Analysis
- max time kernel: 119s
- max time network: 122s
- platform: windows7_x64
- resource: win7-20240419-en
- resource tags: arch:x64, arch:x86, image:win7-20240419-en, locale:en-us, os:windows7-x64, system
- submitted: 27-06-2024 17:05
- Static task static1
- Behavioral task behavioral1: sample CTM BREAKDOWN.zip, resource win7-20240508-en
- Behavioral task behavioral2: sample CTM BREAKDOWN.zip, resource win10v2004-20240508-en
- Behavioral task behavioral3: sample CTM BREAKDOWN.exe, resource win7-20240419-en
- Behavioral task behavioral4: sample CTM BREAKDOWN.exe, resource win10v2004-20240508-en
General
- Target: CTM BREAKDOWN.exe
- Size: 537KB
- MD5: 3e97c23c4c1c6f721c910c08e25a60cc
- SHA1: d92304392377198b3b3cd95aa8de1572d75d7fb8
- SHA256: 4e2186d44f67e0ebc4ee9ecd68191b31849604930dd5babe6106e1e191b7874c
- SHA512: 6a2007d1a0660bb53f4a191b662241b8242e5e2e3ab6e220735da068cb69a6259465d2f5b5e533bdf3f4b36a7fde5edd75c4962afbb43edd8e39f151e2b3dbb5
- SSDEEP: 12288:/sdrEx695u8R6GfeZPrTxegfLiAUR0Jv/v+HLuSn:0drEsTu8kGfeZzTxegfmlUv/CLB
Malware Config
Extracted family: snakekeylogger
- Protocol: smtp
- Host: mail.valleycountysar.org
- Port: 587
- Username: [email protected]
- Password: DKw(r0%wpbd]
- http://103.130.147.85
Signatures
- Snake Keylogger
  Keylogger and Infostealer first seen in November 2020.
- Snake Keylogger payload (5 IoCs)
  Processes:
  resource                                                                     yara_rule
  behavioral3/memory/3004-7-0x0000000000400000-0x0000000000426000-memory.dmp   family_snakekeylogger
  behavioral3/memory/3004-11-0x0000000000400000-0x0000000000426000-memory.dmp  family_snakekeylogger
  behavioral3/memory/3004-15-0x0000000000400000-0x0000000000426000-memory.dmp  family_snakekeylogger
  behavioral3/memory/3004-13-0x0000000000400000-0x0000000000426000-memory.dmp  family_snakekeylogger
  behavioral3/memory/3004-8-0x0000000000400000-0x0000000000426000-memory.dmp   family_snakekeylogger
- Deletes itself (1 IoC)
  Processes: pid 2708, cmd.exe
- Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes: flow 4, ioc checkip.dyndns.org
- Suspicious use of SetThreadContext (1 IoC)
  Processes: PID 2432 (CTM BREAKDOWN.exe) set thread context of PID 3004 (CTM BREAKDOWN.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  Processes: pid 3004, CTM BREAKDOWN.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes: Token: SeDebugPrivilege, pid 3004, CTM BREAKDOWN.exe
- Suspicious use of WriteProcessMemory (17 IoCs)
  Processes (identical events collapsed, with count):
  description          pid   process            target pid  target process     count
  wrote to memory of   2432  CTM BREAKDOWN.exe  3004        CTM BREAKDOWN.exe  9
  wrote to memory of   3004  CTM BREAKDOWN.exe  2708        cmd.exe            4
  wrote to memory of   2708  cmd.exe            2540        choice.exe         4
Processes
1. C:\Users\Admin\AppData\Local\Temp\CTM BREAKDOWN.exe
   "C:\Users\Admin\AppData\Local\Temp\CTM BREAKDOWN.exe"
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\CTM BREAKDOWN.exe
      "C:\Users\Admin\AppData\Local\Temp\CTM BREAKDOWN.exe"
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\cmd.exe
         "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\CTM BREAKDOWN.exe"
         - Deletes itself
         - Suspicious use of WriteProcessMemory
         4. C:\Windows\SysWOW64\choice.exe
            choice /C Y /N /D Y /T 3
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
file                                                             filesize
memory/2432-0-0x0000000074C3E000-0x0000000074C3F000-memory.dmp   4KB
memory/2432-1-0x0000000001060000-0x00000000010EC000-memory.dmp   560KB
memory/2432-2-0x0000000000530000-0x0000000000584000-memory.dmp   336KB
memory/2432-3-0x0000000074C30000-0x000000007531E000-memory.dmp   6.9MB
memory/2432-4-0x00000000002C0000-0x00000000002C8000-memory.dmp   32KB
memory/2432-18-0x0000000074C30000-0x000000007531E000-memory.dmp  6.9MB
memory/3004-15-0x0000000000400000-0x0000000000426000-memory.dmp  152KB
memory/3004-9-0x000000007EFDE000-0x000000007EFDF000-memory.dmp   4KB
memory/3004-11-0x0000000000400000-0x0000000000426000-memory.dmp  152KB
memory/3004-13-0x0000000000400000-0x0000000000426000-memory.dmp  152KB
memory/3004-8-0x0000000000400000-0x0000000000426000-memory.dmp   152KB
memory/3004-5-0x0000000000400000-0x0000000000426000-memory.dmp   152KB
memory/3004-6-0x0000000000400000-0x0000000000426000-memory.dmp   152KB
memory/3004-16-0x0000000074C30000-0x000000007531E000-memory.dmp  6.9MB
memory/3004-17-0x0000000074C30000-0x000000007531E000-memory.dmp  6.9MB
memory/3004-7-0x0000000000400000-0x0000000000426000-memory.dmp   152KB
memory/3004-19-0x0000000074C30000-0x000000007531E000-memory.dmp  6.9MB
memory/3004-20-0x0000000074C30000-0x000000007531E000-memory.dmp  6.9MB
memory/3004-21-0x0000000074C30000-0x000000007531E000-memory.dmp  6.9MB