Overview

overview

10

Static

static

3

Bank trans...15.exe

windows7-x64

10

Bank trans...15.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    117s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    25-10-2024 14:22

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Bank transfer receipt 241015.exe

  • Size

    499KB

  • MD5

    a56e9ac0bdfb2994a47cff685f5082a8

  • SHA1

    855fef6a65caf563685f757a11b653a43472e4be

  • SHA256

    1546c45496290063818a4e24b240aa8cd88c8023dccb2876706a569a0359be9e

  • SHA512

    97bb5879e5a1be00eb980a5e51a6caa69fa4e5731e377236c4abf3b9cdaa7a5ef0b3040feb468c219e80ad42b49049f0fb74d3843bf896a4d23a947804a73342

  • SSDEEP

    12288:62UScVclz+IuSqKixs7p2JYQE3Pu98rxG6ortJ6zdhp:6UcVuSpW/3RN

Score
10/10
snakekeyloggerdiscoveryexecutionkeyloggerstealer

Malware Config

Extracted

Family

snakekeylogger

C2

https://api.telegram.org/bot7952998151:AAFh98iY7kaOlHAR0qftD3ZcqGbQm0TXbBY/sendMessage?chat_id=5692813672

Signatures

  • Snake Keylogger

    Keylogger and Infostealer first seen in November 2020.

    stealerkeyloggersnakekeylogger
  • Snake Keylogger payload 5 IoCs
  • Snakekeylogger family
    snakekeylogger
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Deletes itself 1 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 29 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Bank transfer receipt 241015.exe
    "C:\Users\Admin\AppData\Local\Temp\Bank transfer receipt 241015.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2568
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Bank transfer receipt 241015.exe"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2296
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\vYxHVdr.exe"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2916
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\vYxHVdr" /XML "C:\Users\Admin\AppData\Local\Temp\tmpF612.tmp"
      2⤵
      • System Location Discovery: System Language Discovery
      • Scheduled Task/Job: Scheduled Task
      PID:2784
    • C:\Users\Admin\AppData\Local\Temp\Bank transfer receipt 241015.exe
      "C:\Users\Admin\AppData\Local\Temp\Bank transfer receipt 241015.exe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2856
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\Bank transfer receipt 241015.exe"
        3⤵
        • Deletes itself
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1888
        • C:\Windows\SysWOW64\choice.exe
          choice /C Y /N /D Y /T 3
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2616

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmpF612.tmp
    Filesize

    1KB

    MD5

    7c0b5cd9efe80a8913d3725bcdd21414

    SHA1

    00162bcea92d116ad2a9f14eaa00b528cdaba788

    SHA256

    2518a756656c93d55b8c1653b26f458597f6298af0eefdeed880717cfa9bdb9f

    SHA512

    63c9b8b1a09e7d0dff5a257bf7bd274499db6d02fd57e658f8b39c4ef6f57d410c761c9763da88a57b02da11e24e8edf020e926089e4a35bae7b13f8e426f4fe

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\KCCXUPK4DJ7427ZH2OD9.temp
    Filesize

    7KB

    MD5

    4d9480fc14da12f721b25115bf4bce49

    SHA1

    e151ad648402e41b45f2e8218cd1c784c33edbbc

    SHA256

    3b2e29b3d5266d5105291042e17bc6dde4032ba9b5c82177c908dbfed1f81404

    SHA512

    fe6bc3381f61a25b597591f8d9d94d25bd6dc5f9e7d5e33772530691244f66bebfc2b6ffc39f8e025adfc17a68be9905092d09c4bbe1461a2b43d068b207f579

    Download Submit

  • memory/2568-4-0x000000007402E000-0x000000007402F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2568-32-0x0000000074020000-0x000000007470E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2568-0-0x000000007402E000-0x000000007402F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2568-5-0x0000000074020000-0x000000007470E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2568-6-0x0000000005270000-0x00000000052D8000-memory.dmp

    Filesize

    416KB

    Download

  • memory/2568-2-0x0000000074020000-0x000000007470E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2568-1-0x0000000000E10000-0x0000000000E94000-memory.dmp

    Filesize

    528KB

    Download

  • memory/2568-3-0x0000000000270000-0x0000000000282000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2856-31-0x0000000000400000-0x0000000000426000-memory.dmp

    Filesize

    152KB

    Download

  • memory/2856-28-0x0000000000400000-0x0000000000426000-memory.dmp

    Filesize

    152KB

    Download

  • memory/2856-27-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2856-25-0x0000000000400000-0x0000000000426000-memory.dmp

    Filesize

    152KB

    Download

  • memory/2856-23-0x0000000000400000-0x0000000000426000-memory.dmp

    Filesize

    152KB

    Download

  • memory/2856-21-0x0000000000400000-0x0000000000426000-memory.dmp

    Filesize

    152KB

    Download

  • memory/2856-19-0x0000000000400000-0x0000000000426000-memory.dmp

    Filesize

    152KB

    Download

  • memory/2856-29-0x0000000000400000-0x0000000000426000-memory.dmp

    Filesize

    152KB

    Download