Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    129s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    21/01/2025, 22:09

General

  • Target

    bad1.exe

  • Size

    40.2MB

  • MD5

    3de1b681a7e0bd3ab0eab17397e71d67

  • SHA1

    38af65d2a7153862c97f6549be6808263a41d37a

  • SHA256

    c4f91a3c477d6c7ff7957ee33d1729d3df95c1903416cdc830c4178fd597c8b1

  • SHA512

    68833e4c0c51c98ab5e7b1316653471ff69bdf5b208007b40f8d6b647f193fe84a0b0413e46018fba77b53a2ce327276289cbd21cc54dc28dcb4df31383d5407

  • SSDEEP

    393216:q76L6otUitqtH7wHtXq2pt2jbOCacCFIK0fpP9HF4VW8yfwnVQx4urYsANulL7NO:q0LoCOn+2ws4urYDNulLBiua

Malware Config

Extracted

Family

snakekeylogger

Credentials
C2

https://scratchdreams.tk

Signatures

  • Snake Keylogger

    Keylogger and Infostealer first seen in November 2020.

  • Snake Keylogger payload 1 IoCs
  • Snakekeylogger family
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 6 IoCs
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses Microsoft Outlook profiles 1 TTPs 15 IoCs
  • Adds Run key to start application 2 TTPs 5 IoCs
  • Looks up external IP address via web service 7 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 5 IoCs
  • Drops file in Windows directory 11 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\bad1.exe
    "C:\Users\Admin\AppData\Local\Temp\bad1.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1476
    • C:\Users\Admin\AppData\Local\Temp\82e41998ea7cc85f2b42c3b1a7a08420\POF9876789.exe
      C:\Users\Admin\AppData\Local\Temp\82e41998ea7cc85f2b42c3b1a7a08420\POF9876789.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of SetThreadContext
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2072
      • C:\Windows\SYSTEM32\cmd.exe
        "cmd.exe" /C cmd.exe /C reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "POF9876789" /t REG_SZ /d "cmd.exe /C start \"\" /D \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\" \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\POF9876789.exe\"" /f
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3460
        • C:\Windows\system32\cmd.exe
          cmd.exe /C reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "POF9876789" /t REG_SZ /d "cmd.exe /C start \"\" /D \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\" \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\POF9876789.exe\"" /f
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:1104
          • C:\Windows\system32\reg.exe
            reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "POF9876789" /t REG_SZ /d "cmd.exe /C start \"\" /D \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\" \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\POF9876789.exe\"" /f
            5⤵
            • Adds Run key to start application
            PID:3860
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
        3⤵
          PID:3972
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"
          3⤵
            PID:1668
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"
            3⤵
              PID:3596
            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
              "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
              3⤵
              • Accesses Microsoft Outlook profiles
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:4356
            • C:\Windows\SYSTEM32\cmd.exe
              "cmd.exe" /C cmd.exe /C reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "POF9876789" /t REG_SZ /d "cmd.exe /C start \"\" /D \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\" \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\POF9876789.exe\"" /f
              3⤵
              • Suspicious use of WriteProcessMemory
              PID:3856
              • C:\Windows\system32\cmd.exe
                cmd.exe /C reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "POF9876789" /t REG_SZ /d "cmd.exe /C start \"\" /D \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\" \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\POF9876789.exe\"" /f
                4⤵
                • Suspicious use of WriteProcessMemory
                PID:1780
                • C:\Windows\system32\reg.exe
                  reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "POF9876789" /t REG_SZ /d "cmd.exe /C start \"\" /D \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\" \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\POF9876789.exe\"" /f
                  5⤵
                  • Adds Run key to start application
                  PID:4044
            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
              "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
              3⤵
              • Accesses Microsoft Outlook profiles
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:1236
            • C:\Windows\SYSTEM32\cmd.exe
              "cmd.exe" /C cmd.exe /C reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "POF9876789" /t REG_SZ /d "cmd.exe /C start \"\" /D \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\" \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\POF9876789.exe\"" /f
              3⤵
              • Suspicious use of WriteProcessMemory
