Analysis
-
max time kernel
121s -
max time network
135s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
09-12-2024 00:45
Static task
static1
Behavioral task
behavioral1
Sample
QUOTATION#00870.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
QUOTATION#00870.exe
Resource
win10v2004-20241007-en
General
-
Target
QUOTATION#00870.exe
-
Size
489KB
-
MD5
bcaf6fb2575efdf1334df47b0cb72622
-
SHA1
9cb5f2577cc721010eba85f06ecae540a6ddf46d
-
SHA256
5a9a4bb850b87e2e12608197e67e9f25cb2d85f802739f5d223407e10d658568
-
SHA512
353a9c4eecee8b99ec35863549a13fcaff73b8d95f6c592b1f4b356d06d67fa08466c58d3a86840615d3e3dc302d57ffebe2ae73fbe105ddaefc0aa758f94979
-
SSDEEP
12288:9roPi5P5h+KFiYudUZ0Gq8lucLcDil+s39Wo3y7NUYEUQyTzK8b6E8aFAA12:BoPizYyV0ncLsil+s39Wo6NUYhBTXb6p
Malware Config
Extracted
snakekeylogger
Protocol: smtp- Host:
mail.cepro.co.in - Port:
587 - Username:
[email protected] - Password:
2018@ce#03 - Email To:
[email protected]
Signatures
-
Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
-
Snake Keylogger payload 5 IoCs
resource yara_rule behavioral1/memory/2356-14-0x0000000000400000-0x0000000000426000-memory.dmp family_snakekeylogger behavioral1/memory/2356-12-0x0000000000400000-0x0000000000426000-memory.dmp family_snakekeylogger behavioral1/memory/2672-30-0x0000000000400000-0x0000000000426000-memory.dmp family_snakekeylogger behavioral1/memory/2672-28-0x0000000000400000-0x0000000000426000-memory.dmp family_snakekeylogger behavioral1/memory/2672-29-0x0000000000400000-0x0000000000426000-memory.dmp family_snakekeylogger -
Snakekeylogger family
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" QUOTATION#00870.exe -
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid Process 2944 powershell.exe -
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 regasm.exe Key opened \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 regasm.exe Key opened \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 regasm.exe -
description ioc Process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA QUOTATION#00870.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" QUOTATION#00870.exe -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 4 checkip.dyndns.org -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 1940 set thread context of 2672 1940 QUOTATION#00870.exe 35 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language regasm.exe -
Suspicious behavior: EnumeratesProcesses 3 IoCs
pid Process 2944 powershell.exe 2672 regasm.exe 2672 regasm.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 2944 powershell.exe Token: SeDebugPrivilege 2672 regasm.exe -
Suspicious use of WriteProcessMemory 30 IoCs
description pid Process procid_target PID 1940 wrote to memory of 2944 1940 QUOTATION#00870.exe 32 PID 1940 wrote to memory of 2944 1940 QUOTATION#00870.exe 32 PID 1940 wrote to memory of 2944 1940 QUOTATION#00870.exe 32 PID 1940 wrote to memory of 2356 1940 QUOTATION#00870.exe 34 PID 1940 wrote to memory of 2356 1940 QUOTATION#00870.exe 34 PID 1940 wrote to memory of 2356 1940 QUOTATION#00870.exe 34 PID 1940 wrote to memory of 2356 1940 QUOTATION#00870.exe 34 PID 1940 wrote to memory of 2356 1940 QUOTATION#00870.exe 34 PID 1940 wrote to memory of 2356 1940 QUOTATION#00870.exe 34 PID 1940 wrote to memory of 2356 1940 QUOTATION#00870.exe 34 PID 1940 wrote to memory of 2356 1940 QUOTATION#00870.exe 34 PID 1940 wrote to memory of 2672 1940 QUOTATION#00870.exe 35 PID 1940 wrote to memory of 2672 1940 QUOTATION#00870.exe 35 PID 1940 wrote to memory of 2672 1940 QUOTATION#00870.exe 35 PID 1940 wrote to memory of 2672 1940 QUOTATION#00870.exe 35 PID 1940 wrote to memory of 2672 1940 QUOTATION#00870.exe 35 PID 1940 wrote to memory of 2672 1940 QUOTATION#00870.exe 35 PID 1940 wrote to memory of 2672 1940 QUOTATION#00870.exe 35 PID 1940 wrote to memory of 2672 1940 QUOTATION#00870.exe 35 PID 1940 wrote to memory of 2672 1940 QUOTATION#00870.exe 35 PID 1940 wrote to memory of 2672 1940 QUOTATION#00870.exe 35 PID 1940 wrote to memory of 2672 1940 QUOTATION#00870.exe 35 PID 1940 wrote to memory of 2672 1940 QUOTATION#00870.exe 35 PID 1940 wrote to memory of 2812 1940 QUOTATION#00870.exe 36 PID 1940 wrote to memory of 2812 1940 QUOTATION#00870.exe 36 PID 1940 wrote to memory of 2812 1940 QUOTATION#00870.exe 36 PID 1940 wrote to memory of 2812 1940 QUOTATION#00870.exe 36 PID 1940 wrote to memory of 2812 1940 QUOTATION#00870.exe 36 PID 1940 wrote to memory of 2812 1940 QUOTATION#00870.exe 36 PID 1940 wrote to memory of 2812 1940 QUOTATION#00870.exe 36 -
System policy modification 1 TTPs 1 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" QUOTATION#00870.exe -
outlook_office_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 regasm.exe -
outlook_win_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 regasm.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\QUOTATION#00870.exe"C:\Users\Admin\AppData\Local\Temp\QUOTATION#00870.exe"1⤵
- UAC bypass
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1940 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\QUOTATION#00870.exe" -Force2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2944
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"2⤵PID:2356
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"2⤵
- Accesses Microsoft Outlook profiles
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:2672
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"2⤵PID:2812
-
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
1Disable or Modify Tools
1Modify Registry
2Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
2Credentials In Files
2