Overview

overview

10

Static

static

3

acbd111f6e...e2.exe

windows7-x64

10

acbd111f6e...e2.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    121s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20241023-en
  • resource tags

    arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
  • submitted
    19/11/2024, 05:15

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    acbd111f6e01f7a02777bf50b95d61a352d476f031e7421f1fb356454a81e4e2.exe

  • Size

    531KB

  • MD5

    07ee6bc3f0ca6f6a5b7d0b9824a79cbf

  • SHA1

    3701b4dc923b624576038d327753580f768cfae0

  • SHA256

    acbd111f6e01f7a02777bf50b95d61a352d476f031e7421f1fb356454a81e4e2

  • SHA512

    5b90d27ca78c37aa7fd11ef225bf51a49be067c3d1c54b849b43d6f7d4902419cd769f6a42ea7166cab9624ec8ec6c9a90e24a763a866c4adb1ff7b1d8833428

  • SSDEEP

    12288:GAj/s0yek+BBlUVh+Z0D8MWoftBOMTCD8ztwerE6H1nN:5a07UtYAFJe9qZ

Score
10/10
snakekeyloggerdiscoveryexecutionkeyloggerstealer

Malware Config

Extracted

Family

snakekeylogger

C2

https://api.telegram.org/bot7854764352:AAGsvrx8n7ByYi4c9ksbK9NcQWi81dzmeE8/sendMessage?chat_id=7894030394

Signatures

  • Snake Keylogger

    Keylogger and Infostealer first seen in November 2020.

    stealerkeyloggersnakekeylogger
  • Snake Keylogger payload 5 IoCs
  • Snakekeylogger family
    snakekeylogger
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Deletes itself 1 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 29 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\acbd111f6e01f7a02777bf50b95d61a352d476f031e7421f1fb356454a81e4e2.exe
    "C:\Users\Admin\AppData\Local\Temp\acbd111f6e01f7a02777bf50b95d61a352d476f031e7421f1fb356454a81e4e2.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1956
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\acbd111f6e01f7a02777bf50b95d61a352d476f031e7421f1fb356454a81e4e2.exe"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2944
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\fVPvzzxLd.exe"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2848
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\fVPvzzxLd" /XML "C:\Users\Admin\AppData\Local\Temp\tmp3BE8.tmp"
      2⤵
      • System Location Discovery: System Language Discovery
      • Scheduled Task/Job: Scheduled Task
      PID:2816
    • C:\Users\Admin\AppData\Local\Temp\acbd111f6e01f7a02777bf50b95d61a352d476f031e7421f1fb356454a81e4e2.exe
      "C:\Users\Admin\AppData\Local\Temp\acbd111f6e01f7a02777bf50b95d61a352d476f031e7421f1fb356454a81e4e2.exe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2864
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\acbd111f6e01f7a02777bf50b95d61a352d476f031e7421f1fb356454a81e4e2.exe"
        3⤵
        • Deletes itself
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1584
        • C:\Windows\SysWOW64\choice.exe
          choice /C Y /N /D Y /T 3
          4⤵
          • System Location Discovery: System Language Discovery
          PID:1508

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmp3BE8.tmp
    Filesize

    1KB

    MD5

    761890871f305c9c664ddd84185e6c24

    SHA1

    44cd782dbfde2d7435f406b2e101e4b521b2f2f8

    SHA256

    013e617a1d3db2bcf6d2b298be83131d363473bf19168daac2670aea527bacf2

    SHA512

    977f307ea1cf4c32731610a17aef132c2a7dd02f34b4cc14460fc82f68c69feb35d9238ea21129e75eee481ef6b463153e8d7b3d92255a6fd70170f3ba10152b

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
    Filesize

    7KB

    MD5

    26a8495ee501a28ad56fc015b0f06159

    SHA1

    889b4f55e91dcd048296e86d125dbaa645a9e1b1

    SHA256

    b8454788dd4de48968b40f8a5e61a294426d7b9bbb2faa48edaa1c082f714c63

    SHA512

    bbc2af652968ecad958ae1004a4d0092042235aa69d628c6c9eb3f7ac080c8a573ea7e862cee3de6587c35d6f90fc48ca9d6da3ecc19a8506e0a2c1795d4bec5

    Download Submit

  • memory/1956-4-0x0000000074110000-0x00000000747FE000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/1956-32-0x0000000074110000-0x00000000747FE000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/1956-0-0x000000007411E000-0x000000007411F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1956-5-0x0000000000400000-0x0000000000412000-memory.dmp

    Filesize

    72KB

    Download

  • memory/1956-6-0x0000000004370000-0x00000000043DC000-memory.dmp

    Filesize

    432KB

    Download

  • memory/1956-2-0x0000000074110000-0x00000000747FE000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/1956-1-0x0000000000300000-0x000000000038A000-memory.dmp

    Filesize

    552KB

    Download

  • memory/1956-3-0x000000007411E000-0x000000007411F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2864-31-0x0000000000400000-0x0000000000426000-memory.dmp

    Filesize

    152KB

    Download

  • memory/2864-28-0x0000000000400000-0x0000000000426000-memory.dmp

    Filesize

    152KB

    Download

  • memory/2864-27-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2864-25-0x0000000000400000-0x0000000000426000-memory.dmp

    Filesize

    152KB

    Download

  • memory/2864-23-0x0000000000400000-0x0000000000426000-memory.dmp

    Filesize

    152KB

    Download

  • memory/2864-21-0x0000000000400000-0x0000000000426000-memory.dmp

    Filesize

    152KB

    Download

  • memory/2864-19-0x0000000000400000-0x0000000000426000-memory.dmp

    Filesize

    152KB

    Download

  • memory/2864-29-0x0000000000400000-0x0000000000426000-memory.dmp

    Filesize

    152KB

    Download