              PID:4252
              • C:\Windows\system32\cmd.exe
                cmd.exe /C reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "POF9876789" /t REG_SZ /d "cmd.exe /C start \"\" /D \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\" \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\POF9876789.exe\"" /f
                4⤵
                • Suspicious use of WriteProcessMemory
                PID:1848
                • C:\Windows\system32\reg.exe
                  reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "POF9876789" /t REG_SZ /d "cmd.exe /C start \"\" /D \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\" \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\POF9876789.exe\"" /f
                  5⤵
                  • Adds Run key to start application
                  PID:4824
            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
              "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
              3⤵
                PID:4884
              • C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
                "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"
                3⤵
                • Accesses Microsoft Outlook profiles
                • System Location Discovery: System Language Discovery
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                • outlook_office_path
                • outlook_win_path
                PID:3200
              • C:\Windows\SYSTEM32\cmd.exe
                "cmd.exe" /C cmd.exe /C reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "POF9876789" /t REG_SZ /d "cmd.exe /C start \"\" /D \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\" \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\POF9876789.exe\"" /f
                3⤵
                • Suspicious use of WriteProcessMemory
                PID:1316
                • C:\Windows\system32\cmd.exe
                  cmd.exe /C reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "POF9876789" /t REG_SZ /d "cmd.exe /C start \"\" /D \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\" \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\POF9876789.exe\"" /f
                  4⤵
                  • Suspicious use of WriteProcessMemory
                  PID:4204
                  • C:\Windows\system32\reg.exe
                    reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "POF9876789" /t REG_SZ /d "cmd.exe /C start \"\" /D \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\" \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\POF9876789.exe\"" /f
                    5⤵
                    • Adds Run key to start application
                    PID:2020
              • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
                3⤵
                • Accesses Microsoft Outlook profiles
                • System Location Discovery: System Language Discovery
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:4244
              • C:\Windows\SYSTEM32\cmd.exe
                "cmd.exe" /C cmd.exe /C reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "POF9876789" /t REG_SZ /d "cmd.exe /C start \"\" /D \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\" \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\POF9876789.exe\"" /f
                3⤵
                  PID:4628
                  • C:\Windows\system32\cmd.exe
                    cmd.exe /C reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "POF9876789" /t REG_SZ /d "cmd.exe /C start \"\" /D \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\" \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\POF9876789.exe\"" /f
                    4⤵
                      PID:4164
                      • C:\Windows\system32\reg.exe
                        reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "POF9876789" /t REG_SZ /d "cmd.exe /C start \"\" /D \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\" \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\POF9876789.exe\"" /f
                        5⤵
                        • Adds Run key to start application
                        PID:4112
                  • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
                    3⤵
                    • Accesses Microsoft Outlook profiles
                    • System Location Discovery: System Language Discovery
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of AdjustPrivilegeToken
                    PID:5004

              Network

              MITRE ATT&CK Enterprise v15

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • C:\Users\Admin\AppData\Local\Temp\82e41998ea7cc85f2b42c3b1a7a08420\POF9876789.exe

                Filesize

                62KB

                MD5

                57296766561adde4b9adacb0f84b883e

                SHA1

                a7383bf36ea3fd927d7f0e9edc2e8873331457d8

                SHA256

                d095e391f258ed240552f8e8c10896f93ca0aec46026cca019026fd5616ead7f

                SHA512

                da97a72c780111276f7cd80bb48605b4fa5d89daf15dc654c2cbba2c08b53eb011718811f55f16f78ecdefadc0a75b169e8a587e70044edaf57c16bb63ed0efc

