Overview

overview

10

Static

static

3

dg_official01.exe

windows11-21h2-x64

10

Snedkerere...es.ps1

windows11-21h2-x64

8

Analysis

  • max time kernel
    293s
  • max time network
    287s
  • platform
    windows11-21h2_x64
  • resource
    win11-20241007-en
  • resource tags

    arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    14-10-2024 16:25

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    dg_official01.exe

  • Size

    1.2MB

  • MD5

    0917521cc67bbfe0c07339e4cb57bfef

  • SHA1

    a64298b28158d971c31ba99cd433c350469c1fde

  • SHA256

    551beb58227242af1168e2402b49bf1a6505840485fad5d618c0f9c251e4af9e

  • SHA512

    63ff71f9e8a344063ca24352d630f7e63f21a7bf72743d91a6c255e35369cbf5beaaf5057a5a33a54447e50710e150344f2d3b11e89b6ea4e4de742efff32602

  • SSDEEP

    24576:voqqHmQ2mlKpHrTguAVspHkvGGnAR9A78bVKN4aR0H6EVzRZbbk5c+Gt:voZmQ7yLVAVspEvGmS40VKWaRItb0cjt

Score
10/10
snakekeyloggercollectiondiscoveryexecutionkeyloggerstealer

Malware Config

Extracted

Family

snakekeylogger

Credentials

Signatures

  • Snake Keylogger

    Keylogger and Infostealer first seen in November 2020.

    stealerkeyloggersnakekeylogger
  • Snake Keylogger payload 4 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Run Powershell and hide display window.

    execution
  • Accesses Microsoft Outlook profiles 1 TTPs 6 IoCs
    collection
  • Blocklisted process makes network request 13 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of NtCreateThreadExHideFromDebugger 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 21 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 46 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\dg_official01.exe
    "C:\Users\Admin\AppData\Local\Temp\dg_official01.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3648
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" -windowstyle hidden "$Oplgningen=Get-Content -raw 'C:\Users\Admin\AppData\Local\Temp\carinal\Coracosteon\Snedkererede\Sabbataftenernes.Feo';$Monanthous=$Oplgningen.SubString(56405,3);.$Monanthous($Oplgningen)"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4280
      • C:\Windows\SysWOW64\msiexec.exe
        "C:\Windows\SysWOW64\msiexec.exe"
        3⤵
        • Accesses Microsoft Outlook profiles
        • Blocklisted process makes network request
        • Suspicious use of NtCreateThreadExHideFromDebugger
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • outlook_office_path
        • outlook_win_path
        PID:1124
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" -windowstyle hidden "$Oplgningen=Get-Content -raw 'C:\Users\Admin\AppData\Local\Temp\carinal\Coracosteon\Snedkererede\Sabbataftenernes.Feo';$Monanthous=$Oplgningen.SubString(56405,3);.$Monanthous($Oplgningen)"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1760
      • C:\Windows\SysWOW64\msiexec.exe
        "C:\Windows\SysWOW64\msiexec.exe"
        3⤵
        • Accesses Microsoft Outlook profiles
        • Blocklisted process makes network request
        • Suspicious use of NtCreateThreadExHideFromDebugger
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:660

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\05DDC6AA91765AACACDB0A5F96DF8199
    Filesize

    854B

    MD5

    e935bc5762068caf3e24a2683b1b8a88

    SHA1

    82b70eb774c0756837fe8d7acbfeec05ecbf5463

    SHA256

    a8accfcfeb51bd73df23b91f4d89ff1a9eb7438ef5b12e8afda1a6ff1769e89d

    SHA512

    bed4f6f5357b37662623f1f8afed1a3ebf3810630b2206a0292052a2e754af9dcfe34ee15c289e3d797a8f33330e47c14cbefbc702f74028557ace29bf855f9e

