Analysis
  max time kernel:  70s
  max time network: 75s
  platform:         windows10-2004_x64
  resource:         win10v2004-20241007-en
  resource tags:    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  submitted:        14/10/2024, 18:18
Static task
  static1

Behavioral task
  behavioral1
    Sample:   1bad301dc6bc6e3ebda9398dc725cc09.exe
    Resource: win7-20240708-en

Behavioral task
  behavioral2
    Sample:   1bad301dc6bc6e3ebda9398dc725cc09.exe
    Resource: win10v2004-20241007-en
General
  Target: 1bad301dc6bc6e3ebda9398dc725cc09.exe
  Size:   955KB
  MD5:    1bad301dc6bc6e3ebda9398dc725cc09
  SHA1:   f0bd08347b10015e8fb5b3947ac5ed29c76bf3b0
  SHA256: b6d1c9c00367ad125a2a658201e70bbe8fb02890e29d1d595e6d1a5755220e99
  SHA512: e5c833c046d1648dcd53ee6009317940953448d8db6fe086e3c38a4afd299b66b249cb7549f15db30240f5ba95a3fafc4042432197547b92af23c8476f8a6b98
  SSDEEP: 12288:oAMOc+aZoNhChWtbK45UvSmG9D1TAk44idXvR8KahaHR:gZKCebJUamQN4i+R
Malware Config
  Extracted: snakekeylogger
    Protocol: smtp
    Host:     smtp.vivaldi.net
    Port:     587
    Username: [email protected]
    Password: 5555chibuike
    Email To: [email protected]

  The exfiltration channel is authenticated SMTP submission (port 587) through a legitimate public mail provider, so the actionable indicators are the account and its credentials rather than the host: blocking smtp.vivaldi.net outright would also break legitimate Vivaldi mail users, whereas the credentials can be reported to the provider and hunted for in outbound mail telemetry. The two addresses survive on this page only as the placeholder shown.
Signatures

Snake Keylogger
  Keylogger and infostealer first seen in November 2020.

Snake Keylogger payload (1 IoC)
  resource:  behavioral2/memory/392-15-0x0000000000400000-0x0000000000424000-memory.dmp
  yara_rule: family_snakekeylogger
  The family rule matches in the memory of PID 392 (RegSvcs.exe), at the 0x400000-0x424000 region, not in the dropper's own image.

Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation
  Process:           1bad301dc6bc6e3ebda9398dc725cc09.exe

Looks up external IP address via web service (3 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow 40: checkip.dyndns.org
  flow 42: freegeoip.app
  flow 43: freegeoip.app
  Both hosts are legitimate services; they are a good pivot for hunting (a non-browser process resolving them) rather than candidates for a blanket block.

Suspicious use of SetThreadContext (1 IoC)
  PID 640 (1bad301dc6bc6e3ebda9398dc725cc09.exe) set thread context of PID 392 (procid_target 99)

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Program crash (1 IoC)
  PID 1896 (WerFault.exe) handled a crash of PID 392 (procid_target 99)

System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  by 1bad301dc6bc6e3ebda9398dc725cc09.exe
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  by schtasks.exe
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  by RegSvcs.exe
  This key is read by most processes during startup (which is why schtasks.exe and RegSvcs.exe appear here too), so on its own it is weak evidence; the Geo\Nation query above is the more specific geofence indicator.

Scheduled Task/Job: Scheduled Task (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  PID 1712 (schtasks.exe)

Suspicious behavior: EnumeratesProcesses (2 IoCs)
  PID 640 (1bad301dc6bc6e3ebda9398dc725cc09.exe)
  PID 392 (RegSvcs.exe)

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege  PID 640 (1bad301dc6bc6e3ebda9398dc725cc09.exe)
  Token: SeDebugPrivilege  PID 392 (RegSvcs.exe)

Suspicious use of WriteProcessMemory (11 IoCs)
  PID 640 (1bad301dc6bc6e3ebda9398dc725cc09.exe) wrote to memory of PID 1712 (procid_target 97): 3 rows
  PID 640 (1bad301dc6bc6e3ebda9398dc725cc09.exe) wrote to memory of PID 392 (procid_target 99):  8 rows
  Taken together with the SetThreadContext row, the writes into PID 392 are consistent with process hollowing of RegSvcs.exe; the three writes into PID 1712 (schtasks.exe) with no SetThreadContext are consistent with an ordinary child-process creation.
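The SetThreadContext and WriteProcessMemory rows above are flattened one-line records, and reading the injection relationships out of them by eye gets error-prone on larger reports. The following is an added example, not tria.ge's code, that parses rows in the exact shape printed above (copied from this report), builds a per-child verdict (write plus SetThreadContext from the same parent means a hollowed process; writes alone mean a spawned child), and cross-checks the verdict against the memory-dump path of the family YARA hit. The pid-to-image map is taken from the Processes section; the meaning of the middle number in the dump file name is not interpreted.

```python
import re
from collections import Counter

# Rows copied verbatim from the report's SetThreadContext and
# WriteProcessMemory signatures. Grammar (tria.ge layout, source pid appears
# twice): "PID <src> <verb> <dst> <src> <process> <procid_target>"
REPORT_ROWS = """
PID 640 set thread context of 392 640 1bad301dc6bc6e3ebda9398dc725cc09.exe 99
PID 640 wrote to memory of 1712 640 1bad301dc6bc6e3ebda9398dc725cc09.exe 97
PID 640 wrote to memory of 1712 640 1bad301dc6bc6e3ebda9398dc725cc09.exe 97
PID 640 wrote to memory of 1712 640 1bad301dc6bc6e3ebda9398dc725cc09.exe 97
PID 640 wrote to memory of 392 640 1bad301dc6bc6e3ebda9398dc725cc09.exe 99
PID 640 wrote to memory of 392 640 1bad301dc6bc6e3ebda9398dc725cc09.exe 99
PID 640 wrote to memory of 392 640 1bad301dc6bc6e3ebda9398dc725cc09.exe 99
PID 640 wrote to memory of 392 640 1bad301dc6bc6e3ebda9398dc725cc09.exe 99
PID 640 wrote to memory of 392 640 1bad301dc6bc6e3ebda9398dc725cc09.exe 99
PID 640 wrote to memory of 392 640 1bad301dc6bc6e3ebda9398dc725cc09.exe 99
PID 640 wrote to memory of 392 640 1bad301dc6bc6e3ebda9398dc725cc09.exe 99
PID 640 wrote to memory of 392 640 1bad301dc6bc6e3ebda9398dc725cc09.exe 99
"""

# pid -> image name, from the Processes section of the report
PROCESS_IMAGES = {
    640: "1bad301dc6bc6e3ebda9398dc725cc09.exe",
    1712: "schtasks.exe",
    392: "RegSvcs.exe",
    1896: "WerFault.exe",
    2736: "WerFault.exe",
}

# Memory-dump path from the family_snakekeylogger YARA hit in the report
YARA_DUMP = "behavioral2/memory/392-15-0x0000000000400000-0x0000000000424000-memory.dmp"

ROW_RE = re.compile(
    r"^PID (\d+) (wrote to memory of|set thread context of) (\d+) (\d+) (\S+) (\d+)$"
)
DUMP_RE = re.compile(r"memory/(\d+)-(\d+)-0x([0-9a-fA-F]+)-0x([0-9a-fA-F]+)-memory\.dmp$")


def parse_rows(text):
    """Return (src_pid, kind, dst_pid, src_image) edges; kind is 'write' or 'ctx'."""
    edges = []
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            raise ValueError(f"unrecognised row: {line!r}")
        src, verb, dst, src_again, image, _target = m.groups()
        if src != src_again:  # the layout repeats the source pid; refuse to guess on mismatch
            raise ValueError(f"source pid mismatch: {line!r}")
        edges.append((int(src), "write" if verb.startswith("wrote") else "ctx", int(dst), image))
    return edges


def injection_graph(edges, images):
    """Per target pid: verdict, parent, write count and image names."""
    writes = Counter()
    ctx = set()
    for src, kind, dst, _ in edges:
        if kind == "write":
            writes[(src, dst)] += 1
        else:
            ctx.add((src, dst))
    graph = {}
    for (src, dst), n in writes.items():
        verdict = "hollowed" if (src, dst) in ctx else "spawned"
        graph[dst] = {"verdict": verdict, "parent": src, "writes": n,
                      "parent_image": images.get(src), "image": images.get(dst)}
    for src, dst in ctx:  # SetThreadContext with no recorded write: keep it visible
        graph.setdefault(dst, {"verdict": "context-only", "parent": src, "writes": 0,
                               "parent_image": images.get(src), "image": images.get(dst)})
    return graph


def hollowed_pids(graph):
    return sorted(pid for pid, info in graph.items() if info["verdict"] == "hollowed")


def parse_dump_path(path):
    """Pull pid and region out of a tria.ge memory dump file name."""
    m = DUMP_RE.search(path)
    if not m:
        raise ValueError(f"not a memory dump path: {path!r}")
    pid, _seq, start, end = m.groups()
    start, end = int(start, 16), int(end, 16)
    return {"pid": int(pid), "start": start, "end": end, "size": end - start}


def payload_in_hollowed_process(graph, dump):
    """True when the YARA hit lives in a process the graph marks as hollowed."""
    return graph.get(dump["pid"], {}).get("verdict") == "hollowed"


if __name__ == "__main__":
    g = injection_graph(parse_rows(REPORT_ROWS), PROCESS_IMAGES)
    for pid, info in sorted(g.items()):
        print(pid, info)
    print("hollowed:", hollowed_pids(g), "yara in hollowed:",
          payload_in_hollowed_process(g, parse_dump_path(YARA_DUMP)))
```

The verdict logic deliberately keys on the pair of signals rather than on write counts, because a parent writing into a freshly created child is normal and the counts vary by Windows version; it is the thread-context change on the same child that distinguishes hollowing.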
Processes
  C:\Users\Admin\AppData\Local\Temp\1bad301dc6bc6e3ebda9398dc725cc09.exe  (PID 640)
    command line: "C:\Users\Admin\AppData\Local\Temp\1bad301dc6bc6e3ebda9398dc725cc09.exe"
    - Checks computer location settings
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\schtasks.exe  (PID 1712)
      command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\IpjwODDiZ" /XML "C:\Users\Admin\AppData\Local\Temp\tmp3CA6.tmp"
      - System Location Discovery: System Language Discovery
      - Scheduled Task/Job: Scheduled Task
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  (PID 392)
      command line: "{path}"
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      C:\Windows\SysWOW64\WerFault.exe  (PID 1896)
        command line: C:\Windows\SysWOW64\WerFault.exe -u -p 392 -s 1752
        - Program crash
  C:\Windows\SysWOW64\WerFault.exe  (PID 2736)
    command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 392 -ip 392

Reading the tree:
  - The sample is a 32-bit process (arch:x86 tag, SysWOW64 image paths, RegSvcs.exe from Framework rather than Framework64), so the command line's System32\schtasks.exe is redirected to SysWOW64\schtasks.exe by WOW64 file-system redirection.
  - Persistence is a scheduled task named Updates\IpjwODDiZ created from an XML definition dropped as tmp3CA6.tmp in the user's Temp directory; the task XML itself is not reproduced in this report.
  - RegSvcs.exe is started with the literal command line "{path}" and no assembly to register. Together with the WriteProcessMemory and SetThreadContext rows from PID 640 and the family YARA hit inside PID 392's memory, this is the hollowed host process for the Snake Keylogger payload.
  - PID 392 then crashed: WerFault.exe was invoked for it (-p 392) as a child, and a second WerFault instance (PID 2736, -pss) ran at the top level. Behaviour after that crash, including any keylogging or SMTP exfiltration, is not represented in this run.
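The process tree exposes host artifacts that land in ordinary process-creation, registry and DNS telemetry even when no sandbox is watching for SetThreadContext: schtasks.exe creating a task from an XML file in the user's Temp directory, RegSvcs.exe started by a Temp-resident parent with the literal "{path}" command line, the Geo\Nation query, and lookups of the external-IP services. The following is an added example, not tria.ge's code or a product rule, that runs those four checks over a constructed event stream in a generic EDR-like shape (not Sysmon or tria.ge output) and rolls the hits up the parent chain so a verdict is attached to the root process. The event values mirror the report; attributing the DNS lookups to PID 392 is an assumption, since the report's flow rows carry no pid, and the two benign control rows (an installer's schtasks and a RegSvcs.exe with a real assembly argument) are constructed.

```python
import re
from collections import defaultdict

# Constructed telemetry (not real Sysmon or tria.ge output); values mirror the report's
# process tree. DNS rows are assigned to PID 392 as an assumption. The last two rows
# are constructed benign controls that the rules must not flag.
EVENTS = [
    {"type": "process", "pid": 640, "ppid": 3000,
     "image": r"C:\Users\Admin\AppData\Local\Temp\1bad301dc6bc6e3ebda9398dc725cc09.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\1bad301dc6bc6e3ebda9398dc725cc09.exe"'},
    {"type": "registry", "pid": 640, "op": "query",
     "key": r"\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation"},
    {"type": "process", "pid": 1712, "ppid": 640, "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmdline": r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\IpjwODDiZ" /XML "C:\Users\Admin\AppData\Local\Temp\tmp3CA6.tmp"'},
    {"type": "process", "pid": 392, "ppid": 640,
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe", "cmdline": '"{path}"'},
    {"type": "dns", "pid": 392, "query": "checkip.dyndns.org"},
    {"type": "dns", "pid": 392, "query": "freegeoip.app"},
    {"type": "process", "pid": 4100, "ppid": 4000, "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'"C:\Windows\System32\schtasks.exe" /Create /TN "Vendor\Updater" /XML "C:\Program Files\Vendor\updater.xml"'},
    {"type": "process", "pid": 4200, "ppid": 4000,
     "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe",
     "cmdline": r'"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe" "C:\Program Files\Vendor\Service.dll"'},
]

TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.I)
XML_ARG_RE = re.compile(r'/xml\s+"?([^"]+)"?', re.I)
IP_LOOKUP_HOSTS = {"checkip.dyndns.org", "freegeoip.app"}  # the two services in the report
REQUIRED_FOR_VERDICT = {"schtasks_xml_from_temp", "regsvcs_hollowing_host"}


def detect(events):
    """Map pid -> list of rule names hit by that pid's own events."""
    procs = {e["pid"]: e for e in events if e["type"] == "process"}
    hits = defaultdict(list)
    for e in events:
        pid = e["pid"]
        if e["type"] == "process":
            img, cmd = e["image"].lower(), e["cmdline"]
            # Task created from an XML definition in the user's Temp directory
            if img.endswith("\\schtasks.exe") and re.search(r"/create\b", cmd, re.I):
                m = XML_ARG_RE.search(cmd)
                if m and TEMP_RE.search(m.group(1)):
                    hits[pid].append("schtasks_xml_from_temp")
            # RegSvcs.exe with the literal "{path}" argument, or launched from Temp
            if img.endswith("\\regsvcs.exe"):
                parent = procs.get(e["ppid"])
                if cmd.strip() == '"{path}"' or (parent and TEMP_RE.search(parent["image"])):
                    hits[pid].append("regsvcs_hollowing_host")
        elif e["type"] == "registry":
            if e["key"].lower().endswith(r"\control panel\international\geo\nation"):
                hits[pid].append("geo_nation_query")
        elif e["type"] == "dns":
            if e["query"].lower() in IP_LOOKUP_HOSTS:
                hits[pid].append("external_ip_lookup")
    return dict(hits)


def roll_up(events, hits):
    """Attribute each pid's hits to the topmost ancestor present in the telemetry."""
    parent_of = {e["pid"]: e["ppid"] for e in events if e["type"] == "process"}
    rolled = defaultdict(set)
    for pid, names in hits.items():
        root = pid
        while parent_of.get(root) in parent_of:  # climb only through processes we saw
            root = parent_of[root]
        rolled[root].update(names)
    return dict(rolled)


def suspicious_roots(events):
    """Root pids whose tree shows both the persistence and the hollowing-host artifact."""
    rolled = roll_up(events, detect(events))
    return sorted(root for root, names in rolled.items() if REQUIRED_FOR_VERDICT <= names)


if __name__ == "__main__":
    for pid, names in sorted(detect(EVENTS).items()):
        print(pid, names)
    print("suspicious roots:", suspicious_roots(EVENTS))
```

The verdict requires both the Temp-sourced task creation and the anomalous RegSvcs.exe launch in the same process tree; either alone is a reasonable hunting lead, but the Geo\Nation query and the IP-lookup DNS are kept as supporting context rather than as triggers, because legitimate software performs both.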
Network
MITRE ATT&CK Enterprise v15
Downloads
  Filesize: 1KB
  MD5:      e31f46c1e1310ec57a02c51f22de15ce
  SHA1:     a5bea4a33341a1284c46263253f70dfdd9d46aa2
  SHA256:   0e6d647e8ea89e71ed9d3c63e0d3256f8f4c32b6644681af0159b141830c075d
  SHA512:   374204ad01549f7da7e6dff4af992f2b7333c7b16ddb53fbdf0052a83427adb80257cec5eca09dd75ba173f1ba02412c47d0c4602cb0c97cbef5484c7323b192