Overview

overview

10

Static

static

3

SEM2024000002383.exe

windows7-x64

8

SEM2024000002383.exe

windows10-2004-x64

10

Synligstes84.ps1

windows7-x64

3

Synligstes84.ps1

windows10-2004-x64

8

Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    21-10-2024 16:38

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    SEM2024000002383.exe

  • Size

    748KB

  • MD5

    06fa51d68f2545f28a2b942b01a4bb13

  • SHA1

    74fb1ce042c1982155d6d190b446dd429c7ad463

  • SHA256

    fb79dfe6e2eebbe7882d3e688ff377c3ffcfc8d41f35e1af16f224846f4fab5b

  • SHA512

    a11d5b3fccfc2cf03913903382b2521b609bd2d798d50e6b151c8a88f1cb835456e0f1ace18c50037de6b93c656f51b88e783fb42b80b38fd3be0d772cc5c773

  • SSDEEP

    12288:jG6QMVyGP0Fx53cAA0jGnheowOyGOs61IYZVAecgs9FMa1Mdq8jJM:jG6QtGP0OhsGnheowDGMIYO7MoOM

Score
10/10
snakekeyloggercollectiondiscoveryexecutionkeyloggerspywarestealer

Malware Config

Extracted

Family

snakekeylogger

C2

https://api.telegram.org/bot7840943707:AAFvjApaxzyzfiy9tTVH4n-N6k-rIeMo504/sendMessage?chat_id=2129508827

Signatures

  • Snake Keylogger

    Keylogger and Infostealer first seen in November 2020.

    stealerkeyloggersnakekeylogger
  • Snake Keylogger payload 2 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Run Powershell and hide display window.

    execution
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses Microsoft Outlook profiles 1 TTPs 6 IoCs
    collection
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of NtCreateThreadExHideFromDebugger 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 22 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 46 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\SEM2024000002383.exe
    "C:\Users\Admin\AppData\Local\Temp\SEM2024000002383.exe"
    1⤵
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4504
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" -windowstyle hidden "$Woodwaxen=Get-Content -raw 'C:\Users\Admin\AppData\Local\Temp\superincomprehensible\Synligstes84.Hig';$Fragtvogne=$Woodwaxen.SubString(6209,3);.$Fragtvogne($Woodwaxen)"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2716
      • C:\Users\Admin\AppData\Local\Temp\sparekassebestyrere.exe
        "C:\Users\Admin\AppData\Local\Temp\sparekassebestyrere.exe"
        3⤵
        • Loads dropped DLL
        • Accesses Microsoft Outlook profiles
        • Suspicious use of NtCreateThreadExHideFromDebugger
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • outlook_office_path
        • outlook_win_path
        PID:2476
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" -windowstyle hidden "$Woodwaxen=Get-Content -raw 'C:\Users\Admin\AppData\Local\Temp\superincomprehensible\Synligstes84.Hig';$Fragtvogne=$Woodwaxen.SubString(6209,3);.$Fragtvogne($Woodwaxen)"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4052
      • C:\Users\Admin\AppData\Local\Temp\sparekassebestyrere.exe
        "C:\Users\Admin\AppData\Local\Temp\sparekassebestyrere.exe"
        3⤵
        • Loads dropped DLL
        • Accesses Microsoft Outlook profiles
        • Suspicious use of NtCreateThreadExHideFromDebugger
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4852

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\05DDC6AA91765AACACDB0A5F96DF8199
    Filesize

    854B

    MD5

    e935bc5762068caf3e24a2683b1b8a88

    SHA1

    82b70eb774c0756837fe8d7acbfeec05ecbf5463

    SHA256

    a8accfcfeb51bd73df23b91f4d89ff1a9eb7438ef5b12e8afda1a6ff1769e89d

    SHA512

    bed4f6f5357b37662623f1f8afed1a3ebf3810630b2206a0292052a2e754af9dcfe34ee15c289e3d797a8f33330e47c14cbefbc702f74028557ace29bf855f9e