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
    Filesize

    1KB

    MD5

    a60e714bbc7342d72ecaba877225a242

    SHA1

    2ec698e458730921272e7487daad848ec39da21c

    SHA256

    672361f366b811764ab5d3623f694df5bb2e9584efc70dec50eab5c714f03af4

    SHA512

    ebaad070eef834528f34c2faf72bb797f8dbea67860776349ee8a2d4bc204525274e8249127dbdded91d8f94b0c3ef51f4088c10356a0586eb830274d3aef878

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6DA548C7E5915679F87E910D6581DEF1_831B21EC05D416A4ADB2370CD79ABCDD
    Filesize

    471B

    MD5

    7e875f2cb7b89ba1b226013077dfb15d

    SHA1

    73b0e2e58db1b69f8990f338ce345d715c61bce8

    SHA256

    65d19464d58220efb19ef3fff1e8a971db450c9292fe668ad21fb899a25c623c

    SHA512

    c5098ac7d79a0c8e105fb44fecf5c4c2c4ce2bec9d2abb0073a81a3a4517f6a4097711719dc74f15011613aad9f2955cf0a738b3bb3f73f133a211c7ee86c75d

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C02877841121CC45139CB51404116B25_CFDBFDB29AA6A71EBDC3E04CD6E276F4
    Filesize

    472B

    MD5

    1ad4491483b9980f4608a7923ebb364e

    SHA1

    6d1e66da4d76f5d1c045cad25499223454a0e722

    SHA256

    51906193c0a4e8d70ecc05d0b224dd57f2b13f8a3dc49258b860edee74617e21

    SHA512

    2c31e6dc4c5bc7af5090dc544e0501c97dfd945d6f46feeb98f59aba86a54d27a7b10c46f98a52737cac2b245f0b64fc6c475b9adadc9792f0b7b73a64c2303a

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\05DDC6AA91765AACACDB0A5F96DF8199
    Filesize

    170B

    MD5

    58322c3262e4698c78d97d7be66c7096

    SHA1

    8ddb3531ee3ca634289511eb8932b900da7ebe22

    SHA256

    68d2542295edd46dda02dac288f69b2e9366723b7eed080c486b4f1e8c82fd99

    SHA512

    150c62cea267e25acc612733fa3acf8d28ad0c3688f97c0b034293715549e53278ec9646047ca20905b10ae78c621e66cb05df6af0a87373c2e73ffb51f6cd47

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
    Filesize

    410B

    MD5

    6ab27fbd10997735eda6f2ab764ee1f2

    SHA1

    34959aa1610def04d3b3a55e4a3891bdbc69e444

    SHA256

    2933007671edaf48af6908ec6965c5cf4cd7c9f9677d0e220cf64f32af73e843

    SHA512

    39381889df75fee955c3a24eea34baff0e6e60259fa44de6154a092f0ea6777d4bb9f747b531686d9dbdcfdae78b83bf0ead22019857c92a68af8906e5afe3be

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6DA548C7E5915679F87E910D6581DEF1_831B21EC05D416A4ADB2370CD79ABCDD
    Filesize

    402B

    MD5

    01db4d1375551920f614447b43d1c77d

    SHA1

    9d7ca6c0d10f5b3d43b6bf0bda240adfd48774f9

    SHA256

    2c22a0cea9822bbba47ce3a08bbf900109610a3890d32872e7828f73590fb3c2

    SHA512

    f15939a9d245131bdaecfd3c9082f27371adf691a1fea8885efe390d3628f0c63c87080b4ad439f867ecf81cd405bd9be2d0dcabd62f2a08771bd617a0e03beb

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6DA548C7E5915679F87E910D6581DEF1_831B21EC05D416A4ADB2370CD79ABCDD
    Filesize

    402B

    MD5

    157ea01913231547e21198aa4f1e0a4c

    SHA1

    d7e01f1ac1eb9243a8e692c4019e39b62a632950

    SHA256

    5c14eda5c0fc3a4fa636674303d22ce01a62d836f903bd9cd8e8bbe299352b0e

    SHA512

    230ab46434ed31043c922f24f4beab39dec34ba654fecce1dd58337d5d4bb07de2cb1cfcca8176c3d941dc0b65b29b7b8517cb5fca01cd455dc421ce5ef6acd1

