Size

    10KB

  • MD5

    9c14957ca39752cb13dc22d7dd0e53c5

  • SHA1

    7db0b08452db448b7a022fad47e0aaad42452086

  • SHA256

    462a96c1ba1050085eeb4e15753a8d9b29fc88b2289c996fb937c4390be3a393

  • SHA512

    36c66dfc4b48bbed8c04bfda1bb8414fae6af3199b77ce58e80334e9c12fdb7ab8d3134bd4e8c473d0367555860e989f9e77d4973f6e4636f28d5b350f18113e

  • SSDEEP

    192:xVNM3lLrcABBqcDsPdSuXZlzrZ7gmUWoZl5C8YleLMl/1uw5YOAxJSHtK:DNElLAAKjBLf1UWobMrlwMl/mAHU

Score
10/10
snakekeyloggercollectioncredential_accessdiscoverykeyloggerstealer

Malware Config

Extracted

Family

snakekeylogger

Credentials

Signatures

  • Snake Keylogger

    Keylogger and Infostealer first seen in November 2020.

    stealerkeyloggersnakekeylogger
  • Snake Keylogger payload 1 IoCs
  • Credentials from Password Stores: Credentials from Web Browsers 1 TTPs

    Malicious Access or copy of Web Browser Credential store.

    credential_accessstealer
  • Blocklisted process makes network request 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks processor information in registry 2 TTPs 6 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 4 IoCs
  • Script User-Agent 1 IoCs

    Uses user-agent string associated with script host/environment.

  • Suspicious behavior: EnumeratesProcesses 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5.vbe"
    1⤵
    • Blocklisted process makes network request
    PID:4400
  • C:\Windows\System32\WScript.exe
    C:\Windows\System32\WScript.exe "C:\Users\Admin\AppData\Roaming\zanFaVXLBdzhSkd.vbs"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:1988
    • C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
      2⤵
      • Drops file in System32 directory
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3632
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        3⤵
        • Accesses Microsoft Outlook profiles
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • outlook_office_path
        • outlook_win_path
        PID:4864
      • C:\Windows\system32\wermgr.exe
        "C:\Windows\system32\wermgr.exe" "-outproc" "0" "3632" "2728" "2668" "2732" "0" "0" "2736" "0" "0" "0" "0" "0"
        3⤵
        • Checks processor information in registry
        • Enumerates system info in registry
        PID:3604
    • C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
      2⤵
      • Drops file in System32 directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3460
      • C:\Windows\system32\wermgr.exe
        "C:\Windows\system32\wermgr.exe" "-outproc" "0" "3460" "2696" "2620" "2700" "0" "0" "2704" "0" "0" "0" "0" "0"
        3⤵
        • Checks processor information in registry
        • Enumerates system info in registry
        PID:2328
  • C:\Program Files (x86)\Windows Media Player\wmplayer.exe
    "C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /Play -Embedding
    1⤵
    • Enumerates connected drives
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:2280
    • C:\Windows\SysWOW64\unregmp2.exe
      "C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3184
      • C:\Windows\system32\unregmp2.exe
        "C:\Windows\SysNative\unregmp2.exe" /AsyncFirstLogon /REENTRANT
        3⤵
        • Enumerates connected drives
        • Suspicious use of AdjustPrivilegeToken
        PID:668
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s upnphost
    1⤵
    • Drops file in Windows directory
    PID:3944

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
    Filesize

    3KB

    MD5

    3f01549ee3e4c18244797530b588dad9

    SHA1

    3e87863fc06995fe4b741357c68931221d6cc0b9

    SHA256

    36b51e575810b6af6fc5e778ce0f228bc7797cd3224839b00829ca166fa13f9a

    SHA512

    73843215228865a4186ac3709bf2896f0f68da0ba3601cc20226203dd429a2ad9817b904a45f6b0456b8be68deebf3b011742a923ce4a77c0c6f3a155522ab50

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb
    Filesize

    384KB

    MD5

    c7ca2711d80cd052da0d98ce7e6dec6b

    SHA1

    b051f0425224cf70e3a10636c21bf113bd1cd301

    SHA256

    a0c1147d7f6adb99735dc3fa370ef6fb8e6ddd3687eb7afd677af5c71df6957f

    SHA512

    487b985fe8a4fb9a0cb59ffb0b485133e0b089115e36b9bc3f0cbb64babd899daf1b282a9554b45874a59a4c7d9c07db370650c28a5731bde50f52e66a0fc0af

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb
    Filesize

    1024KB

    MD5

    b14ba3e50f7375b47b142bae888b11cf

    SHA1

    e08f9a54ede6651f99323c7efef9fcd71c6bc441

    SHA256

    0bc352fc53ddba33791c28c98236cdbd7f45478775f662a7cf45e858549c1831

    SHA512

    b2a95e5e23ca223ba865bb4ea1491dda6fe8304d8b0412c4fd03b277185a1f523c9f14dd5cd1592b54539723ab1bec789a6f5fba01a2d5b4bb0c844a140b3668

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.DTD
    Filesize

    498B

    MD5

    90be2701c8112bebc6bd58a7de19846e

    SHA1

    a95be407036982392e2e684fb9ff6602ecad6f1e

    SHA256

    644fbcdc20086e16d57f31c5bad98be68d02b1c061938d2f5f91cbe88c871fbf

    SHA512

    d618b473b68b48d746c912ac5fc06c73b047bd35a44a6efc7a859fe1162d68015cf69da41a5db504dcbc4928e360c095b32a3b7792fcc6a38072e1ebd12e7cbe

