Analysis
-
max time kernel
63s -
max time network
65s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system -
submitted
09-10-2024 03:32
Static task
static1
Behavioral task
behavioral1
Sample
P984758.exe
Resource
win7-20240708-en
Behavioral task
behavioral2
Sample
P984758.exe
Resource
win10v2004-20241007-en
General
-
Target
P984758.exe
-
Size
846KB
-
MD5
c5af54622602c908d5af6c3d8d7bdb09
-
SHA1
67fbbcaef7c841afc2af6cda2740b3f934cd9c15
-
SHA256
bbeac700ec88ce4b23f0bb5c996effc1586ef0e7802bc18695ecd3845a2a0022
-
SHA512
b1194332113c466ddfb55bf4f6f0dd6a04bc3ceeac9654a913d0ac38689a93fa08888b950af0a701cfb7490ca1c322fbebe77f281be27c2a2a05e78dfa3d8961
-
SSDEEP
24576:5vVPp9AR95STVO0NF64RWPOyvzQ6bnVOGeuo8:5vVPpKRSs0KBOybx
Malware Config
Extracted
snakekeylogger
Protocol: smtp- Host:
smtp.fyontej.com - Port:
25 - Username:
[email protected] - Password:
g#DXj@Ws8 - Email To:
[email protected]
Signatures
-
Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
-
Snake Keylogger payload 5 IoCs
resource yara_rule behavioral1/memory/2836-19-0x0000000000400000-0x0000000000424000-memory.dmp family_snakekeylogger behavioral1/memory/2836-23-0x0000000000400000-0x0000000000424000-memory.dmp family_snakekeylogger behavioral1/memory/2836-27-0x0000000000400000-0x0000000000424000-memory.dmp family_snakekeylogger behavioral1/memory/2836-25-0x0000000000400000-0x0000000000424000-memory.dmp family_snakekeylogger behavioral1/memory/2836-17-0x0000000000400000-0x0000000000424000-memory.dmp family_snakekeylogger -
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 9 freegeoip.app 4 checkip.dyndns.org 8 freegeoip.app -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 1080 set thread context of 2836 1080 P984758.exe 32 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
pid pid_target Process procid_target 1796 2836 WerFault.exe 32 -
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language P984758.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language P984758.exe -
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 2004 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid Process 2836 P984758.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 2836 P984758.exe -
Suspicious use of WriteProcessMemory 17 IoCs
description pid Process procid_target PID 1080 wrote to memory of 2004 1080 P984758.exe 30 PID 1080 wrote to memory of 2004 1080 P984758.exe 30 PID 1080 wrote to memory of 2004 1080 P984758.exe 30 PID 1080 wrote to memory of 2004 1080 P984758.exe 30 PID 1080 wrote to memory of 2836 1080 P984758.exe 32 PID 1080 wrote to memory of 2836 1080 P984758.exe 32 PID 1080 wrote to memory of 2836 1080 P984758.exe 32 PID 1080 wrote to memory of 2836 1080 P984758.exe 32 PID 1080 wrote to memory of 2836 1080 P984758.exe 32 PID 1080 wrote to memory of 2836 1080 P984758.exe 32 PID 1080 wrote to memory of 2836 1080 P984758.exe 32 PID 1080 wrote to memory of 2836 1080 P984758.exe 32 PID 1080 wrote to memory of 2836 1080 P984758.exe 32 PID 2836 wrote to memory of 1796 2836 P984758.exe 33 PID 2836 wrote to memory of 1796 2836 P984758.exe 33 PID 2836 wrote to memory of 1796 2836 P984758.exe 33 PID 2836 wrote to memory of 1796 2836 P984758.exe 33
Processes
-
C:\Users\Admin\AppData\Local\Temp\P984758.exe"C:\Users\Admin\AppData\Local\Temp\P984758.exe"1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1080 -
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\KOjqORarEZ" /XML "C:\Users\Admin\AppData\Local\Temp\tmp864F.tmp"2⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:2004
-
-
C:\Users\Admin\AppData\Local\Temp\P984758.exe"C:\Users\Admin\AppData\Local\Temp\P984758.exe"2⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2836 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2836 -s 15763⤵
- Program crash
PID:1796
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD5c910689f3371420dcf5927af2a76fefe
SHA1b8bbc40552f7b034246ebf4d6fc7a0bab6aa6089
SHA2561a4476b272df32b9f5063abc177263b8c4b6b5e7166c986f136b08d713985561
SHA5123c387af3223dec1dcdcd755c87dc3c8e0fa29a9be917dbf458288b884d8d19644c1829c6032f5b2b65a5de5c1c18acfdca3c11f1a738d798de88c61e8f374e25