              • C:\Users\Admin\AppData\Local\Temp\82e41998ea7cc85f2b42c3b1a7a08420\Qt5Core.dll

                Filesize

                3.7MB

                MD5

                8387e3b95622dc8a33b075e469ad05c6

                SHA1

                2072a252a08129956493529842a68da552ceb7a9

                SHA256

                3c13f14d7174ce0546f2ef72782b933a7101e599732e16dbe11def0659e16f01

                SHA512

                1f9f0d878a643b8ba7965f52dbdbbcfdbaa423e3af2b644945c2d03f65c3bc056b2c165dd9610583a6562d49ae3174fda94145c062ae2898709afed285e386cb

              • C:\Users\Admin\AppData\Local\Temp\82e41998ea7cc85f2b42c3b1a7a08420\libgcc_s_seh-1.dll

                Filesize

                74KB

                MD5

                534b365361004828059600f05b34006d

                SHA1

                d8ff411b0939a021f47c845c6a90f1240bab5268

                SHA256

                438ae82ffd621a2413199155574cc85681f8986f05420b1485aa4be936c3bc0b

                SHA512

                1ccb3732a82f2fedca85c27afdd48e65dde70d5b1620e436d457624a2cb796887c5e7dc2983a0794ebbbcade3e5b9f9fc9320b390894471993c7b1e85268592d

              • C:\Users\Admin\AppData\Local\Temp\82e41998ea7cc85f2b42c3b1a7a08420\libstdc++-6.dll

                Filesize

                1.4MB

                MD5

                58f1c3e85a3714b9f5441c9b513e08bb

                SHA1

                4e30e2bd5917754cf2d4f8bd30b28f7ef9505a23

                SHA256

                72ce15df7c50e8d0ca57701b0b37394942e5348654505fcb993873b515dfd1d0

                SHA512

                7b52fcd6b0b76ef192c107a7a2e0a2144eda045988b46939c5a7eff87477b4cdc5c38557a0f467b6e27fc9fb55b2b679bd00c4fc36dfa015cf471cc7f0232836

              • C:\Users\Admin\AppData\Local\Temp\82e41998ea7cc85f2b42c3b1a7a08420\libwinpthread-1.dll

                Filesize

                51KB

                MD5

                db18b7ec5f93127e6099744ea9568c1b

                SHA1

                e9143c76e308a816837e2f1a19dd0c5e2306ed08

                SHA256

                5bbef249a0d00e2d32c699d0bbe89f714ebeb872b3990a5cbeccb1d89f63e5e8

                SHA512

                ee1e645bed0bc3ad9e959d6342153e608ad21a7f5aef60b4cd8cc96fde7aeec4bbbb7474b59cab8ced8f28dc9f66cab32f4825333c891524901dcc40e70a1580

              • memory/1236-48-0x0000000005AC0000-0x0000000006064000-memory.dmp

                Filesize

                5.6MB

              • memory/2072-54-0x0000000064940000-0x0000000064955000-memory.dmp

                Filesize

                84KB

              • memory/2072-53-0x0000000061440000-0x000000006145A000-memory.dmp

                Filesize

                104KB

              • memory/2072-52-0x000000006FC40000-0x000000006FDA3000-memory.dmp

                Filesize

                1.4MB

              • memory/2072-51-0x0000000000400000-0x0000000000412000-memory.dmp

                Filesize

                72KB

              • memory/4244-55-0x0000000000D40000-0x0000000000D90000-memory.dmp

                Filesize

                320KB

              • memory/4244-56-0x00000000060B0000-0x0000000006272000-memory.dmp

                Filesize

                1.8MB

              • memory/4244-57-0x0000000005F80000-0x0000000006012000-memory.dmp

                Filesize

                584KB

              • memory/4244-58-0x0000000004F50000-0x0000000004F5A000-memory.dmp

                Filesize

                40KB

              • memory/4356-49-0x0000000004E50000-0x0000000004EEC000-memory.dmp

                Filesize

                624KB

              • memory/4356-24-0x0000000000400000-0x0000000000426000-memory.dmp

                Filesize

                152KB