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
    Filesize

    1KB

    MD5

    43832069d8f03a5d73dc278fae3b35ea

    SHA1

    ff26203bf08efd341b9b7af5a691e6f3abd84822

    SHA256

    1e471a8afb34a6896632c7930b04f0aa6771aece3c7c97e270da8ab55970fb6f

    SHA512

    c66445de1b855578da64212bcd649fdfe0ab3ce43c6635614779f1ca656cb732458eac03e6a3119cb6aa3728ca85b791da68f1a9a2ab4b33b338f7bd89f7b194

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\4FA45AE1010E09657982D8D28B3BD38E_B60DAD4239F8DBB7FDA230724F9F9DFD
    Filesize

    471B

    MD5

    55dd21411f214fc63eeacc240a6e8b61

    SHA1

    11374ef319aa8627dd65619e6e6f4886c6124bb7

    SHA256

    6b82653fabdf71adbeb51838b98136533d47c77991d73da6318d4fae61f0b0f5

    SHA512

    d6f585d48b85a45588f7ad4b24e0fe2a5894ea395b593fb9bb1f50644f3857bd25f8ba4b2aa370b9ed9e568b7bf6dce115cb9577ede452a9a8548d656cca55a5

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\DDE8B1B7E253A9758EC380BD648952AF_3459237E893F04A4596206DC25825D64
    Filesize

    472B

    MD5

    bac80766bb58bd773b103a4901553ec8

    SHA1

    a70d9baf9bad99c2dc5b7c2651a7c37e676ff6b5

    SHA256

    8df55918cdbd2a47e6e3d059a8d81619347b7d251bf30cf93ad73820e3a9e6ea

    SHA512

    91796008239d01776728ac888f35a8cf9d85ff0d4c5e848b0dfba8b2be914b7c92378c9bf3928fc325dc7bcb46ebcf492deaf7776aee3421e5abf7acdebdc060

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\05DDC6AA91765AACACDB0A5F96DF8199
    Filesize

    170B

    MD5

    7f646a9724e29069c06cca20f5cff4e3

    SHA1

    23f8c05f0ca8c25e0ee1fe1b81c9ce83fc919eb5

    SHA256

    027e0b82257121180eaa9d61e53b6973173e4ccc3f118309d0344b4176ce770c

    SHA512

    357828881d262045788113f5cedd2361a7f8d84fd4a6454070b3e75da905538eb529b675d9c5a5ddcfa6359dec1c21e5d0cd004c4f633cad7a2fb44c9f7687dd

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
    Filesize

    410B

    MD5

    7c904444bb801e3bed7c479a4e03dd73

    SHA1

    ab6e49be103e59609f9d8158edcb866f091b0cbe

    SHA256

    8c5e3dd5ecbc09a24d5e90c5c0e4aa2ab3d5667757305af54cf33d0330980153

    SHA512

    b82f330740e260899d2de6e83e5469e7ce394de602814b0f7e4ab17a88be23cfeb06bf049cf160330baeb3e95f996f0000d9b43c4323932ab84f929255ef2380

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
    Filesize

    410B

    MD5

    1bfaaedb8fd209f88294390206357ec5

    SHA1

    d3b73f1a85991b8215d57b3851d1697f0c154934

    SHA256

    763b6a00e459205aa9f832c19ba99d1b7520e9ec4023a4f8c34a6582f4ee6051

    SHA512

    f6e7b01b10501c797e1f522f57110f508a77d2919541496e0131c1715b0987cd439360398d2862fe3601279efc3ee230279a0428a7dcce2927138e1e30ac8536

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\4FA45AE1010E09657982D8D28B3BD38E_B60DAD4239F8DBB7FDA230724F9F9DFD
    Filesize

    406B

    MD5

    8a513305673aac77269c36b9835b4fb3

    SHA1

    5effe6a6400ee1ac40079b9675f1f41752ad4304

    SHA256

    111cd6a1ff4c5e23b0cfac1c25cd0ac0e0322a3d7e27e28915acccb67b2238a7

    SHA512

    29c437bae63e3c591c3235f3507489d3c9bba510848e89bd202274f240fb0318a39d61e69f048fdf3b43223b6fee89b0d23e89e4b7ef0f22df787cfb1e1a7ae1

