Analysis
- max time kernel: 118s
- max time network: 119s
- platform: windows7_x64
- resource: win7-20240611-en
- resource tags: arch:x64, arch:x86, image:win7-20240611-en, locale:en-us, os:windows7-x64, system
- submitted: 26-06-2024 01:05
Static task: static1
Behavioral task: behavioral1
- Sample: 1dbb7ac85b473b9e0cc79d2a523e88d98586642e60f3f9b21ba96fd73a1b6703.exe
- Resource: win7-20240611-en
Behavioral task: behavioral2
- Sample: 1dbb7ac85b473b9e0cc79d2a523e88d98586642e60f3f9b21ba96fd73a1b6703.exe
- Resource: win10v2004-20240611-en
General
- Target: 1dbb7ac85b473b9e0cc79d2a523e88d98586642e60f3f9b21ba96fd73a1b6703.exe
- Size: 557KB
- MD5: c6be69441366e75b3df4a9cea4c7545b
- SHA1: 26fa365d7607606558bed622bac78ac5c90aed3a
- SHA256: 1dbb7ac85b473b9e0cc79d2a523e88d98586642e60f3f9b21ba96fd73a1b6703
- SHA512: f15af4c55775dd8623eac9dcc7b85ac29303ec3df056ac237d76e4c9cee513934de483e44f3187940a009c7dc358ff8d5b6f5d624903b5ae8f2e2a98d3d393cb
- SSDEEP: 6144:kdiYBgjxxn1bbti1rMlNPOfgxF9Ld3Bo0f5ofnv+SsR7mO9dsGytWjqbAiZ8Xy7F:kajzn9dRVEvaR7l9dVO
Malware Config
Extracted: snakekeylogger
- Protocol: smtp
- Host: valleycountysar.org
- Port: 26
- Username: [email protected]
- Password: fY,FLoadtsiF
Signatures
- Snake Keylogger
  Keylogger and Infostealer first seen in November 2020.
- Snake Keylogger payload (5 IoCs)
  Processes:
  resource | yara_rule
  behavioral1/memory/2264-11-0x0000000000400000-0x0000000000426000-memory.dmp | family_snakekeylogger
  behavioral1/memory/2264-15-0x0000000000400000-0x0000000000426000-memory.dmp | family_snakekeylogger
  behavioral1/memory/2264-13-0x0000000000400000-0x0000000000426000-memory.dmp | family_snakekeylogger
  behavioral1/memory/2264-8-0x0000000000400000-0x0000000000426000-memory.dmp | family_snakekeylogger
  behavioral1/memory/2264-7-0x0000000000400000-0x0000000000426000-memory.dmp | family_snakekeylogger
- Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers. (5 IoCs)
  Processes:
  resource | yara_rule
  behavioral1/memory/2264-11-0x0000000000400000-0x0000000000426000-memory.dmp | INDICATOR_SUSPICIOUS_Binary_References_Browsers
  behavioral1/memory/2264-15-0x0000000000400000-0x0000000000426000-memory.dmp | INDICATOR_SUSPICIOUS_Binary_References_Browsers
  behavioral1/memory/2264-13-0x0000000000400000-0x0000000000426000-memory.dmp | INDICATOR_SUSPICIOUS_Binary_References_Browsers
  behavioral1/memory/2264-8-0x0000000000400000-0x0000000000426000-memory.dmp | INDICATOR_SUSPICIOUS_Binary_References_Browsers
  behavioral1/memory/2264-7-0x0000000000400000-0x0000000000426000-memory.dmp | INDICATOR_SUSPICIOUS_Binary_References_Browsers
- Detects executables referencing many email and collaboration clients. Observed in information stealers. (5 IoCs)
  Processes:
  resource | yara_rule
  behavioral1/memory/2264-11-0x0000000000400000-0x0000000000426000-memory.dmp | INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
  behavioral1/memory/2264-15-0x0000000000400000-0x0000000000426000-memory.dmp | INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
  behavioral1/memory/2264-13-0x0000000000400000-0x0000000000426000-memory.dmp | INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
  behavioral1/memory/2264-8-0x0000000000400000-0x0000000000426000-memory.dmp | INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