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C02877841121CC45139CB51404116B25_CFDBFDB29AA6A71EBDC3E04CD6E276F4
    Filesize

    398B

    MD5

    e9e62ab6e1bf743ee13675ff07421baa

    SHA1

    76a66511d383e5358e7eef791d0468099c74b631

    SHA256

    794885261119cbb9e185872c25a7915235a4da6f2a7c754242978610734ed7d4

    SHA512

    ca7dfdb052d73ea99c17a030e3e7318ef18b9c932a0616647fa3ac77f294abffebbfb807ab12263db04a258df825cf76717f11e201739bfac3bc6df02f1fbe34

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
    Filesize

    60KB

    MD5

    122cd75ff4fcb86499ab215c82f5638f

    SHA1

    2ae5eb3c48037a6da2bf1d3a182f0f192bbf5bb1

    SHA256

    73a07d478f57c7f4153e66ceee94d14be6498ef25a1735465fd773dfb17fa9cb

    SHA512

    e4d152aca71388df563a5839707811986a6ab013fdd4ee05d467b6a977d9994e6e54a42c9374419cc492a6ddf704cf60b985485053ea0159bd368722dde22a8c

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ohkzhjjt.c1h.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\carinal\Coracosteon\Sikahjortene.slu
    Filesize

    308KB

    MD5

    528df18f1d49f20629b983b9e3b4eb16

    SHA1

    bffa1fe55545d3ec5d639d0f5596990dfd5dd896

    SHA256

    21073e67226511413a16dc38d52b13a0bbef8d12c36a259cbd586feea2c0fb2c

    SHA512

    ac463c08ef07594221ee55b2d70642eb6c1377feb0bf625b4aaab03a23ec9853a33a4f908474086be1f7d0286c5918664da8544f9053f61c838a371cdfa7ede7

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\carinal\Coracosteon\Snedkererede\Sabbataftenernes.Feo
    Filesize

    55KB

    MD5

    621a941ec0157786a94a49cca0478957

    SHA1

    266434766d83a9a21bed71f43e606fa1575f8061

    SHA256

    adcb1457290f388885ca86da1a85e5fa2ac12f5a5c4676968f0ffc948b19afd3

    SHA512

    6367c3ccd595cd153d866df3b4025563c8382e90bde9e8640eef59dcfabbe78c5f843bbe2f5c267ba9f9f1f9d731493ed4a7ed09054bcad5835dff2edbedc9d5

    Download Submit

  • memory/660-121-0x0000000001010000-0x0000000002327000-memory.dmp

    Filesize

    19.1MB

    Download

  • memory/660-123-0x0000000026290000-0x000000002632C000-memory.dmp

    Filesize

    624KB

    Download

  • memory/660-128-0x0000000026700000-0x0000000026750000-memory.dmp

    Filesize

    320KB

    Download

  • memory/660-129-0x0000000026F20000-0x00000000270E2000-memory.dmp

    Filesize

    1.8MB

    Download

  • memory/660-130-0x0000000026DF0000-0x0000000026E82000-memory.dmp

    Filesize

    584KB

    Download

  • memory/660-131-0x0000000026750000-0x000000002675A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/660-122-0x0000000001010000-0x0000000001036000-memory.dmp

    Filesize

    152KB

    Download

  • memory/1124-124-0x0000000000DF0000-0x0000000002107000-memory.dmp

    Filesize

    19.1MB

    Download

  • memory/1124-125-0x0000000000DF0000-0x0000000000E16000-memory.dmp

    Filesize

    152KB

    Download

  • memory/1124-95-0x0000000000DF0000-0x0000000002107000-memory.dmp

    Filesize

    19.1MB

    Download

  • memory/1760-37-0x0000000006670000-0x000000000668A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/1760-35-0x0000000006170000-0x00000000061BC000-memory.dmp