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\DDE8B1B7E253A9758EC380BD648952AF_3459237E893F04A4596206DC25825D64
    Filesize

    402B

    MD5

    25020628e1fddf79b469088c7b04b153

    SHA1

    56a664315d5ca616b7ca2cf18d169dce8fc1823a

    SHA256

    a894ac36e721cb07a354b7fe20ff4c8e570e9a993e40c8b25a7af211ff82c33c

    SHA512

    d4577e631a7a8e97309b0034c589471244c6888aedcff085e47e081f51b8bc1c23b110715a488d48b1ed6501d9222e23f47b8bc2eed2fdc252ce4b8129a1181a

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
    Filesize

    53KB

    MD5

    01404e51f6442f60e478c306b1e6e52e

    SHA1

    37f234ccf5611b8309023410ceb9e76ad81f5678

    SHA256

    d4356dd23aa2e811712132f9718786331661a1bd0d062c49cb76807b9563928b

    SHA512

    94a9d843ae4055e2a9b412f03cba85e2d7b804ec3106f059d14ca50b15ae4acc6cd452f9461c2e21d1632d06848c969732c539aea17869b8b3a2f5ab93b891d7

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_gm03zspx.0we.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\sparekassebestyrere.exe
    Filesize

    748KB

    MD5

    06fa51d68f2545f28a2b942b01a4bb13

    SHA1

    74fb1ce042c1982155d6d190b446dd429c7ad463

    SHA256

    fb79dfe6e2eebbe7882d3e688ff377c3ffcfc8d41f35e1af16f224846f4fab5b

    SHA512

    a11d5b3fccfc2cf03913903382b2521b609bd2d798d50e6b151c8a88f1cb835456e0f1ace18c50037de6b93c656f51b88e783fb42b80b38fd3be0d772cc5c773

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\superincomprehensible\Artiskokkerne.Pol
    Filesize

    306KB

    MD5

    e722a2a3f5a340e2b87e12ec6a1f33a5

    SHA1

    b0c047440e053e3ec01d6d94cc1f21663294dd27

    SHA256

    4c2064e7a4e41fe147b87eb6e298bb93133b9b2334d143a1b18ec5758ac487fc

    SHA512

    a8359b0abc35dd980cda9a117ed85bc622df00ad827c0afa7c185270869404fbcc4e43c8640b1c5aee1f4048c100d375372bbc80410fecf747f2717ff266a26a

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\superincomprehensible\Synligstes84.Hig
    Filesize

    53KB

    MD5

    453a8e6a5068ae5a2e5d99de31a13b3b

    SHA1

    9f202a5b9a8cf1ae90030e14ea99c4e787338ede

    SHA256

    4ac6b7ddcc88b43191a8e1329e632c3246b10dcd077b1e79efa2f0559cafa7f6

    SHA512

    37b6296b2434b1791d7e709d17cd8bcce6d8111505648b63227e1004461de31d07922497ed80be4e6ab115ece2964394cf6a3c1b26725a3da2fa0bb3cf7cac46

    Download Submit

  • memory/2716-38-0x0000000006D30000-0x0000000006D52000-memory.dmp

    Filesize

    136KB

    Download

  • memory/2716-12-0x0000000006190000-0x00000000061F6000-memory.dmp

    Filesize

    408KB

    Download

  • memory/2716-39-0x0000000007EA0000-0x0000000008444000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/2716-37-0x0000000006C90000-0x0000000006CAA000-memory.dmp

    Filesize

    104KB

    Download

  • memory/2716-41-0x0000000008AD0000-0x000000000914A000-memory.dmp

    Filesize

    6.5MB

    Download

  • memory/2716-44-0x000000006FF10000-0x0000000070264000-memory.dmp

    Filesize

    3.3MB

    Download

  • memory/2716-55-0x0000000073910000-0x00000000740C0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/2716-7-0x00000000051F0000-0x0000000005226000-memory.dmp

