161b33a3ef477f26cdc150c5ebdec32608975cd3d359c8fa1dd7576a2692cfc3

Analysis

max time kernel
93s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
08-10-2024 06:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

DarkSnakeFlex.exe
Size

395KB
MD5

a6e769e192f3a302342c1eef22a16088
SHA1

92840048c6ee3811ed84e7c743f6788311182c2c
SHA256

5ac2dc6b18782e745af8a2985921dbc64b41f7b4f8a6cf4274704b18345d3dac
SHA512

88db5067ee80dc761f70cad5fce5b87d10cf737715d245ecc23350edcd4007b58f74b0672f473a8c1cf6bb2148fdd0987a6ccca09b4cb58d9f82822c877e7970
SSDEEP

1536:6vdWSVRVDlOzjRzrksAO0iN9uEH2Kj+gRJN3dOuzXz76XgnIa1QCSz7S7Nv:6MSncRzAO0i7uUv+yJtUOnI9UNv

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	DarkSnakeFlex.exe

Executes dropped EXE 2 IoCs

pid	Process
2276	SERVER.EXE
3896	SNAKEGAME.EXE

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64	SERVER.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DarkSnakeFlex.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SERVER.EXE

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 1716 wrote to memory of 2276	1716	DarkSnakeFlex.exe	85
PID 1716 wrote to memory of 2276	1716	DarkSnakeFlex.exe	85
PID 1716 wrote to memory of 2276	1716	DarkSnakeFlex.exe	85
PID 1716 wrote to memory of 3896	1716	DarkSnakeFlex.exe	86
PID 1716 wrote to memory of 3896	1716	DarkSnakeFlex.exe	86

C:\Users\Admin\AppData\Local\Temp\DarkSnakeFlex.exe
"C:\Users\Admin\AppData\Local\Temp\DarkSnakeFlex.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1716
- C:\Users\Admin\AppData\Local\Temp\SERVER.EXE
  "C:\Users\Admin\AppData\Local\Temp\SERVER.EXE"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:2276
- C:\Users\Admin\AppData\Local\Temp\SNAKEGAME.EXE
  "C:\Users\Admin\AppData\Local\Temp\SNAKEGAME.EXE"
  2⤵
  - Executes dropped EXE
  PID:3896

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\SERVER.EXE

Filesize
37KB

MD5
e6df7638861cc7aeb1150f7b9abf1703

SHA1
adbc72359d1e26d78c16c92a6eb23f357715568c

SHA256
a42cdbdbde54ff254f046cdd14e1ba86e040b7ad2ae7cdb44415d5fbf420015a

SHA512
c3173dcb43eb7bbaa2580604d08a580722e517be99533beccfc80544f828546a126db305b9d01773efae96a2ba3ad3712b310fc14f7c06427277ac02a65f5cf3

Download Submit
C:\Users\Admin\AppData\Local\Temp\SNAKEGAME.EXE

Filesize
24KB

MD5
dc45bc2e4f394805ade55a42097b853b

SHA1
602fcf6b5595e30ad930901f670e60d6cc571f75

SHA256
c42150de053665206ee68e621d3531cacd0b9a8d743b924c2a3e29ea24f41ec7

SHA512
d3d05aee1179bed84b660c4090f570a2c9b097f03accd46ddbcdde5df46337361e23a7793cbbe1b22c91ce745dca315bf0484266a2ec171e1a22f900787d280d

Download Submit
memory/2276-28-0x0000000075292000-0x0000000075293000-memory.dmp

Filesize
4KB

Download
memory/2276-19-0x0000000075292000-0x0000000075293000-memory.dmp

Filesize
4KB

Download
memory/2276-29-0x0000000001150000-0x0000000001160000-memory.dmp

Filesize
64KB

Download
memory/2276-21-0x0000000001150000-0x0000000001160000-memory.dmp

Filesize
64KB

Download
memory/2276-23-0x0000000075292000-0x0000000075294000-memory.dmp

Filesize
8KB

Download
memory/3896-22-0x0000000001700000-0x0000000001710000-memory.dmp

Filesize
64KB

Download
memory/3896-25-0x000000001C390000-0x000000001C85E000-memory.dmp

Filesize
4.8MB

Download
memory/3896-26-0x000000001BDD0000-0x000000001BE6C000-memory.dmp

Filesize
624KB

Download
memory/3896-27-0x00000000016C0000-0x00000000016C8000-memory.dmp

Filesize
32KB

Download
memory/3896-24-0x00007FFA28835000-0x00007FFA28836000-memory.dmp

Filesize
4KB

Download
memory/3896-20-0x00007FFA28835000-0x00007FFA28836000-memory.dmp

Filesize
4KB

Download