Analysis
max time kernel: 121s
max time network: 123s
platform: windows7_x64
resource: win7-20241023-en
resource tags: arch:x64, arch:x86, image:win7-20241023-en, locale:en-us, os:windows7-x64, system
submitted: 19-11-2024 05:15
Static task: static1
Behavioral task: behavioral1
  Sample: acbd111f6e01f7a02777bf50b95d61a352d476f031e7421f1fb356454a81e4e2.exe
  Resource: win7-20241023-en
Behavioral task: behavioral2
  Sample: acbd111f6e01f7a02777bf50b95d61a352d476f031e7421f1fb356454a81e4e2.exe
  Resource: win10v2004-20241007-en
General
Target: acbd111f6e01f7a02777bf50b95d61a352d476f031e7421f1fb356454a81e4e2.exe
Size: 531KB
MD5: 07ee6bc3f0ca6f6a5b7d0b9824a79cbf
SHA1: 3701b4dc923b624576038d327753580f768cfae0
SHA256: acbd111f6e01f7a02777bf50b95d61a352d476f031e7421f1fb356454a81e4e2
SHA512: 5b90d27ca78c37aa7fd11ef225bf51a49be067c3d1c54b849b43d6f7d4902419cd769f6a42ea7166cab9624ec8ec6c9a90e24a763a866c4adb1ff7b1d8833428
SSDEEP: 12288:GAj/s0yek+BBlUVh+Z0D8MWoftBOMTCD8ztwerE6H1nN:5a07UtYAFJe9qZ
Malware Config
Extracted family: snakekeylogger
Exfiltration endpoint (Telegram Bot API): https://api.telegram.org/bot7854764352:AAGsvrx8n7ByYi4c9ksbK9NcQWi81dzmeE8/sendMessage?chat_id=7894030394
Signatures
-
Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
-
Snake Keylogger payload (5 IoCs)
resource | yara_rule
behavioral1/memory/2864-31-0x0000000000400000-0x0000000000426000-memory.dmp | family_snakekeylogger
behavioral1/memory/2864-29-0x0000000000400000-0x0000000000426000-memory.dmp | family_snakekeylogger
behavioral1/memory/2864-28-0x0000000000400000-0x0000000000426000-memory.dmp | family_snakekeylogger
behavioral1/memory/2864-25-0x0000000000400000-0x0000000000426000-memory.dmp | family_snakekeylogger
behavioral1/memory/2864-23-0x0000000000400000-0x0000000000426000-memory.dmp | family_snakekeylogger
-
Snakekeylogger family
-
Command and Scripting Interpreter: PowerShell (1 TTP, 2 IoCs)
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
pid | Process
2944 | powershell.exe
2848 | powershell.exe
-
Deletes itself (1 IoC)
pid | Process
1584 | cmd.exe
-
Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
4 | checkip.dyndns.org
-
Suspicious use of SetThreadContext (1 IoC)
description | pid | Process | procid_target
PID 1956 set thread context of 2864 | 1956 | acbd111f6e01f7a02777bf50b95d61a352d476f031e7421f1fb356454a81e4e2.exe | 37
-
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery (1 TTP, 7 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | schtasks.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | acbd111f6e01f7a02777bf50b95d61a352d476f031e7421f1fb356454a81e4e2.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | choice.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | acbd111f6e01f7a02777bf50b95d61a352d476f031e7421f1fb356454a81e4e2.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | powershell.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | powershell.exe
-
Scheduled Task/Job: Scheduled Task (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
2816 | schtasks.exe
-
