Analysis
- max time kernel: 147s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 27-06-2024 17:05
- Static task static1
- Behavioral task behavioral1: sample CTM BREAKDOWN.zip, resource win7-20240508-en
- Behavioral task behavioral2: sample CTM BREAKDOWN.zip, resource win10v2004-20240508-en
- Behavioral task behavioral3: sample CTM BREAKDOWN.exe, resource win7-20240419-en
- Behavioral task behavioral4: sample CTM BREAKDOWN.exe, resource win10v2004-20240508-en
General
- Target: CTM BREAKDOWN.exe
- Size: 537KB
- MD5: 3e97c23c4c1c6f721c910c08e25a60cc
- SHA1: d92304392377198b3b3cd95aa8de1572d75d7fb8
- SHA256: 4e2186d44f67e0ebc4ee9ecd68191b31849604930dd5babe6106e1e191b7874c
- SHA512: 6a2007d1a0660bb53f4a191b662241b8242e5e2e3ab6e220735da068cb69a6259465d2f5b5e533bdf3f4b36a7fde5edd75c4962afbb43edd8e39f151e2b3dbb5
- SSDEEP: 12288:/sdrEx695u8R6GfeZPrTxegfLiAUR0Jv/v+HLuSn:0drEsTu8kGfeZzTxegfmlUv/CLB
Malware Config
Extracted family: snakekeylogger
- Protocol: smtp
- Host: mail.valleycountysar.org
- Port: 587
- Username: [email protected]
- Password: DKw(r0%wpbd]
- http://103.130.147.85
Signatures
- Snake Keylogger
  Keylogger and Infostealer first seen in November 2020.
- Snake Keylogger payload (1 IoC)
  resource: behavioral4/memory/2812-9-0x0000000000400000-0x0000000000426000-memory.dmp
  yara_rule: family_snakekeylogger
- Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow 3, ioc: checkip.dyndns.org
- Suspicious use of SetThreadContext (1 IoC)
  PID 4032 (CTM BREAKDOWN.exe) set thread context of PID 2812 (CTM BREAKDOWN.exe)
- Program crash (1 IoC)
  pid 5104 (WerFault.exe), target pid 2812 (CTM BREAKDOWN.exe)
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  PID 2812 (CTM BREAKDOWN.exe)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeDebugPrivilege, PID 2812 (CTM BREAKDOWN.exe)
- Suspicious use of WriteProcessMemory (8 IoCs)
  PID 4032 (CTM BREAKDOWN.exe) wrote to memory of PID 2812 (CTM BREAKDOWN.exe), 8 times
Processes
- C:\Users\Admin\AppData\Local\Temp\CTM BREAKDOWN.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\CTM BREAKDOWN.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\CTM BREAKDOWN.exe (child)
    command line: "C:\Users\Admin\AppData\Local\Temp\CTM BREAKDOWN.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\WerFault.exe (child)
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2812 -s 1448
      - Program crash
- C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2812 -ip 2812
Network
MITRE ATT&CK Matrix
Downloads
- memory/2812-9-0x0000000000400000-0x0000000000426000-memory.dmp (152KB)
- memory/2812-14-0x0000000074650000-0x0000000074E00000-memory.dmp (7.7MB)
- memory/2812-11-0x0000000074650000-0x0000000074E00000-memory.dmp (7.7MB)
- memory/2812-10-0x0000000074650000-0x0000000074E00000-memory.dmp (7.7MB)
- memory/4032-3-0x00000000051A0000-0x0000000005232000-memory.dmp (584KB)
- memory/4032-5-0x00000000053C0000-0x00000000053CA000-memory.dmp (40KB)
- memory/4032-6-0x00000000053D0000-0x0000000005424000-memory.dmp (336KB)
- memory/4032-7-0x0000000005500000-0x000000000559C000-memory.dmp (624KB)
- memory/4032-8-0x0000000005450000-0x0000000005458000-memory.dmp (32KB)
- memory/4032-4-0x0000000074650000-0x0000000074E00000-memory.dmp (7.7MB)
- memory/4032-0-0x000000007465E000-0x000000007465F000-memory.dmp (4KB)
- memory/4032-2-0x0000000005750000-0x0000000005CF4000-memory.dmp (5.6MB)
- memory/4032-13-0x0000000074650000-0x0000000074E00000-memory.dmp (7.7MB)
- memory/4032-1-0x0000000000710000-0x000000000079C000-memory.dmp (560KB)