Analysis
- max time kernel: 134s
- max time network: 134s
- platform: windows10-2004_x64
- resource: win10v2004-20240611-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 26-06-2024 11:38
Static task
- static1

Behavioral task
- behavioral1
  Sample: Prouduct list Specifictions.exe
  Resource: win7-20240220-en

Behavioral task
- behavioral2
  Sample: Prouduct list Specifictions.exe
  Resource: win10v2004-20240611-en
General
- Target: Prouduct list Specifictions.exe
- Size: 521KB
- MD5: af1d3c171718d409ef0f95f16e283fee
- SHA1: 69c29639fc66369ef61ad5d391975c9cfdb8425e
- SHA256: d7d032114603854cf6ca28f5feedecc1589516fc9ce15406ec7aa9e3dc03fce0
- SHA512: 253965b25b543e1dade226d926e75d5b8f7abcfe828a6da2159a34f628bbec42d1ee7a7773c9e256fe62e7fbcb63cb023a71a058c58bafb65f440a0a6cd96eda
- SSDEEP: 12288:c5kndmzyv/ZZulFzzFRYa0uLYl1sKfJZVXyuRcOD/s:HngUZZeFl2bkYw4JjXh0
Malware Config

Extracted
- Family: snakekeylogger
- Protocol: smtp
- Host: valleycountysar.org
- Port: 26
- Username: [email protected]
- Password: i~~Ga+6_-~V*
Signatures

- Snake Keylogger
  Keylogger and Infostealer first seen in November 2020.

- Snake Keylogger payload (1 IoCs)
  Processes:
    resource   behavioral2/memory/2132-9-0x0000000000800000-0x0000000000826000-memory.dmp
    yara_rule  family_snakekeylogger

- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk where infostealers will often target it.

- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

- Accesses Microsoft Outlook profiles (1 TTPs, 3 IoCs)
  Processes: Prouduct list Specifictions.exe
    description / ioc / process
    Key opened  \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  Prouduct list Specifictions.exe
    Key opened  \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  Prouduct list Specifictions.exe
    Key opened  \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  Prouduct list Specifictions.exe

- Looks up external IP address via web service (1 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes:
    flow / ioc
    3  checkip.dyndns.org

- Suspicious use of SetThreadContext (1 IoCs)
  Processes: Prouduct list Specifictions.exe
    description / pid / process / target process
    PID 428 set thread context of 2132  428  Prouduct list Specifictions.exe  Prouduct list Specifictions.exe

- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes: Prouduct list Specifictions.exe
    pid / process
    2132  Prouduct list Specifictions.exe
    2132  Prouduct list Specifictions.exe

- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes: Prouduct list Specifictions.exe
    description / pid / process
    Token: SeDebugPrivilege  2132  Prouduct list Specifictions.exe

- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes: Prouduct list Specifictions.exe
    description / pid / process / target process
    PID 428 wrote to memory of 2132  428  Prouduct list Specifictions.exe  Prouduct list Specifictions.exe  (this row is recorded 8 times)

- outlook_office_path (1 IoCs)
  Processes: Prouduct list Specifictions.exe
    description / ioc / process
    Key opened  \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  Prouduct list Specifictions.exe

- outlook_win_path (1 IoCs)
  Processes: Prouduct list Specifictions.exe
    description / ioc / process
    Key opened  \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  Prouduct list Specifictions.exe
Processes

- [depth 1] C:\Users\Admin\AppData\Local\Temp\Prouduct list Specifictions.exe (PID 428)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Prouduct list Specifictions.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory

  - [depth 2] C:\Users\Admin\AppData\Local\Temp\Prouduct list Specifictions.exe (PID 2132, child of 428)
    Command line: "C:\Users\Admin\AppData\Local\Temp\Prouduct list Specifictions.exe"
    - Accesses Microsoft Outlook profiles
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path

- [depth 1] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4416,i,7869973516895866428,11647313872437892197,262144 --variations-seed-version --mojo-platform-channel-handle=3984 /prefetch:8
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Downloads

memory dump                                                      filesize
memory/428-0-0x0000000074E8E000-0x0000000074E8F000-memory.dmp    4KB
memory/428-1-0x00000000005B0000-0x0000000000638000-memory.dmp    544KB
memory/428-2-0x0000000005520000-0x0000000005AC4000-memory.dmp    5.6MB
memory/428-3-0x0000000005020000-0x00000000050B2000-memory.dmp    584KB
memory/428-4-0x0000000005150000-0x000000000515A000-memory.dmp    40KB
memory/428-5-0x00000000052A0000-0x00000000052F4000-memory.dmp    336KB
memory/428-6-0x0000000074E80000-0x0000000075630000-memory.dmp    7.7MB
memory/428-7-0x0000000005390000-0x000000000542C000-memory.dmp    624KB
memory/428-8-0x0000000005190000-0x0000000005198000-memory.dmp    32KB
memory/428-13-0x0000000074E80000-0x0000000075630000-memory.dmp   7.7MB
memory/2132-9-0x0000000000800000-0x0000000000826000-memory.dmp   152KB
memory/2132-10-0x0000000074E80000-0x0000000075630000-memory.dmp  7.7MB
memory/2132-11-0x0000000074E80000-0x0000000075630000-memory.dmp  7.7MB
memory/2132-14-0x00000000061B0000-0x0000000006200000-memory.dmp  320KB
memory/2132-15-0x00000000063D0000-0x0000000006592000-memory.dmp  1.8MB
memory/2132-16-0x0000000074E80000-0x0000000075630000-memory.dmp  7.7MB