Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
148s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
12/10/2024, 01:49
Static task
static1
Behavioral task
behavioral1
Sample
c108c9f1c3c725b221c947df56589449e367a112cc443b4fca8f1b53ec7412c3.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
c108c9f1c3c725b221c947df56589449e367a112cc443b4fca8f1b53ec7412c3.exe
Resource
win10v2004-20241007-en
General
-
Target
c108c9f1c3c725b221c947df56589449e367a112cc443b4fca8f1b53ec7412c3.exe
-
Size
1.0MB
-
MD5
64250fbc0c8194727c46f0a4ab569139
-
SHA1
9f08f52161a6870763b7beae581524f41e4260cb
-
SHA256
c108c9f1c3c725b221c947df56589449e367a112cc443b4fca8f1b53ec7412c3
-
SHA512
55f534333a39b36b5e99f551c286282bba7ce346c91014cd42b520471f86dcc5cb4c2681ce6a0e02224f2ae6970fa5d32294ee63839b4a6521914ced8dba0ee4
-
SSDEEP
24576:o5EmXFtKaL4/oFe5T9yyXYfP1ijXdamU3JupouR+:oPVt/LZeJbInQRam9
Malware Config
Extracted
snakekeylogger
Protocol: smtp- Host:
smtp.skagenships.com - Port:
587 - Username:
[email protected] - Password:
XAqEAz@4
Signatures
-
Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
-
Snake Keylogger payload 1 IoCs
resource yara_rule behavioral2/memory/3412-7-0x0000000000400000-0x0000000000426000-memory.dmp family_snakekeylogger -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 9 checkip.dyndns.org -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 2984 set thread context of 3412 2984 c108c9f1c3c725b221c947df56589449e367a112cc443b4fca8f1b53ec7412c3.exe 86 -
Program crash 1 IoCs
pid pid_target Process procid_target 4960 2984 WerFault.exe 82 -
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language choice.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language c108c9f1c3c725b221c947df56589449e367a112cc443b4fca8f1b53ec7412c3.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language RegSvcs.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe -
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid Process 3412 RegSvcs.exe -
Suspicious behavior: MapViewOfSection 1 IoCs
pid Process 2984 c108c9f1c3c725b221c947df56589449e367a112cc443b4fca8f1b53ec7412c3.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 3412 RegSvcs.exe -
Suspicious use of FindShellTrayWindow 2 IoCs
pid Process 2984 c108c9f1c3c725b221c947df56589449e367a112cc443b4fca8f1b53ec7412c3.exe 2984 c108c9f1c3c725b221c947df56589449e367a112cc443b4fca8f1b53ec7412c3.exe -
Suspicious use of SendNotifyMessage 2 IoCs
pid Process 2984 c108c9f1c3c725b221c947df56589449e367a112cc443b4fca8f1b53ec7412c3.exe 2984 c108c9f1c3c725b221c947df56589449e367a112cc443b4fca8f1b53ec7412c3.exe -
Suspicious use of WriteProcessMemory 10 IoCs
description pid Process procid_target PID 2984 wrote to memory of 3412 2984 c108c9f1c3c725b221c947df56589449e367a112cc443b4fca8f1b53ec7412c3.exe 86 PID 2984 wrote to memory of 3412 2984 c108c9f1c3c725b221c947df56589449e367a112cc443b4fca8f1b53ec7412c3.exe 86 PID 2984 wrote to memory of 3412 2984 c108c9f1c3c725b221c947df56589449e367a112cc443b4fca8f1b53ec7412c3.exe 86 PID 2984 wrote to memory of 3412 2984 c108c9f1c3c725b221c947df56589449e367a112cc443b4fca8f1b53ec7412c3.exe 86 PID 3412 wrote to memory of 4976 3412 RegSvcs.exe 90 PID 3412 wrote to memory of 4976 3412 RegSvcs.exe 90 PID 3412 wrote to memory of 4976 3412 RegSvcs.exe 90 PID 4976 wrote to memory of 5104 4976 cmd.exe 92 PID 4976 wrote to memory of 5104 4976 cmd.exe 92 PID 4976 wrote to memory of 5104 4976 cmd.exe 92
Processes
-
C:\Users\Admin\AppData\Local\Temp\c108c9f1c3c725b221c947df56589449e367a112cc443b4fca8f1b53ec7412c3.exe"C:\Users\Admin\AppData\Local\Temp\c108c9f1c3c725b221c947df56589449e367a112cc443b4fca8f1b53ec7412c3.exe"1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2984 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"C:\Users\Admin\AppData\Local\Temp\c108c9f1c3c725b221c947df56589449e367a112cc443b4fca8f1b53ec7412c3.exe"2⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3412 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4976 -
C:\Windows\SysWOW64\choice.exechoice /C Y /N /D Y /T 34⤵
- System Location Discovery: System Language Discovery
PID:5104
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2984 -s 6962⤵
- Program crash
PID:4960
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 2984 -ip 29841⤵PID:4268