Analysis

max time kernel: 121s
max time network: 122s
platform: windows7_x64
resource: win7-20240708-en
resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
submitted: 23-12-2024 20:35

Static task: static1
Behavioral task: behavioral1
  Sample: ddef9ddc5c621654d2cef10a8a1c2da7cc409784814a517f34c39c3dbd8c3e89.exe
  Resource: win7-20240708-en
Behavioral task: behavioral2
  Sample: ddef9ddc5c621654d2cef10a8a1c2da7cc409784814a517f34c39c3dbd8c3e89.exe
  Resource: win10v2004-20241007-en

The signatures, process tree and memory dumps below come from behavioral1 (Windows 7 x64); behavioral2 output is not included on this page.
General

Target: ddef9ddc5c621654d2cef10a8a1c2da7cc409784814a517f34c39c3dbd8c3e89.exe
Size: 740KB
MD5: 1d1f04d00aaa3f5ed89b903016d607f5
SHA1: 7f3bdbafbf3b9ad14d521cd1ba147b9992e13f6c
SHA256: ddef9ddc5c621654d2cef10a8a1c2da7cc409784814a517f34c39c3dbd8c3e89
SHA512: f1d2ea1fa7da308d8dd2fef8a3d19fcad9d271c20bf8dac2f577d6ae126cc7e0ca7e25aeef4f1fcf08592965b1eeea010d55d807cb38c097c143be648aa68981
SSDEEP: 12288:WyCWxQir2iN3ybI1a30EZvSIk3Um4Mm/E8eLtVvxG6s8pnIvXQX6xs27toeMPVRS:WWr1aCTEZaTT4MAE8IpGQOvRsaHMtY
Malware Config

Extracted family: snakekeylogger
Exfiltration channel: Telegram Bot API (sendMessage)
https://api.telegram.org/bot5402813712:AAG__8vfwqo_1K9XHIpxzTR9T7UW4raysO4/sendMessage?chat_id=5034680713

The URL embeds the operator's bot token (5402813712:AAG__...) and the destination chat_id (5034680713). The token is a working Bot API credential for that bot, so treat it as a credential as well as an IoC: share it redacted, and hunt on the bot id and chat_id rather than calling the API with it from analysis infrastructure.
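To turn the extracted config into something that can be hunted for and shared, the following added example (mine, not part of the report or of the sandbox's tooling) parses the Bot API URL into bot id, token, method and chat_id, produces a redacted copy of the URL, and derives proxy-log search strings. The URL is the one extracted above; the loose token regex and the proxy log lines are assumptions and constructed data.

```python
import re
from urllib.parse import parse_qs, urlsplit

# The exfiltration URL extracted from this sample (copied from the report above).
EXTRACTED_C2 = ("https://api.telegram.org/bot5402813712:AAG__8vfwqo_1K9XHIpxzTR9T7UW4raysO4"
                "/sendMessage?chat_id=5034680713")

# Bot API path shape: /bot<numeric bot id>:<secret>/<method>. Current Telegram tokens carry a
# 35-character secret; the {20,} lower bound is a deliberate assumption so odd tokens still parse.
_BOT_PATH = re.compile(r"^/bot(?P<bot_id>\d+):(?P<secret>[A-Za-z0-9_-]{20,})/(?P<method>\w+)$")

def parse_telegram_c2(url):
    """Split a Telegram Bot API URL into IoC fields; None if it is not one."""
    parts = urlsplit(url)
    if parts.scheme != "https" or parts.netloc.lower() != "api.telegram.org":
        return None
    m = _BOT_PATH.match(parts.path)
    if not m:
        return None
    query = parse_qs(parts.query)
    return {
        "bot_id": m["bot_id"],
        "token": f"{m['bot_id']}:{m['secret']}",   # the credential: never paste this into a ticket
        "method": m["method"],
        "chat_id": query.get("chat_id", [None])[0],
    }

def redact_token(url):
    """Keep the bot id (useful for pivoting) but blank the secret half of the token."""
    return re.sub(r"(/bot\d+:)[A-Za-z0-9_-]+", r"\1<REDACTED>", url)

def hunting_patterns(c2):
    """Substrings to search proxy, DNS or EDR network logs for.

    The bot id alone matches any method call by this bot, not just sendMessage;
    the chat_id catches other bots reporting to the same operator inbox."""
    return [f"api.telegram.org/bot{c2['bot_id']}:", f"chat_id={c2['chat_id']}"]

# Constructed proxy log lines (not from the report): the kind of IP lookup the sample makes,
# one exfil call by this bot, and one unrelated bot.
SAMPLE_PROXY_LOG = [
    "2024-12-23T20:36:02Z 10.0.0.7 GET http://checkip.dyndns.org/ 200",
    "2024-12-23T20:36:05Z 10.0.0.7 POST https://api.telegram.org/bot5402813712:"
    "AAG__8vfwqo_1K9XHIpxzTR9T7UW4raysO4/sendMessage 200",
    "2024-12-23T20:36:09Z 10.0.0.9 GET https://api.telegram.org/bot99:zzzzzzzzzzzzzzzzzzzzzzzz/getMe 200",
]

def scan_log(lines, patterns):
    """Return (line, matched pattern) pairs; a chat_id match without the bot id is still worth a look."""
    hits = []
    for line in lines:
        for p in patterns:
            if p in line:
                hits.append((line, p))
                break
    return hits

if __name__ == "__main__":
    c2 = parse_telegram_c2(EXTRACTED_C2)
    print(redact_token(EXTRACTED_C2))
    for line, pat in scan_log(SAMPLE_PROXY_LOG, hunting_patterns(c2)):
        print("HIT", pat, "<-", redact_token(line))
```

Feed scan_log the raw proxy export and print hits through redact_token so the secret never lands in the case notes; the checkip.dyndns.org lookup from the signatures below is too common to hunt on alone, but it is a useful second signal when it precedes a Telegram POST from the same host.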
Signatures

Snake Keylogger
Keylogger and Infostealer first seen in November 2020.

Snake Keylogger payload (5 IoCs)
  resource                                                                      yara_rule
  behavioral1/memory/1456-31-0x0000000000400000-0x0000000000426000-memory.dmp   family_snakekeylogger
  behavioral1/memory/1456-30-0x0000000000400000-0x0000000000426000-memory.dmp   family_snakekeylogger
  behavioral1/memory/1456-27-0x0000000000400000-0x0000000000426000-memory.dmp   family_snakekeylogger
  behavioral1/memory/1456-25-0x0000000000400000-0x0000000000426000-memory.dmp   family_snakekeylogger
  behavioral1/memory/1456-33-0x0000000000400000-0x0000000000426000-memory.dmp   family_snakekeylogger
All five hits are dumps of the same 0x26000-byte region at 0x400000 in PID 1456, the second instance of the sample (see the SetThreadContext and WriteProcessMemory signatures below). On this page the family rule fires only on these dumps, so the child's in-memory image is the copy to pull for static analysis.

Snakekeylogger family
Looks for VirtualBox Guest Additions in registry (2 TTPs, 1 IoC)
  description   ioc                                                                        Process
  Key opened    \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Oracle\VirtualBox Guest Additions    ddef9ddc5c621654d2cef10a8a1c2da7cc409784814a517f34c39c3dbd8c3e89.exe

Command and Scripting Interpreter: PowerShell (1 TTP, 2 IoCs)
Run PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes. Here both invocations add -ExclusionPath entries: one for the dropper in the user's Temp directory and one for C:\Users\Admin\AppData\Roaming\gSgZGgNYu.exe (see Processes).
  pid    Process
  2020   powershell.exe
  2736   powershell.exe

Looks for VMWare Tools registry key (2 TTPs, 1 IoC)
  description   ioc                                                               Process
  Key opened    \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\VMware, Inc.\VMware Tools    ddef9ddc5c621654d2cef10a8a1c2da7cc409784814a517f34c39c3dbd8c3e89.exe
The Wow6432Node paths show the sample runs as a 32-bit process on the x64 guest, which is also why its children start from C:\Windows\SysWOW64.

Checks BIOS information in registry (2 TTPs, 2 IoCs)
BIOS information is often read in order to detect sandboxing environments.
  description         ioc                                                            Process
  Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion   ddef9ddc5c621654d2cef10a8a1c2da7cc409784814a517f34c39c3dbd8c3e89.exe
  Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion    ddef9ddc5c621654d2cef10a8a1c2da7cc409784814a517f34c39c3dbd8c3e89.exe
Reads data files stored by FTP clients (2 TTPs)
Tries to access configuration files associated with programs like FileZilla.

Reads user/profile data of local email clients (2 TTPs)
Email clients store some user data on disk where infostealers will often target it.

Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Unsecured Credentials: Credentials In Files (1 TTP)
Steal credentials from unsecured files.

No individual IoCs are listed for these four signatures on this page.
Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
  description   ioc   Process
  Key opened    \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676   ddef9ddc5c621654d2cef10a8a1c2da7cc409784814a517f34c39c3dbd8c3e89.exe
  Key opened    \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676   ddef9ddc5c621654d2cef10a8a1c2da7cc409784814a517f34c39c3dbd8c3e89.exe
  Key opened    \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676   ddef9ddc5c621654d2cef10a8a1c2da7cc409784814a517f34c39c3dbd8c3e89.exe
The three keys are the Outlook 2013 (15.0), Outlook 2010 and earlier (Windows Messaging Subsystem) and Outlook 2016+ (16.0) profile locations; 9375CFF0413111d3B88A00104B2A6676 is the account-settings subkey that mail stealers read. The process doing this is PID 1456, the hollowed second instance (see Processes).

Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
  flow   ioc
  4      checkip.dyndns.org

Maps connected drives based on registry (3 TTPs, 2 IoCs)
Disk information is often read in order to detect sandboxing environments.
  description         ioc                                                       Process
  Key opened          \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum     ddef9ddc5c621654d2cef10a8a1c2da7cc409784814a517f34c39c3dbd8c3e89.exe
  Key value queried   \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0   ddef9ddc5c621654d2cef10a8a1c2da7cc409784814a517f34c39c3dbd8c3e89.exe
Suspicious use of SetThreadContext (1 IoC)
  description                           pid    Process                                                                  procid_target
  PID 2384 set thread context of 1456   2384   ddef9ddc5c621654d2cef10a8a1c2da7cc409784814a517f34c39c3dbd8c3e89.exe   38

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 5 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description   ioc                                                    Process
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   ddef9ddc5c621654d2cef10a8a1c2da7cc409784814a517f34c39c3dbd8c3e89.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   powershell.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   powershell.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   schtasks.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   ddef9ddc5c621654d2cef10a8a1c2da7cc409784814a517f34c39c3dbd8c3e89.exe
Scheduled Task/Job: Scheduled Task (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid    Process
  2260   schtasks.exe
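The Defender-exclusion PowerShell signature above and this scheduled-task signature are the two host-side actions a SOC can catch from process-creation telemetry alone. The following is an added example, not part of this report or of any sandbox tooling: it runs rule logic over Sysmon event 1 / Security 4688 style process-creation records. The first three records are the command lines from this report's process tree; the fourth (an administrator excluding a Program Files directory) is constructed for contrast, and the rule names, the user-writable path list and the severity scheme are my own choices.

```python
import re
from collections import defaultdict

# Process-creation records as a SIEM holds them. The first three are transcribed from this
# report's process tree; the fourth is a constructed admin-style exclusion for contrast.
SAMPLE_EVENTS = [
    {"pid": 2020, "ppid": 2384, "image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath '
                r'"C:\Users\Admin\AppData\Local\Temp\ddef9ddc5c621654d2cef10a8a1c2da7cc409784814a517f34c39c3dbd8c3e89.exe"'},
    {"pid": 2736, "ppid": 2384, "image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath '
                r'"C:\Users\Admin\AppData\Roaming\gSgZGgNYu.exe"'},
    {"pid": 2260, "ppid": 2384, "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmdline": r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gSgZGgNYu" /XML '
                r'"C:\Users\Admin\AppData\Local\Temp\tmp6BFC.tmp"'},
    {"pid": 4100, "ppid": 900, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'powershell.exe Add-MpPreference -ExclusionPath "C:\Program Files\VendorApp"'},  # constructed
]

# Locations a standard user can write to: an exclusion there shields exactly where droppers land.
USER_WRITABLE = re.compile(r"\\(AppData\\(Local|Roaming)|Users\\Public|ProgramData|Temp)\\", re.I)
ADD_MP = re.compile(r"\bAdd-MpPreference\b", re.I)
EXCLUSION = re.compile(r'-Exclusion(Path|Process|Extension)\s+(?:"([^"]+)"|(\S+))', re.I)
SCHTASKS_CREATE = re.compile(r'/Create\b.*?/TN\s+(?:"([^"]+)"|(\S+)).*?/XML\s+(?:"([^"]+)"|(\S+))', re.I)

def analyze(events):
    """One finding per suspicious record; the severity labels are a local choice, not a vendor scale."""
    findings = []
    for ev in events:
        cmd = ev["cmdline"]
        if ADD_MP.search(cmd):
            for m in EXCLUSION.finditer(cmd):
                kind, value = m.group(1), m.group(2) or m.group(3)
                findings.append({
                    "rule": "defender_exclusion", "pid": ev["pid"], "ppid": ev["ppid"],
                    "kind": kind, "value": value,
                    "severity": "high" if USER_WRITABLE.search(value) else "medium",
                })
        m = SCHTASKS_CREATE.search(cmd)
        if m and ev["image"].lower().endswith("schtasks.exe"):
            task = m.group(1) or m.group(2)
            xml = m.group(3) or m.group(4)
            findings.append({
                "rule": "schtasks_create", "pid": ev["pid"], "ppid": ev["ppid"],
                "task": task, "xml": xml,
                # A task definition fed from Temp is almost always malware-authored; the temp file
                # is usually gone by the time IR arrives, but the registered copy persists.
                "severity": "high" if USER_WRITABLE.search(xml) else "low",
                "collect": r"C:\Windows\System32\Tasks" + "\\" + task,
            })
    return findings

def correlate_by_parent(findings):
    """Parents that both carved a Defender hole and registered a task: the PID 2384 pattern here."""
    rules_by_parent = defaultdict(set)
    for f in findings:
        rules_by_parent[f["ppid"]].add(f["rule"])
    return sorted(p for p, rules in rules_by_parent.items()
                  if {"defender_exclusion", "schtasks_create"} <= rules)

if __name__ == "__main__":
    found = analyze(SAMPLE_EVENTS)
    for f in found:
        print(f["severity"].upper(), f["rule"], f["pid"], f.get("value") or f.get("task"))
    print("parents with self-defense + persistence:", correlate_by_parent(found))
```

On a live host the same two facts can be confirmed without process telemetry: Get-MpPreference lists ExclusionPath, the Microsoft-Windows-Windows Defender/Operational log records each configuration change as event 5007, and the registered task survives as XML under C:\Windows\System32\Tasks\Updates\gSgZGgNYu after tmp6BFC.tmp is gone.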
Suspicious behavior: EnumeratesProcesses (3 IoCs)
  pid    Process
  2020   powershell.exe
  2736   powershell.exe
  1456   ddef9ddc5c621654d2cef10a8a1c2da7cc409784814a517f34c39c3dbd8c3e89.exe

Suspicious use of AdjustPrivilegeToken (3 IoCs)
  description               pid    Process
  Token: SeDebugPrivilege   2020   powershell.exe
  Token: SeDebugPrivilege   2736   powershell.exe
  Token: SeDebugPrivilege   1456   ddef9ddc5c621654d2cef10a8a1c2da7cc409784814a517f34c39c3dbd8c3e89.exe
Suspicious use of WriteProcessMemory (21 IoCs)
  description                        pid    Process                                                                  procid_target   calls
  PID 2384 wrote to memory of 2020   2384   ddef9ddc5c621654d2cef10a8a1c2da7cc409784814a517f34c39c3dbd8c3e89.exe   31              4
  PID 2384 wrote to memory of 2736   2384   ddef9ddc5c621654d2cef10a8a1c2da7cc409784814a517f34c39c3dbd8c3e89.exe   34              4
  PID 2384 wrote to memory of 2260   2384   ddef9ddc5c621654d2cef10a8a1c2da7cc409784814a517f34c39c3dbd8c3e89.exe   35              4
  PID 2384 wrote to memory of 1456   2384   ddef9ddc5c621654d2cef10a8a1c2da7cc409784814a517f34c39c3dbd8c3e89.exe   38              9
The 21 rows on the page are separate calls and collapse to the four targets above. Each of the three helper children (two powershell.exe, one schtasks.exe) receives the same four writes; the second instance of the sample receives nine and is also the SetThreadContext target, which is the hollowing pattern the YARA hits at 0x400000 in PID 1456 confirm.
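Taken together, the SetThreadContext and WriteProcessMemory signatures, the process tree (PID 1456 is a second copy of the sample spawned by PID 2384) and the YARA hits at 0x400000 in PID 1456 describe process hollowing of the sample's own image. The following added example (mine, not the sandbox's code) encodes that correlation so it can be applied to other reports or to EDR telemetry. All PIDs, images, call counts and addresses are transcribed from this page; the CreateProcess write baseline of four calls, the default image base and the three-signal threshold are assumptions.

```python
SAMPLE = "ddef9ddc5c621654d2cef10a8a1c2da7cc409784814a517f34c39c3dbd8c3e89.exe"
TEMP_DIR = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"

# Process tree as the report lists it: pid -> parent pid and image path.
PROCESSES = {
    2384: {"ppid": None, "image": TEMP_DIR + SAMPLE},
    2020: {"ppid": 2384, "image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"},
    2736: {"ppid": 2384, "image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"},
    2260: {"ppid": 2384, "image": r"C:\Windows\SysWOW64\schtasks.exe"},
    1456: {"ppid": 2384, "image": TEMP_DIR + SAMPLE},
}
# "PID x wrote to memory of y" rows collapsed to counts: 4 + 4 + 4 + 9 = the 21 IoCs on the page.
WRITES = {(2384, 2020): 4, (2384, 2736): 4, (2384, 2260): 4, (2384, 1456): 9}
SET_THREAD_CONTEXT = [(2384, 1456)]
# YARA hits on memory dumps: (pid, start, end, rule). The page has five dumps of this one region.
YARA_HITS = [(1456, 0x400000, 0x426000, "family_snakekeylogger")]

# Assumption: every ordinary CreateProcess shows up as a handful of WriteProcessMemory calls
# (process parameters and the like), so only writes beyond that baseline count as evidence.
CREATEPROCESS_BASELINE = 4
DEFAULT_IMAGE_BASE = 0x400000  # usual image base of a non-relocated 32-bit PE (assumption)

def hollowing_candidates(processes, writes, set_ctx, yara_hits, baseline=CREATEPROCESS_BASELINE):
    """Score each (writer, target) pair for the self-hollowing pattern in this report.

    A pair becomes a candidate when at least three of four signals line up: the target is a fresh
    child running the writer's own image, the write count exceeds the CreateProcess baseline, the
    writer changed the target's thread context, and a family rule matched at the target's image base."""
    ctx_pairs = set(set_ctx)
    out = []
    for (src, dst), n in writes.items():
        evidence = []
        child, parent = processes.get(dst, {}), processes.get(src, {})
        if child.get("ppid") == src and child.get("image") == parent.get("image"):
            evidence.append("target is a fresh child running the writer's own image")
        if n > baseline:
            evidence.append(f"{n} WriteProcessMemory calls, {n - baseline} above the CreateProcess baseline")
        if (src, dst) in ctx_pairs:
            evidence.append("writer called SetThreadContext on the target (entry point redirected)")
        for pid, start, end, rule in yara_hits:
            if pid == dst and start == DEFAULT_IMAGE_BASE:
                size = end - start
                evidence.append(f"{rule} matched at the target's image base, {size:#x} ({size} bytes) mapped")
        if len(evidence) >= 3:
            out.append({"parent": src, "child": dst,
                        "verdict": "process hollowing (RunPE) of own image", "evidence": evidence})
    return out

if __name__ == "__main__":
    for c in hollowing_candidates(PROCESSES, WRITES, SET_THREAD_CONTEXT, YARA_HITS):
        print(f"{c['verdict']}: PID {c['parent']} -> PID {c['child']}")
        for e in c["evidence"]:
            print("  -", e)
```

The 0x26000-byte (155648-byte) region is the image to dump from PID 1456 for static analysis, since on this page the family rule fires only on those dumps and not on the 740KB file. The baseline of four writes per child is taken from the three helper children in this very report; on EDR data the number varies by OS and should be measured on known-good process starts, not assumed.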
outlook_office_path (1 IoC)
  description   ioc   Process
  Key opened    \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676   ddef9ddc5c621654d2cef10a8a1c2da7cc409784814a517f34c39c3dbd8c3e89.exe

outlook_win_path (1 IoC)
  description   ioc   Process
  Key opened    \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676   ddef9ddc5c621654d2cef10a8a1c2da7cc409784814a517f34c39c3dbd8c3e89.exe
Processes

C:\Users\Admin\AppData\Local\Temp\ddef9ddc5c621654d2cef10a8a1c2da7cc409784814a517f34c39c3dbd8c3e89.exe  (PID 2384)
  command line: "C:\Users\Admin\AppData\Local\Temp\ddef9ddc5c621654d2cef10a8a1c2da7cc409784814a517f34c39c3dbd8c3e89.exe"
  - Looks for VirtualBox Guest Additions in registry
  - Looks for VMWare Tools registry key
  - Checks BIOS information in registry
  - Maps connected drives based on registry
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  (PID 2020, child of 2384)
    command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\ddef9ddc5c621654d2cef10a8a1c2da7cc409784814a517f34c39c3dbd8c3e89.exe"
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  (PID 2736, child of 2384)
    command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\gSgZGgNYu.exe"
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\schtasks.exe  (PID 2260, child of 2384)
    command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gSgZGgNYu" /XML "C:\Users\Admin\AppData\Local\Temp\tmp6BFC.tmp"
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task

  C:\Users\Admin\AppData\Local\Temp\ddef9ddc5c621654d2cef10a8a1c2da7cc409784814a517f34c39c3dbd8c3e89.exe  (PID 1456, child of 2384)
    command line: "C:\Users\Admin\AppData\Local\Temp\ddef9ddc5c621654d2cef10a8a1c2da7cc409784814a517f34c39c3dbd8c3e89.exe"
    - Accesses Microsoft Outlook profiles
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path

Reading the tree: the children's image paths sit under C:\Windows\SysWOW64 although their command lines name System32, which is the file-system redirection a 32-bit parent gets on x64. The exclusion for C:\Users\Admin\AppData\Roaming\gSgZGgNYu.exe and the task name Updates\gSgZGgNYu both point at a file that does not appear in the Downloads list on this page, so it must be collected from the host. PID 1456 is the hollowed second instance: it carries the Snake Keylogger payload (the YARA hits) and is the process that reads the Outlook profiles.
Network
MITRE ATT&CK Enterprise v15

Execution
  Command and Scripting Interpreter (1)
    PowerShell (1)
  Scheduled Task/Job (1)
    Scheduled Task (1)
Credential Access
  Credentials from Password Stores (1)
    Credentials from Web Browsers (1)
  Unsecured Credentials (4)
    Credentials In Files (4)
Downloads

(no path listed on this page)
  Filesize: 1KB
  MD5: f4d5f6e0216a9f5d95b406d443e2c2ae
  SHA1: 8b2f3d08ad8efac32062b5756f175da10e509f14
  SHA256: b5c9e52001c854048ebe9b952eb27edd5b657dde43796b53fdf7342e488b1765
  SHA512: 17346b28648a34935b103d7b4fac6dd20231644d1f405d6a5106ee6be4f4e9fb637e8b97f8250ee328382c051724d26f214fb1dd913e6d95d1967eafc9f06005

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
  Filesize: 7KB
  MD5: b88f404f7fa55670a8b5cb0260d1e954
  SHA1: 80adf1f84c0bed88daf7dc7395ce81aae0711e37
  SHA256: 4d31bc191494e689e3eafd0845118ea2576f36c1b2d4444b2836a969fc76d169
  SHA512: f40454ca238857c497aa100573408cf0e7709798a05dd7af84a99016213a3f6cb4f8f5ae17faed67eabf2bb38f85730f8d43c7ee933867b5402972e4a86c8af9

The customDestinations-ms file is a Windows jump-list artifact maintained by the shell, not a payload the sample wrote. Neither C:\Users\Admin\AppData\Roaming\gSgZGgNYu.exe nor the task definition C:\Users\Admin\AppData\Local\Temp\tmp6BFC.tmp appears in this list, so both should be collected from the host; the registered task itself persists under C:\Windows\System32\Tasks\Updates\gSgZGgNYu even if the temp XML has been deleted.