Suspicious behavior: EnumeratesProcesses (3 IoCs)
pid | Process
2864 | acbd111f6e01f7a02777bf50b95d61a352d476f031e7421f1fb356454a81e4e2.exe
2848 | powershell.exe
2944 | powershell.exe
-
Suspicious use of AdjustPrivilegeToken (3 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 2864 | acbd111f6e01f7a02777bf50b95d61a352d476f031e7421f1fb356454a81e4e2.exe
Token: SeDebugPrivilege | 2848 | powershell.exe
Token: SeDebugPrivilege | 2944 | powershell.exe
-
Suspicious use of WriteProcessMemory (29 IoCs)
description | pid | Process | procid_target
PID 1956 wrote to memory of 2944 | 1956 | acbd111f6e01f7a02777bf50b95d61a352d476f031e7421f1fb356454a81e4e2.exe | 31
PID 1956 wrote to memory of 2944 | 1956 | acbd111f6e01f7a02777bf50b95d61a352d476f031e7421f1fb356454a81e4e2.exe | 31
PID 1956 wrote to memory of 2944 | 1956 | acbd111f6e01f7a02777bf50b95d61a352d476f031e7421f1fb356454a81e4e2.exe | 31
PID 1956 wrote to memory of 2944 | 1956 | acbd111f6e01f7a02777bf50b95d61a352d476f031e7421f1fb356454a81e4e2.exe | 31
PID 1956 wrote to memory of 2848 | 1956 | acbd111f6e01f7a02777bf50b95d61a352d476f031e7421f1fb356454a81e4e2.exe | 33
PID 1956 wrote to memory of 2848 | 1956 | acbd111f6e01f7a02777bf50b95d61a352d476f031e7421f1fb356454a81e4e2.exe | 33
PID 1956 wrote to memory of 2848 | 1956 | acbd111f6e01f7a02777bf50b95d61a352d476f031e7421f1fb356454a81e4e2.exe | 33
PID 1956 wrote to memory of 2848 | 1956 | acbd111f6e01f7a02777bf50b95d61a352d476f031e7421f1fb356454a81e4e2.exe | 33
PID 1956 wrote to memory of 2816 | 1956 | acbd111f6e01f7a02777bf50b95d61a352d476f031e7421f1fb356454a81e4e2.exe | 34
PID 1956 wrote to memory of 2816 | 1956 | acbd111f6e01f7a02777bf50b95d61a352d476f031e7421f1fb356454a81e4e2.exe | 34
PID 1956 wrote to memory of 2816 | 1956 | acbd111f6e01f7a02777bf50b95d61a352d476f031e7421f1fb356454a81e4e2.exe | 34
PID 1956 wrote to memory of 2816 | 1956 | acbd111f6e01f7a02777bf50b95d61a352d476f031e7421f1fb356454a81e4e2.exe | 34
PID 1956 wrote to memory of 2864 | 1956 | acbd111f6e01f7a02777bf50b95d61a352d476f031e7421f1fb356454a81e4e2.exe | 37
PID 1956 wrote to memory of 2864 | 1956 | acbd111f6e01f7a02777bf50b95d61a352d476f031e7421f1fb356454a81e4e2.exe | 37
PID 1956 wrote to memory of 2864 | 1956 | acbd111f6e01f7a02777bf50b95d61a352d476f031e7421f1fb356454a81e4e2.exe | 37
PID 1956 wrote to memory of 2864 | 1956 | acbd111f6e01f7a02777bf50b95d61a352d476f031e7421f1fb356454a81e4e2.exe | 37
PID 1956 wrote to memory of 2864 | 1956 | acbd111f6e01f7a02777bf50b95d61a352d476f031e7421f1fb356454a81e4e2.exe | 37
PID 1956 wrote to memory of 2864 | 1956 | acbd111f6e01f7a02777bf50b95d61a352d476f031e7421f1fb356454a81e4e2.exe | 37
PID 1956 wrote to memory of 2864 | 1956 | acbd111f6e01f7a02777bf50b95d61a352d476f031e7421f1fb356454a81e4e2.exe | 37
PID 1956 wrote to memory of 2864 | 1956 | acbd111f6e01f7a02777bf50b95d61a352d476f031e7421f1fb356454a81e4e2.exe | 37
PID 1956 wrote to memory of 2864 | 1956 | acbd111f6e01f7a02777bf50b95d61a352d476f031e7421f1fb356454a81e4e2.exe | 37
PID 2864 wrote to memory of 1584 | 2864 | acbd111f6e01f7a02777bf50b95d61a352d476f031e7421f1fb356454a81e4e2.exe | 38
