Resubmissions

10-11-2024 21:28

241110-1bhk6avgrr 10

Analysis

  • max time kernel
    62s
  • max time network
    104s
  • platform
    windows7_x64
  • resource
    win7-20241023-en
  • submitted
    10-11-2024 21:28

General

  • Target

    0296e49137a482b7db3bed7fe16c5ad20b083b20a8ce56b6c42309fff94d50b6.exe

Malware Config

Extracted

Family

snakekeylogger

C2

https://api.telegram.org/bot5542941782:AAFlsn_FCfYT7D_ZthXK_Udd4a15AE58_Wg/sendMessage?chat_id=2054148913

Signatures

  • Snake Keylogger

    Keylogger and Infostealer first seen in November 2020.

  • Snake Keylogger payload 5 IoCs
  • Snakekeylogger family
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0296e49137a482b7db3bed7fe16c5ad20b083b20a8ce56b6c42309fff94d50b6.exe
    "C:\Users\Admin\AppData\Local\Temp\0296e49137a482b7db3bed7fe16c5ad20b083b20a8ce56b6c42309fff94d50b6.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2208
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\pfERLUVCmPr.exe"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2796
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\pfERLUVCmPr" /XML "C:\Users\Admin\AppData\Local\Temp\tmp2491.tmp"
      2⤵
      • System Location Discovery: System Language Discovery
      • Scheduled Task/Job: Scheduled Task
      PID:2716
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2864
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2864 -s 1068
        3⤵
        • Program crash
        PID:1804

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmp2491.tmp

    Filesize

    1KB

    MD5

    9ab60d0c8878057b103b4ebe5f99a281

    SHA1

    83d5e98718dafa6655c14f509e6098a60bc18aee

    SHA256

    54b80847f4ee42ad9e45b154cef0a8cd148f760c3203181601214c2fa1884540

    SHA512

    d0a3e72628f35e1b9054553c0fc6a4f53c879c29bc2a99e103b0aeecbb58aa56e410fff73bc7c940168c4506076147928052a309c9416336f8e5e95fa69719bc

  • memory/2208-4-0x0000000074B3E000-0x0000000074B3F000-memory.dmp

    Filesize

    4KB

  • memory/2208-3-0x0000000000D90000-0x0000000000DA6000-memory.dmp

    Filesize

    88KB

  • memory/2208-15-0x0000000004AD0000-0x0000000004AF6000-memory.dmp

    Filesize

    152KB

  • memory/2208-0-0x0000000074B3E000-0x0000000074B3F000-memory.dmp

    Filesize

    4KB

  • memory/2208-5-0x0000000074B30000-0x000000007521E000-memory.dmp

    Filesize

    6.9MB

  • memory/2208-6-0x0000000000620000-0x000000000062C000-memory.dmp

    Filesize

    48KB

  • memory/2208-7-0x0000000004B30000-0x0000000004B90000-memory.dmp

    Filesize

    384KB

  • memory/2208-1-0x0000000000FA0000-0x000000000106C000-memory.dmp

    Filesize

    816KB

  • memory/2208-28-0x0000000074B30000-0x000000007521E000-memory.dmp

    Filesize

    6.9MB

  • memory/2208-2-0x0000000074B30000-0x000000007521E000-memory.dmp

    Filesize

    6.9MB

  • memory/2864-25-0x0000000000400000-0x0000000000426000-memory.dmp

    Filesize

    152KB

  • memory/2864-27-0x0000000000400000-0x0000000000426000-memory.dmp

    Filesize

    152KB

  • memory/2864-26-0x0000000000400000-0x0000000000426000-memory.dmp

    Filesize

    152KB

  • memory/2864-24-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

    Filesize

    4KB

  • memory/2864-18-0x0000000000400000-0x0000000000426000-memory.dmp

    Filesize

    152KB

  • memory/2864-22-0x0000000000400000-0x0000000000426000-memory.dmp

    Filesize

    152KB

  • memory/2864-20-0x0000000000400000-0x0000000000426000-memory.dmp

    Filesize

    152KB

  • memory/2864-17-0x0000000000400000-0x0000000000426000-memory.dmp

    Filesize

    152KB