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML
    Filesize

    9KB

    MD5

    5433eab10c6b5c6d55b7cbd302426a39

    SHA1

    c5b1604b3350dab290d081eecd5389a895c58de5

    SHA256

    23dbf7014e99e93af5f2760f18ee1370274f06a453145c8d539b66d798dad131

    SHA512

    207b40d6bec65ab147f963a5f42263ae5bf39857987b439a4fa1647bf9b40e99cdc43ff68b7e2463aa9a948284126ac3c9c7af8350c91134b36d8b1a9c61fd34

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML.bak
    Filesize

    9KB

    MD5

    7050d5ae8acfbe560fa11073fef8185d

    SHA1

    5bc38e77ff06785fe0aec5a345c4ccd15752560e

    SHA256

    cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b

    SHA512

    a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
    Filesize

    53KB

    MD5

    a26df49623eff12a70a93f649776dab7

    SHA1

    efb53bd0df3ac34bd119adf8788127ad57e53803

    SHA256

    4ebde1c12625cb55034d47e5169f709b0bd02a8caa76b5b9854efad7f4710245

    SHA512

    e5f9b8645fb2a50763fcbffe877ca03e9cadf099fe2d510b74bfa9ff18d0a6563d11160e00f495eeefebde63450d0ade8d6b6a824e68bd8a59e1971dc842709c

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
    Filesize

    3KB

    MD5

    6e809f4c18466a0a63db912fb7a2441c

    SHA1

    d88653e1426406c3175c3fee38d55cd94a1ec5b1

    SHA256

    2a684a0f36716559ec3fef1d5cdcd0fa7d48cd59e40457b7adc4d7b1f9a0c9fa

    SHA512

    b47bb55f42d8930277dcab4d3850aba5b1f40b794f07cf1a0858b7280dc8bab243f445c50d2a45fa183c8f664c4864f476d4565c85380fc10cf45fe53d16100c

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_as2a5fhd.ls0.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\wmsetup.log
    Filesize

    1KB

    MD5

    6efb96bd070439120322fb610155ede8

    SHA1

    28fbe1d21c5b003f6f3ee69a326d3796899f4b27

    SHA256

    b44fc58235d20538ec7ec97ef1da504c53cf5a5316aa9e62221ae9d574499d70

    SHA512

    b34d217131415272762b4acdbde31f0baabf1466a0ca2c87b7486140337ad55e4823f1928914471ad65747ef0a96c30c02ccc59c4120716f295c1b94a5ab684b

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
    Filesize

    6KB

    MD5

    3b85db9c35b1131ae64d0d97822ae328

    SHA1

    8c85c740e634cd52a97a73281241575469cf58e0

    SHA256

    c1a28cebec511f16f17697d6232a59ab895d4b2d0b7c6eb9ff3069376734f03b

    SHA512

    e53f8e6754ceff459c12a1af1da14f343b3635cead581ae248b0ce30d0d16721b6ec58a2df25aea1785675a373e84e761dd2955a1581643b0a58ed0a32674e16

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
    Filesize

    6KB

    MD5

    80bed728885aa8915a717d4f6130bf10

    SHA1

    3496e076eccdf37f4159e6c765370e3012ced413

    SHA256

    672152e9b2ccf663aed662a2fa0c9d058219f10ed29665fddb0c06ca21280056

    SHA512

    f7a97b650108d0d18793338ca2bdfb6f6e646b7e9592b86227cd13f6b43b26d578c76119e0c0395f35149f40d85b5b94c53923f9b4a42f2666d7cf0e7978d037

    Download Submit

  • C:\Users\Admin\AppData\Roaming\zanFaVXLBdzhSkd.vbs
    Filesize

    2KB

    MD5

    072196eaac1237e49891f84745b065fd

    SHA1

    97693ca12473e9db3ddafa988d91bc6b8da3842e

    SHA256

    6384e6f6e981dd89f039bfd8f007647a5bee11dc36973cb4482224f7f6948987

    SHA512

    0bc20439ab3cf5d5ceabec4d6682a394120ce19b31fa302218527f846aa2842be928c77c090d7c196c1df39aa0db710f61482aaff8384e193cb61cd60c8776c5

    Download Submit

  • memory/3632-15-0x000001B860F80000-0x000001B860FF6000-memory.dmp

    Filesize

    472KB

    Download

  • memory/3632-72-0x000001B85EA80000-0x000001B85EA8A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/3632-73-0x000001B85EA90000-0x000001B85EA9A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/3632-4-0x000001B85E930000-0x000001B85E952000-memory.dmp

    Filesize

    136KB

    Download

  • memory/3632-14-0x000001B860EB0000-0x000001B860EF4000-memory.dmp

    Filesize

    272KB

    Download

  • memory/4864-87-0x00000000051B0000-0x000000000524C000-memory.dmp

    Filesize

    624KB

    Download

  • memory/4864-84-0x0000000005820000-0x0000000005DC4000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/4864-74-0x00000000009B0000-0x00000000009D6000-memory.dmp

    Filesize

    152KB

    Download

  • memory/4864-95-0x00000000063E0000-0x0000000006430000-memory.dmp

    Filesize

    320KB

    Download

  • memory/4864-96-0x0000000006600000-0x00000000067C2000-memory.dmp

    Filesize

    1.8MB

    Download

  • memory/4864-97-0x00000000064D0000-0x0000000006562000-memory.dmp

    Filesize

    584KB

    Download

  • memory/4864-98-0x0000000006470000-0x000000000647A000-memory.dmp

    Filesize

    40KB

    Download