Analysis
- max time kernel: 142s
- max time network: 148s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 27-06-2024 16:16
Tasks
- Static task static1
- Behavioral task behavioral1: sample "Product list Quotation.zip", resource win7-20240220-en
- Behavioral task behavioral2: sample "Product list Quotation.zip", resource win10v2004-20240611-en
- Behavioral task behavioral3: sample "Product list Quotation.exe", resource win7-20240611-en
- Behavioral task behavioral4: sample "Product list Quotation.exe", resource win10v2004-20240226-en
General
- Target: Product list Quotation.exe
- Size: 537KB
- MD5: f081e31b399dbf3450b468662bb4a124
- SHA1: 27385cfd3fc7796b33c2fa54e8728c67e39b44d2
- SHA256: e855e16a669ed33674c20481a0a80dc4c6b77e50c0091a1f852a655336a5dd1e
- SHA512: 97056229574e32de6e63162767fdf261bc7b5a3188c072dd0f416f238e46cb3a096d8f7dfc8b0c358f2c0156303910ebf67909f36fd350dc2de5201ce4184267
- SSDEEP: 12288:/F2QYt9sMIqiTxNEz3AcdYMGJv/v+CLuSn:t2QEv0jEjDEv/HLB
Malware Config
Extracted: snakekeylogger
- Protocol: smtp
- Host: mail.valleycountysar.org
- Port: 587
- Username: [email protected]
- Password: DKw(r0%wpbd]
- URL: http://103.130.147.85
Signatures
- Snake Keylogger
  Keylogger and Infostealer first seen in November 2020.
- Snake Keylogger payload (1 IoC)
  resource: behavioral4/memory/4696-9-0x0000000000400000-0x0000000000426000-memory.dmp, yara rule: family_snakekeylogger
- Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow 8, ioc: checkip.dyndns.org
- Suspicious use of SetThreadContext (1 IoC)
  PID 3076 (Product list Quotation.exe) set thread context of PID 4696 (Product list Quotation.exe)
- Program crash (1 IoC)
  PID 4996 (WerFault.exe), target PID 4696 (Product list Quotation.exe)
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  PID 4696 (Product list Quotation.exe)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeDebugPrivilege, PID 4696 (Product list Quotation.exe)
- Suspicious use of WriteProcessMemory (8 IoCs)
  PID 3076 (Product list Quotation.exe) wrote to memory of PID 4696 (Product list Quotation.exe), 8 times
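The WriteProcessMemory and SetThreadContext signatures above describe the classic hollowing sequence: the first instance (PID 3076) spawns a second copy of its own image (PID 4696), writes into it, then redirects its thread, after which the child, not the parent, holds the Snake Keylogger payload and performs the checkip.dyndns.org lookup. The script below is an added example, not part of the sandbox report, showing how that sequence can be flagged from a stream of API events. The event records, the field names and the list of IP-lookup hosts are constructed assumptions modelled on this report's PIDs and image names, not sandbox output.

```python
"""Flag same-image process hollowing and collect follow-on indicators.

Pattern (as recorded in the report above): a parent creates a child running
the same image, writes into the child at least once, then calls
SetThreadContext on it.  Everything below is constructed example data and
logic; it is not output of, or code from, the sandbox.
"""
from collections import defaultdict

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\Product list Quotation.exe"

# Constructed API-event stream (assumption: one dict per call, fields as named here).
EVENTS = [
    {"api": "CreateProcess", "pid": 3076, "target": 4696,
     "image": SAMPLE, "target_image": SAMPLE},
    # the report records eight WriteProcessMemory calls from 3076 into 4696
    *[{"api": "WriteProcessMemory", "pid": 3076, "target": 4696} for _ in range(8)],
    {"api": "SetThreadContext", "pid": 3076, "target": 4696},
    {"api": "AdjustPrivilegeToken", "pid": 4696, "privilege": "SeDebugPrivilege"},
    {"api": "DnsQuery", "pid": 4696, "host": "checkip.dyndns.org"},
    # benign baseline: a write into a child running a different image (no hollowing)
    {"api": "CreateProcess", "pid": 1000, "target": 1001,
     "image": r"C:\Windows\explorer.exe",
     "target_image": r"C:\Windows\System32\notepad.exe"},
    {"api": "WriteProcessMemory", "pid": 1000, "target": 1001},
]

# Assumption: a small allow-list of public "what is my IP" services to match on.
IP_LOOKUP_HOSTS = {"checkip.dyndns.org", "api.ipify.org", "icanhazip.com"}


def find_hollowing(events):
    """Return sorted (parent_pid, child_pid) pairs where the parent spawned a
    child with the same image, wrote into it, and set its thread context."""
    same_image = set()
    writes = defaultdict(int)
    ctx = set()
    for e in events:
        key = (e["pid"], e.get("target"))
        if e["api"] == "CreateProcess":
            if e["image"].lower() == e["target_image"].lower():
                same_image.add(key)
        elif e["api"] == "WriteProcessMemory":
            writes[key] += 1
        elif e["api"] == "SetThreadContext":
            ctx.add(key)
    return sorted(k for k in same_image if writes[k] > 0 and k in ctx)


def enrich(events, pairs):
    """For each flagged child, gather the indicators the report also lists:
    write count, SeDebugPrivilege adjustment, and external-IP lookups."""
    result = {}
    for parent, child in pairs:
        result[child] = {
            "write_count": sum(
                1 for e in events
                if e["api"] == "WriteProcessMemory"
                and e["pid"] == parent and e["target"] == child),
            "debug_privilege": any(
                e["api"] == "AdjustPrivilegeToken" and e["pid"] == child
                and e.get("privilege") == "SeDebugPrivilege" for e in events),
            "ip_lookup": sorted({
                e["host"] for e in events
                if e["api"] == "DnsQuery" and e["pid"] == child
                and e["host"] in IP_LOOKUP_HOSTS}),
        }
    return result


if __name__ == "__main__":
    pairs = find_hollowing(EVENTS)
    for child, info in enrich(EVENTS, pairs).items():
        print(f"hollowed child {child}: {info}")
```

The image-name comparison is what separates this from ordinary child-process writes (the explorer.exe to notepad.exe baseline is not flagged); in practice the write count alone is noisy, and the SetThreadContext call on a process the parent itself created is the stronger signal.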
Processes
- C:\Users\Admin\AppData\Local\Temp\Product list Quotation.exe
  "C:\Users\Admin\AppData\Local\Temp\Product list Quotation.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\Product list Quotation.exe
    "C:\Users\Admin\AppData\Local\Temp\Product list Quotation.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4696 -s 1492
      - Program crash
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 4696 -ip 4696
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3756 --field-trial-handle=2248,i,10247514684337323751,15511974759131734137,262144 --variations-seed-version /prefetch:8
Downloads
- memory/3076-6-0x0000000005A20000-0x0000000005A74000-memory.dmp (336KB)
- memory/3076-0-0x0000000074E4E000-0x0000000074E4F000-memory.dmp (4KB)
- memory/3076-2-0x0000000005C90000-0x0000000006234000-memory.dmp (5.6MB)
- memory/3076-3-0x00000000057E0000-0x0000000005872000-memory.dmp (584KB)
- memory/3076-4-0x0000000074E40000-0x00000000755F0000-memory.dmp (7.7MB)
- memory/3076-5-0x0000000005A10000-0x0000000005A1A000-memory.dmp (40KB)
- memory/3076-1-0x0000000000DA0000-0x0000000000E2C000-memory.dmp (560KB)
- memory/3076-7-0x0000000005B50000-0x0000000005BEC000-memory.dmp (624KB)
- memory/3076-13-0x0000000074E40000-0x00000000755F0000-memory.dmp (7.7MB)
- memory/3076-8-0x0000000005AA0000-0x0000000005AA8000-memory.dmp (32KB)
- memory/4696-9-0x0000000000400000-0x0000000000426000-memory.dmp (152KB)
- memory/4696-11-0x0000000074E40000-0x00000000755F0000-memory.dmp (7.7MB)
- memory/4696-10-0x0000000074E40000-0x00000000755F0000-memory.dmp (7.7MB)
- memory/4696-14-0x0000000074E40000-0x00000000755F0000-memory.dmp (7.7MB)