    Filesize

    304KB

    Download

  • memory/1760-8-0x0000000073530000-0x0000000073CE1000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/1760-10-0x0000000005370000-0x000000000599A000-memory.dmp

    Filesize

    6.2MB

    Download

  • memory/1760-9-0x0000000073530000-0x0000000073CE1000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/1760-11-0x0000000073530000-0x0000000073CE1000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/1760-12-0x00000000052D0000-0x00000000052F2000-memory.dmp

    Filesize

    136KB

    Download

  • memory/1760-34-0x0000000006140000-0x000000000615E000-memory.dmp

    Filesize

    120KB

    Download

  • memory/1760-56-0x000000006FEE0000-0x000000006FF2C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/1760-68-0x0000000073530000-0x0000000073CE1000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/1760-38-0x0000000007140000-0x0000000007162000-memory.dmp

    Filesize

    136KB

    Download

  • memory/1760-71-0x0000000073530000-0x0000000073CE1000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/1760-72-0x0000000073530000-0x0000000073CE1000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/1760-36-0x00000000066B0000-0x0000000006746000-memory.dmp

    Filesize

    600KB

    Download

  • memory/1760-57-0x0000000070040000-0x0000000070397000-memory.dmp

    Filesize

    3.3MB

    Download

  • memory/1760-77-0x0000000073530000-0x0000000073CE1000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/1760-39-0x00000000077B0000-0x0000000007D56000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/1760-79-0x0000000073530000-0x0000000073CE1000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/1760-41-0x00000000083E0000-0x0000000008A5A000-memory.dmp

    Filesize

    6.5MB

    Download

  • memory/1760-88-0x0000000073530000-0x0000000073CE1000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/1760-83-0x0000000073530000-0x0000000073CE1000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4280-70-0x0000000008350000-0x0000000008374000-memory.dmp

    Filesize

    144KB

    Download

  • memory/4280-7-0x0000000005190000-0x00000000051C6000-memory.dmp

    Filesize

    216KB

    Download

  • memory/4280-84-0x0000000073530000-0x0000000073CE1000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4280-81-0x0000000008F00000-0x000000000EDC6000-memory.dmp

    Filesize

    94.8MB

    Download

  • memory/4280-54-0x0000000007A80000-0x0000000007A9E000-memory.dmp

    Filesize

    120KB

    Download

  • memory/4280-80-0x0000000073530000-0x0000000073CE1000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4280-78-0x000000007353E000-0x000000007353F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4280-73-0x0000000073530000-0x0000000073CE1000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4280-6-0x000000007353E000-0x000000007353F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4280-13-0x0000000006030000-0x0000000006096000-memory.dmp

    Filesize

    408KB

    Download

  • memory/4280-89-0x0000000073530000-0x0000000073CE1000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4280-55-0x0000000007AB0000-0x0000000007B54000-memory.dmp

    Filesize

    656KB

    Download

  • memory/4280-69-0x0000000007C10000-0x0000000007C3A000-memory.dmp

    Filesize

    168KB

    Download

  • memory/4280-32-0x0000000073530000-0x0000000073CE1000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4280-33-0x0000000073530000-0x0000000073CE1000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4280-23-0x0000000006110000-0x0000000006467000-memory.dmp

    Filesize

    3.3MB

    Download

  • memory/4280-14-0x00000000060A0000-0x0000000006106000-memory.dmp

    Filesize

    408KB

    Download

  • memory/4280-43-0x000000006FEE0000-0x000000006FF2C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/4280-67-0x0000000007BD0000-0x0000000007BDA000-memory.dmp

    Filesize

    40KB

    Download

  • memory/4280-45-0x0000000070040000-0x0000000070397000-memory.dmp

    Filesize

    3.3MB

    Download

  • memory/4280-44-0x0000000073530000-0x0000000073CE1000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4280-66-0x0000000073530000-0x0000000073CE1000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4280-42-0x0000000007A40000-0x0000000007A74000-memory.dmp

    Filesize

    208KB

    Download