  behavioral1/memory/2264-7-0x0000000000400000-0x0000000000426000-memory.dmp | INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
- Detects executables with potential process hooking (5 IoCs)
  Processes:
  resource | yara_rule
  behavioral1/memory/2264-11-0x0000000000400000-0x0000000000426000-memory.dmp | INDICATOR_SUSPICIOUS_EXE_DotNetProcHook
  behavioral1/memory/2264-15-0x0000000000400000-0x0000000000426000-memory.dmp | INDICATOR_SUSPICIOUS_EXE_DotNetProcHook
  behavioral1/memory/2264-13-0x0000000000400000-0x0000000000426000-memory.dmp | INDICATOR_SUSPICIOUS_EXE_DotNetProcHook
  behavioral1/memory/2264-8-0x0000000000400000-0x0000000000426000-memory.dmp | INDICATOR_SUSPICIOUS_EXE_DotNetProcHook
  behavioral1/memory/2264-7-0x0000000000400000-0x0000000000426000-memory.dmp | INDICATOR_SUSPICIOUS_EXE_DotNetProcHook
- Deletes itself (1 IoCs)
  Processes:
  pid | process
  2828 | cmd.exe
- Looks up external IP address via web service (1 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes:
  flow | ioc
  4 | checkip.dyndns.org
- Suspicious use of SetThreadContext (1 IoCs)
  Processes:
  description | pid | process | target process
  PID 2648 set thread context of 2264 | 2648 | 1dbb7ac85b473b9e0cc79d2a523e88d98586642e60f3f9b21ba96fd73a1b6703.exe | 1dbb7ac85b473b9e0cc79d2a523e88d98586642e60f3f9b21ba96fd73a1b6703.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: EnumeratesProcesses (1 IoCs)
  Processes:
  pid | process
  2264 | 1dbb7ac85b473b9e0cc79d2a523e88d98586642e60f3f9b21ba96fd73a1b6703.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes:
  description | pid | process
  Token: SeDebugPrivilege | 2264 | 1dbb7ac85b473b9e0cc79d2a523e88d98586642e60f3f9b21ba96fd73a1b6703.exe
- Suspicious use of WriteProcessMemory (17 IoCs)
  Processes:
  description | pid | process | target process
  PID 2648 wrote to memory of 2264 | 2648 | 1dbb7ac85b473b9e0cc79d2a523e88d98586642e60f3f9b21ba96fd73a1b6703.exe | 1dbb7ac85b473b9e0cc79d2a523e88d98586642e60f3f9b21ba96fd73a1b6703.exe
  PID 2648 wrote to memory of 2264 | 2648 | 1dbb7ac85b473b9e0cc79d2a523e88d98586642e60f3f9b21ba96fd73a1b6703.exe | 1dbb7ac85b473b9e0cc79d2a523e88d98586642e60f3f9b21ba96fd73a1b6703.exe
  PID 2648 wrote to memory of 2264 | 2648 | 1dbb7ac85b473b9e0cc79d2a523e88d98586642e60f3f9b21ba96fd73a1b6703.exe | 1dbb7ac85b473b9e0cc79d2a523e88d98586642e60f3f9b21ba96fd73a1b6703.exe
  PID 2648 wrote to memory of 2264 | 2648 | 1dbb7ac85b473b9e0cc79d2a523e88d98586642e60f3f9b21ba96fd73a1b6703.exe | 1dbb7ac85b473b9e0cc79d2a523e88d98586642e60f3f9b21ba96fd73a1b6703.exe
  PID 2648 wrote to memory of 2264 | 2648 | 1dbb7ac85b473b9e0cc79d2a523e88d98586642e60f3f9b21ba96fd73a1b6703.exe | 1dbb7ac85b473b9e0cc79d2a523e88d98586642e60f3f9b21ba96fd73a1b6703.exe
  PID 2648 wrote to memory of 2264 | 2648 | 1dbb7ac85b473b9e0cc79d2a523e88d98586642e60f3f9b21ba96fd73a1b6703.exe | 1dbb7ac85b473b9e0cc79d2a523e88d98586642e60f3f9b21ba96fd73a1b6703.exe
  PID 2648 wrote to memory of 2264 | 2648 | 1dbb7ac85b473b9e0cc79d2a523e88d98586642e60f3f9b21ba96fd73a1b6703.exe | 1dbb7ac85b473b9e0cc79d2a523e88d98586642e60f3f9b21ba96fd73a1b6703.exe
  PID 2648 wrote to memory of 2264 | 2648 | 1dbb7ac85b473b9e0cc79d2a523e88d98586642e60f3f9b21ba96fd73a1b6703.exe | 1dbb7ac85b473b9e0cc79d2a523e88d98586642e60f3f9b21ba96fd73a1b6703.exe