    Filesize

    216KB

    Download

  • memory/2716-68-0x0000000073910000-0x00000000740C0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/2716-56-0x0000000007C60000-0x0000000007D03000-memory.dmp

    Filesize

    652KB

    Download

  • memory/2716-69-0x0000000007D70000-0x0000000007D7A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/2716-54-0x0000000007C30000-0x0000000007C4E000-memory.dmp

    Filesize

    120KB

    Download

  • memory/2716-9-0x0000000005950000-0x0000000005F78000-memory.dmp

    Filesize

    6.2MB

    Download

  • memory/2716-43-0x000000006FDA0000-0x000000006FDEC000-memory.dmp

    Filesize

    304KB

    Download

  • memory/2716-42-0x0000000007BF0000-0x0000000007C22000-memory.dmp

    Filesize

    200KB

    Download

  • memory/2716-8-0x0000000073910000-0x00000000740C0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/2716-71-0x0000000073910000-0x00000000740C0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/2716-10-0x0000000006010000-0x0000000006032000-memory.dmp

    Filesize

    136KB

    Download

  • memory/2716-11-0x00000000060B0000-0x0000000006116000-memory.dmp

    Filesize

    408KB

    Download

  • memory/2716-36-0x0000000007850000-0x00000000078E6000-memory.dmp

    Filesize

    600KB

    Download

  • memory/2716-78-0x0000000073910000-0x00000000740C0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/2716-77-0x000000007391E000-0x000000007391F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2716-6-0x000000007391E000-0x000000007391F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2716-80-0x0000000073910000-0x00000000740C0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/2716-22-0x0000000006300000-0x0000000006654000-memory.dmp

    Filesize

    3.3MB

    Download

  • memory/2716-23-0x00000000067A0000-0x00000000067BE000-memory.dmp

    Filesize

    120KB

    Download

  • memory/2716-83-0x0000000009150000-0x000000000ECAB000-memory.dmp

    Filesize

    91.4MB

    Download

  • memory/2716-84-0x0000000073910000-0x00000000740C0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/2716-86-0x0000000073910000-0x00000000740C0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/2716-24-0x00000000067F0000-0x000000000683C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/2716-88-0x0000000073910000-0x00000000740C0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/2716-94-0x0000000073910000-0x00000000740C0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4052-70-0x0000000073910000-0x00000000740C0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4052-58-0x000000006FF10000-0x0000000070264000-memory.dmp

    Filesize

    3.3MB

    Download

  • memory/4052-25-0x0000000073910000-0x00000000740C0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4052-82-0x0000000073910000-0x00000000740C0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4052-81-0x0000000073910000-0x00000000740C0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4052-26-0x0000000073910000-0x00000000740C0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4052-73-0x0000000007AE0000-0x0000000007B04000-memory.dmp

    Filesize

    144KB

    Download

  • memory/4052-72-0x0000000005130000-0x000000000515A000-memory.dmp

    Filesize

    168KB

    Download

  • memory/4052-87-0x0000000073910000-0x00000000740C0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4052-97-0x0000000073910000-0x00000000740C0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4052-57-0x000000006FDA0000-0x000000006FDEC000-memory.dmp

    Filesize

    304KB

    Download

  • memory/4852-142-0x0000000026740000-0x000000002674A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/4852-135-0x0000000000470000-0x0000000000496000-memory.dmp

    Filesize

    152KB

    Download

  • memory/4852-133-0x0000000000470000-0x00000000016C4000-memory.dmp

    Filesize

    18.3MB

    Download

  • memory/4852-136-0x00000000257C0000-0x000000002585C000-memory.dmp

    Filesize

    624KB

    Download

  • memory/4852-139-0x00000000260F0000-0x0000000026140000-memory.dmp

    Filesize

    320KB

    Download

  • memory/4852-140-0x00000000264A0000-0x0000000026662000-memory.dmp

    Filesize

    1.8MB

    Download

  • memory/4852-141-0x0000000026670000-0x0000000026702000-memory.dmp

    Filesize

    584KB

    Download

  • memory/4852-124-0x0000000000470000-0x00000000016C4000-memory.dmp

    Filesize

    18.3MB

    Download