Analysis
-
max time kernel
134s -
max time network
134s -
platform
windows10-2004_x64 -
resource
win10v2004-20240611-en -
resource tags
-
submitted
26-06-2024 11:38
General
-
Target
Prouduct list Specifictions.exe
-
Size
521KB
-
MD5
af1d3c171718d409ef0f95f16e283fee
-
SHA1
69c29639fc66369ef61ad5d391975c9cfdb8425e
-
SHA256
d7d032114603854cf6ca28f5feedecc1589516fc9ce15406ec7aa9e3dc03fce0
-
SHA512
253965b25b543e1dade226d926e75d5b8f7abcfe828a6da2159a34f628bbec42d1ee7a7773c9e256fe62e7fbcb63cb023a71a058c58bafb65f440a0a6cd96eda
-
SSDEEP
12288:c5kndmzyv/ZZulFzzFRYa0uLYl1sKfJZVXyuRcOD/s:HngUZZeFl2bkYw4JjXh0
Malware Config
Extracted
snakekeylogger
Protocol: smtp- Host:
valleycountysar.org - Port:
26 - Username:
[email protected] - Password:
i~~Ga+6_-~V*
Signatures
-
Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
-
Snake Keylogger payload 1 IoCs
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 8 IoCs
-
outlook_office_path 1 IoCs
-
outlook_win_path 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\Prouduct list Specifictions.exe"C:\Users\Admin\AppData\Local\Temp\Prouduct list Specifictions.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Prouduct list Specifictions.exe"C:\Users\Admin\AppData\Local\Temp\Prouduct list Specifictions.exe"2⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4416,i,7869973516895866428,11647313872437892197,262144 --variations-seed-version --mojo-platform-channel-handle=3984 /prefetch:81⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/428-8-0x0000000005190000-0x0000000005198000-memory.dmpFilesize
32KB
-
memory/428-6-0x0000000074E80000-0x0000000075630000-memory.dmpFilesize
7.7MB
-
memory/428-2-0x0000000005520000-0x0000000005AC4000-memory.dmpFilesize
5.6MB
-
memory/428-3-0x0000000005020000-0x00000000050B2000-memory.dmpFilesize
584KB
-
memory/428-0-0x0000000074E8E000-0x0000000074E8F000-memory.dmpFilesize
4KB
-
memory/428-5-0x00000000052A0000-0x00000000052F4000-memory.dmpFilesize
336KB
-
memory/428-1-0x00000000005B0000-0x0000000000638000-memory.dmpFilesize
544KB
-
memory/428-7-0x0000000005390000-0x000000000542C000-memory.dmpFilesize
624KB
-
memory/428-4-0x0000000005150000-0x000000000515A000-memory.dmpFilesize
40KB
-
memory/428-13-0x0000000074E80000-0x0000000075630000-memory.dmpFilesize
7.7MB
-
memory/2132-10-0x0000000074E80000-0x0000000075630000-memory.dmpFilesize
7.7MB
-
memory/2132-11-0x0000000074E80000-0x0000000075630000-memory.dmpFilesize
7.7MB
-
memory/2132-9-0x0000000000800000-0x0000000000826000-memory.dmpFilesize
152KB
-
memory/2132-14-0x00000000061B0000-0x0000000006200000-memory.dmpFilesize
320KB
-
memory/2132-15-0x00000000063D0000-0x0000000006592000-memory.dmpFilesize
1.8MB
-
memory/2132-16-0x0000000074E80000-0x0000000075630000-memory.dmpFilesize
7.7MB