PID 2864 wrote to memory of 1584 | 2864 | acbd111f6e01f7a02777bf50b95d61a352d476f031e7421f1fb356454a81e4e2.exe | 38
PID 2864 wrote to memory of 1584 | 2864 | acbd111f6e01f7a02777bf50b95d61a352d476f031e7421f1fb356454a81e4e2.exe | 38
PID 2864 wrote to memory of 1584 | 2864 | acbd111f6e01f7a02777bf50b95d61a352d476f031e7421f1fb356454a81e4e2.exe | 38
PID 1584 wrote to memory of 1508 | 1584 | cmd.exe | 40
PID 1584 wrote to memory of 1508 | 1584 | cmd.exe | 40
PID 1584 wrote to memory of 1508 | 1584 | cmd.exe | 40
PID 1584 wrote to memory of 1508 | 1584 | cmd.exe | 40
Processes
- C:\Users\Admin\AppData\Local\Temp\acbd111f6e01f7a02777bf50b95d61a352d476f031e7421f1fb356454a81e4e2.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\acbd111f6e01f7a02777bf50b95d61a352d476f031e7421f1fb356454a81e4e2.exe"
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 1956
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (depth 2)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\acbd111f6e01f7a02777bf50b95d61a352d476f031e7421f1fb356454a81e4e2.exe"
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2944
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (depth 2)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\fVPvzzxLd.exe"
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2848
  - C:\Windows\SysWOW64\schtasks.exe (depth 2)
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\fVPvzzxLd" /XML "C:\Users\Admin\AppData\Local\Temp\tmp3BE8.tmp"
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID: 2816
  - C:\Users\Admin\AppData\Local\Temp\acbd111f6e01f7a02777bf50b95d61a352d476f031e7421f1fb356454a81e4e2.exe (depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\acbd111f6e01f7a02777bf50b95d61a352d476f031e7421f1fb356454a81e4e2.exe"
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 2864
    - C:\Windows\SysWOW64\cmd.exe (depth 3)
      Command line: "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\acbd111f6e01f7a02777bf50b95d61a352d476f031e7421f1fb356454a81e4e2.exe"
      - Deletes itself
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID: 1584
      - C:\Windows\SysWOW64\choice.exe (depth 4)
        Command line: choice /C Y /N /D Y /T 3
        - System Location Discovery: System Language Discovery
        PID: 1508
Network
MITRE ATT&CK Enterprise v15
Downloads
- (unnamed download)
  Filesize: 1KB
  MD5: 761890871f305c9c664ddd84185e6c24
  SHA1: 44cd782dbfde2d7435f406b2e101e4b521b2f2f8
  SHA256: 013e617a1d3db2bcf6d2b298be83131d363473bf19168daac2670aea527bacf2
  SHA512: 977f307ea1cf4c32731610a17aef132c2a7dd02f34b4cc14460fc82f68c69feb35d9238ea21129e75eee481ef6b463153e8d7b3d92255a6fd70170f3ba10152b
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
  Filesize: 7KB
  MD5: 26a8495ee501a28ad56fc015b0f06159
  SHA1: 889b4f55e91dcd048296e86d125dbaa645a9e1b1
  SHA256: b8454788dd4de48968b40f8a5e61a294426d7b9bbb2faa48edaa1c082f714c63
  SHA512: bbc2af652968ecad958ae1004a4d0092042235aa69d628c6c9eb3f7ac080c8a573ea7e862cee3de6587c35d6f90fc48ca9d6da3ecc19a8506e0a2c1795d4bec5