  PID 2648 wrote to memory of 2264 | 2648 | 1dbb7ac85b473b9e0cc79d2a523e88d98586642e60f3f9b21ba96fd73a1b6703.exe | 1dbb7ac85b473b9e0cc79d2a523e88d98586642e60f3f9b21ba96fd73a1b6703.exe
  PID 2264 wrote to memory of 2828 | 2264 | 1dbb7ac85b473b9e0cc79d2a523e88d98586642e60f3f9b21ba96fd73a1b6703.exe | cmd.exe
  PID 2264 wrote to memory of 2828 | 2264 | 1dbb7ac85b473b9e0cc79d2a523e88d98586642e60f3f9b21ba96fd73a1b6703.exe | cmd.exe
  PID 2264 wrote to memory of 2828 | 2264 | 1dbb7ac85b473b9e0cc79d2a523e88d98586642e60f3f9b21ba96fd73a1b6703.exe | cmd.exe
  PID 2264 wrote to memory of 2828 | 2264 | 1dbb7ac85b473b9e0cc79d2a523e88d98586642e60f3f9b21ba96fd73a1b6703.exe | cmd.exe
  PID 2828 wrote to memory of 2568 | 2828 | cmd.exe | choice.exe
  PID 2828 wrote to memory of 2568 | 2828 | cmd.exe | choice.exe
  PID 2828 wrote to memory of 2568 | 2828 | cmd.exe | choice.exe
  PID 2828 wrote to memory of 2568 | 2828 | cmd.exe | choice.exe
Processes
- [level 1] C:\Users\Admin\AppData\Local\Temp\1dbb7ac85b473b9e0cc79d2a523e88d98586642e60f3f9b21ba96fd73a1b6703.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\1dbb7ac85b473b9e0cc79d2a523e88d98586642e60f3f9b21ba96fd73a1b6703.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - [level 2] C:\Users\Admin\AppData\Local\Temp\1dbb7ac85b473b9e0cc79d2a523e88d98586642e60f3f9b21ba96fd73a1b6703.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\1dbb7ac85b473b9e0cc79d2a523e88d98586642e60f3f9b21ba96fd73a1b6703.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - [level 3] C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\1dbb7ac85b473b9e0cc79d2a523e88d98586642e60f3f9b21ba96fd73a1b6703.exe"
      - Deletes itself
      - Suspicious use of WriteProcessMemory
      - [level 4] C:\Windows\SysWOW64\choice.exe
        Command line: choice /C Y /N /D Y /T 3
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
memory dump | Filesize
- memory/2264-7-0x0000000000400000-0x0000000000426000-memory.dmp | 152KB
- memory/2264-21-0x0000000074870000-0x0000000074F5E000-memory.dmp | 6.9MB
- memory/2264-13-0x0000000000400000-0x0000000000426000-memory.dmp | 152KB
- memory/2264-16-0x0000000074870000-0x0000000074F5E000-memory.dmp | 6.9MB
- memory/2264-20-0x0000000074870000-0x0000000074F5E000-memory.dmp | 6.9MB
- memory/2264-6-0x0000000000400000-0x0000000000426000-memory.dmp | 152KB
- memory/2264-11-0x0000000000400000-0x0000000000426000-memory.dmp | 152KB
- memory/2264-15-0x0000000000400000-0x0000000000426000-memory.dmp | 152KB
- memory/2264-19-0x0000000074870000-0x0000000074F5E000-memory.dmp | 6.9MB
- memory/2264-17-0x0000000074870000-0x0000000074F5E000-memory.dmp | 6.9MB
- memory/2264-8-0x0000000000400000-0x0000000000426000-memory.dmp | 152KB
- memory/2264-9-0x000000007EFDE000-0x000000007EFDF000-memory.dmp | 4KB
- memory/2264-5-0x0000000000400000-0x0000000000426000-memory.dmp | 152KB
- memory/2648-0-0x000000007487E000-0x000000007487F000-memory.dmp | 4KB
- memory/2648-1-0x0000000000F70000-0x0000000001002000-memory.dmp | 584KB
- memory/2648-18-0x0000000074870000-0x0000000074F5E000-memory.dmp | 6.9MB
- memory/2648-2-0x0000000000BB0000-0x0000000000C04000-memory.dmp | 336KB
- memory/2648-4-0x0000000000630000-0x0000000000638000-memory.dmp | 32KB
- memory/2648-3-0x0000000074870000-0x0000000074F5E000-memory.dmp | 6.9MB