snakekeylogger | fef9364a82823b9d1a9dbee06a202bd7914c6414a8857311ec338fbd2eb2261c

Analysis

max time kernel
147s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
28-06-2024 03:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

pay09809988.exe
Size

452KB
MD5

dc83500f11eef58ddbb21c9dd2d17729
SHA1

46b0de105332e090806d5e95f38ee0a33c10ad3b
SHA256

2160a2fba2efc22751b82cebb9d4ce21dfe35782cfb21bbf512687f413b80e65
SHA512

b1289ae61523b0e170a434361e727bf5e0e0043c4596214b4823e6c961ace6a61b796adcbd459cbdcddab3c7d9ff3236ad81a9d88f8a9ca31206a90fb1c127ad
SSDEEP

12288:RH06XwKIhiXX1oJMdqvEu6XFhCQxy1Hex/pKAQb9NsAm:9frX1oJwqvEujh2xiBm

Score

10^/10

snakekeylogger collection keylogger stealer

Malware Config

Extracted

Family

snakekeylogger

Credentials

Protocol: smtp
Host:
mail.potagrup.com
Port:
587
Username:
[email protected]
Password:
Pgrup@2021

Signatures

Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
stealer keylogger snakekeylogger
Loads dropped DLL 2 IoCs

Processes:

pay09809988.exe

pid process

4780 pay09809988.exe
4780 pay09809988.exe

pid	process
4780	pay09809988.exe
4780	pay09809988.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

MSBuild.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe
Key opened	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe
Key opened	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

3 checkip.dyndns.org
Suspicious use of SetThreadContext 1 IoCs

Processes:

pay09809988.exe

description pid process target process

PID 4780 set thread context of 3288 4780 pay09809988.exe MSBuild.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2364 3288 WerFault.exe MSBuild.exe
Suspicious behavior: EnumeratesProcesses 9 IoCs

Processes:

pay09809988.exeMSBuild.exe

pid process

4780 pay09809988.exe
4780 pay09809988.exe
4780 pay09809988.exe
4780 pay09809988.exe
4780 pay09809988.exe
4780 pay09809988.exe
4780 pay09809988.exe
4780 pay09809988.exe
3288 MSBuild.exe
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

pay09809988.exe

pid process

4780 pay09809988.exe
4780 pay09809988.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

MSBuild.exe

description pid process

Token: SeDebugPrivilege 3288 MSBuild.exe

flow	ioc
3	checkip.dyndns.org

description	pid	process	target process
PID 4780 set thread context of 3288	4780	pay09809988.exe	MSBuild.exe

pid	pid_target	process	target process
2364	3288	WerFault.exe	MSBuild.exe

pid	process
4780	pay09809988.exe
4780	pay09809988.exe
4780	pay09809988.exe
4780	pay09809988.exe
4780	pay09809988.exe
4780	pay09809988.exe
4780	pay09809988.exe
4780	pay09809988.exe
3288	MSBuild.exe

pid	process
4780	pay09809988.exe
4780	pay09809988.exe

description	pid	process
Token: SeDebugPrivilege	3288	MSBuild.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

pay09809988.exe

description	pid	process	target process
PID 4780 wrote to memory of 3288	4780	pay09809988.exe	MSBuild.exe
PID 4780 wrote to memory of 3288	4780	pay09809988.exe	MSBuild.exe
PID 4780 wrote to memory of 3288	4780	pay09809988.exe	MSBuild.exe
PID 4780 wrote to memory of 3288	4780	pay09809988.exe	MSBuild.exe

outlook_office_path 1 IoCs

Processes:

MSBuild.exe

description ioc process

Key opened \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 MSBuild.exe

outlook_win_path 1 IoCs

Processes:

MSBuild.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe

C:\Users\Admin\AppData\Local\Temp\pay09809988.exe
"C:\Users\Admin\AppData\Local\Temp\pay09809988.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:4780

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Users\Admin\AppData\Local\Temp\pay09809988.exe"
2⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:3288

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3288 -s 1416
3⤵
- Program crash
PID:2364

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3288 -ip 3288
1⤵
PID:2700

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Email Collection

T1114

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\jy2091qep.dll
Filesize
18KB

MD5
a393df2af4708ff2592687ff4ee343b9

SHA1
19b5212fc5dbd673f7e4f78c52b6c0ea33121d85

SHA256
eea2ac27c7db126176b9cbf245328c9acb06665995f1212cc28792304ca3f6f5

SHA512
b960e1ad593a17d94cacec2ef4e30c1b17b69469e3f1a0b26d992dce1ef697078a466bd1bde5779373bae6ff5b35c39a13f818c03c4a3a3eacda051b44ea0491

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsu44BB.tmp\System.dll
Filesize
11KB

MD5
fccff8cb7a1067e23fd2e2b63971a8e1

SHA1
30e2a9e137c1223a78a0f7b0bf96a1c361976d91

SHA256
6fcea34c8666b06368379c6c402b5321202c11b00889401c743fb96c516c679e

SHA512
f4335e84e6f8d70e462a22f1c93d2998673a7616c868177cac3e8784a3be1d7d0bb96f2583fa0ed82f4f2b6b8f5d9b33521c279a42e055d80a94b4f3f1791e0c

Download Submit
memory/3288-10-0x0000000000430000-0x000000000049A000-memory.dmp

Filesize
424KB

Download
memory/3288-12-0x0000000074EAE000-0x0000000074EAF000-memory.dmp

Filesize
4KB

Download
memory/3288-13-0x0000000005160000-0x0000000005704000-memory.dmp

Filesize
5.6MB

Download
memory/3288-14-0x0000000004CE0000-0x0000000004D7C000-memory.dmp

Filesize
624KB

Download
memory/3288-15-0x0000000074EA0000-0x0000000075650000-memory.dmp

Filesize
7.7MB

Download
memory/3288-16-0x0000000005BA0000-0x0000000005D62000-memory.dmp

Filesize
1.8MB

Download
memory/3288-17-0x0000000074EA0000-0x0000000075650000-memory.dmp

Filesize
7.7MB

Download
memory/4780-9-0x0000000010000000-0x0000000010007000-memory.dmp

Filesize
28KB

Download
memory/4780-11-0x0000000010000000-0x0000000010007000-memory.dmp

Filesize
28KB

Download