Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
95s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
11/10/2024, 13:09
Static task
static1
Behavioral task
behavioral1
Sample
Quotation-GINC-19-00204.exe
Resource
win7-20241010-en
Behavioral task
behavioral2
Sample
Quotation-GINC-19-00204.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral3
Sample
$PLUGINSDIR/System.dll
Resource
win7-20240903-en
Behavioral task
behavioral4
Sample
$PLUGINSDIR/System.dll
Resource
win10v2004-20241007-en
General
-
Target
Quotation-GINC-19-00204.exe
-
Size
878KB
-
MD5
0c285a3c76e1f5f981de6282fedf1919
-
SHA1
dc3f467ff13529349090edc5c1a9aa597bd65e41
-
SHA256
d5dbb09b7ecb1ba95cc42d1757a2e72e0c4bbd86cca5dd43dabf3a0d9425432a
-
SHA512
ac1fe6ac984c63adb12c15c27ca74f2120dfae406a2ba532c29d545ab56739b9ad8915447204e4770cc1d3e822ac0d7271e36c43d71c43e8a4b245878dd5a43d
-
SSDEEP
24576:miGFaq43NvCZXv/+2JujTrlCJREBJ/QOead:miGFu3Nvw3+XdrJ/qad
Malware Config
Extracted
snakekeylogger
Protocol: smtp- Host:
webmail.berkeleyindia.com - Port:
587 - Username:
[email protected] - Password:
2szbiev2pciv
Signatures
-
Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
-
Snake Keylogger payload 2 IoCs
resource yara_rule behavioral2/memory/2720-297-0x00000000004A0000-0x00000000016F4000-memory.dmp family_snakekeylogger behavioral2/memory/2720-300-0x00000000004A0000-0x00000000004C6000-memory.dmp family_snakekeylogger -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation Quotation-GINC-19-00204.exe -
Loads dropped DLL 1 IoCs
pid Process 4768 Quotation-GINC-19-00204.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
flow ioc 25 drive.google.com 24 drive.google.com -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 37 checkip.dyndns.org -
Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
pid Process 2720 Quotation-GINC-19-00204.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
pid Process 4768 Quotation-GINC-19-00204.exe 2720 Quotation-GINC-19-00204.exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 4768 set thread context of 2720 4768 Quotation-GINC-19-00204.exe 90 -
Drops file in Windows directory 5 IoCs
description ioc Process File opened for modification C:\Windows\resources\0409\figenkaktusses\Ea40.ini Quotation-GINC-19-00204.exe File opened for modification C:\Windows\Fonts\heraclitic.Wom Quotation-GINC-19-00204.exe File opened for modification C:\Windows\storsejlenes\blackweed.hor Quotation-GINC-19-00204.exe File opened for modification C:\Windows\Arder.lnk Quotation-GINC-19-00204.exe File created C:\Windows\Arder.lnk Quotation-GINC-19-00204.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Quotation-GINC-19-00204.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Quotation-GINC-19-00204.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language choice.exe -
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid Process 2720 Quotation-GINC-19-00204.exe -
Suspicious behavior: MapViewOfSection 1 IoCs
pid Process 4768 Quotation-GINC-19-00204.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 2720 Quotation-GINC-19-00204.exe -
Suspicious use of WriteProcessMemory 11 IoCs
description pid Process procid_target PID 4768 wrote to memory of 2720 4768 Quotation-GINC-19-00204.exe 90 PID 4768 wrote to memory of 2720 4768 Quotation-GINC-19-00204.exe 90 PID 4768 wrote to memory of 2720 4768 Quotation-GINC-19-00204.exe 90 PID 4768 wrote to memory of 2720 4768 Quotation-GINC-19-00204.exe 90 PID 4768 wrote to memory of 2720 4768 Quotation-GINC-19-00204.exe 90 PID 2720 wrote to memory of 3948 2720 Quotation-GINC-19-00204.exe 96 PID 2720 wrote to memory of 3948 2720 Quotation-GINC-19-00204.exe 96 PID 2720 wrote to memory of 3948 2720 Quotation-GINC-19-00204.exe 96 PID 3948 wrote to memory of 1044 3948 cmd.exe 98 PID 3948 wrote to memory of 1044 3948 cmd.exe 98 PID 3948 wrote to memory of 1044 3948 cmd.exe 98
Processes
-
C:\Users\Admin\AppData\Local\Temp\Quotation-GINC-19-00204.exe"C:\Users\Admin\AppData\Local\Temp\Quotation-GINC-19-00204.exe"1⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:4768 -
C:\Users\Admin\AppData\Local\Temp\Quotation-GINC-19-00204.exe"C:\Users\Admin\AppData\Local\Temp\Quotation-GINC-19-00204.exe"2⤵
- Checks computer location settings
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2720 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\Quotation-GINC-19-00204.exe"3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3948 -
C:\Windows\SysWOW64\choice.exechoice /C Y /N /D Y /T 34⤵
- System Location Discovery: System Language Discovery
PID:1044
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
11KB
MD534442e1e0c2870341df55e1b7b3cccdc
SHA199b2fa21aead4b6ccd8ff2f6d3d3453a51d9c70c
SHA256269d232712c86983336badb40b9e55e80052d8389ed095ebf9214964d43b6bb1
SHA5124a8c57fb12997438b488b862f3fc9dc0f236e07bb47b2bce6053dcb03ac7ad171842f02ac749f02dda4719c681d186330524cd2953d33cb50854844e74b33d51
-
Filesize
726B
MD5494254afe484cb2a9846dd9982017355
SHA11c4e61a24041dc8acffe778a81ebbb1cfd76a18d
SHA25660b1692d995fb102bbd864cd082e8703ec3151df4fcdae2526c6e133e15a19dd
SHA512d8bd73c7809fd9365db9590ddd11f453c746f957ae096ca9da7fd5c7892ff77d9eeb06ee85a20aa84688ad5460c960ffdc54b0dd14534a89ede5c4ec9315a5ee