Analysis
- max time kernel: 147s
- max time network: 149s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 28-06-2024 03:05
Tasks
- Static task static1
- Behavioral task behavioral1: sample pay09809988.exe, resource win7-20240611-en
- Behavioral task behavioral2: sample pay09809988.exe, resource win10v2004-20240508-en
- Behavioral task behavioral3: sample $PLUGINSDIR/System.dll, resource win7-20240419-en
- Behavioral task behavioral4: sample $PLUGINSDIR/System.dll, resource win10v2004-20240508-en
- Behavioral task behavioral5: sample jy2091qep.dll, resource win7-20240220-en
- Behavioral task behavioral6: sample jy2091qep.dll, resource win10v2004-20240226-en
General
- Target: pay09809988.exe
- Size: 452KB
- MD5: dc83500f11eef58ddbb21c9dd2d17729
- SHA1: 46b0de105332e090806d5e95f38ee0a33c10ad3b
- SHA256: 2160a2fba2efc22751b82cebb9d4ce21dfe35782cfb21bbf512687f413b80e65
- SHA512: b1289ae61523b0e170a434361e727bf5e0e0043c4596214b4823e6c961ace6a61b796adcbd459cbdcddab3c7d9ff3236ad81a9d88f8a9ca31206a90fb1c127ad
- SSDEEP: 12288:RH06XwKIhiXX1oJMdqvEu6XFhCQxy1Hex/pKAQb9NsAm:9frX1oJwqvEujh2xiBm
Malware Config
Extracted family: snakekeylogger
- Protocol: smtp
- Host: mail.potagrup.com
- Port: 587
- Username: [email protected]
- Password: Pgrup@2021
Signatures
- Snake Keylogger
  Keylogger and Infostealer first seen in November 2020.
- Loads dropped DLL (2 IoCs)
  Processes (pid, process): 4780 pay09809988.exe; 4780 pay09809988.exe
- Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
  Processes (description, ioc, process):
  Key opened \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 by MSBuild.exe
  Key opened \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 by MSBuild.exe
  Key opened \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 by MSBuild.exe
- Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes (flow, ioc): flow 3, checkip.dyndns.org
- Suspicious use of SetThreadContext (1 IoC)
  Processes (description, pid, process, target process): PID 4780 set thread context of 3288; pay09809988.exe (4780) to MSBuild.exe (3288)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Program crash (1 IoC)
  Processes (pid, pid_target, process, target process): 2364 WerFault.exe handled crash of 3288 MSBuild.exe
- Suspicious behavior: EnumeratesProcesses (9 IoCs)
  Processes (pid, process): 4780 pay09809988.exe (8 occurrences); 3288 MSBuild.exe (1 occurrence)
- Suspicious behavior: MapViewOfSection (2 IoCs)
  Processes (pid, process): 4780 pay09809988.exe (2 occurrences)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes (description, pid, process): Token SeDebugPrivilege, 3288 MSBuild.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes (description, pid, process, target process): PID 4780 wrote to memory of 3288; pay09809988.exe (4780) to MSBuild.exe (3288), 4 occurrences
- outlook_office_path (1 IoC)
  Processes (description, ioc, process): Key opened \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 by MSBuild.exe
- outlook_win_path (1 IoC)
  Processes (description, ioc, process): Key opened \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 by MSBuild.exe
Processes (process tree; indentation shows parent/child depth)
- C:\Users\Admin\AppData\Local\Temp\pay09809988.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\pay09809988.exe"
  Signatures: Loads dropped DLL; Suspicious use of SetThreadContext; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: MapViewOfSection; Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\pay09809988.exe"
    Signatures: Accesses Microsoft Outlook profiles; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; outlook_office_path; outlook_win_path
    - C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3288 -s 1416
      Signatures: Program crash
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3288 -ip 3288
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\Users\Admin\AppData\Local\Temp\jy2091qep.dll
  Filesize: 18KB
  MD5: a393df2af4708ff2592687ff4ee343b9
  SHA1: 19b5212fc5dbd673f7e4f78c52b6c0ea33121d85
  SHA256: eea2ac27c7db126176b9cbf245328c9acb06665995f1212cc28792304ca3f6f5
  SHA512: b960e1ad593a17d94cacec2ef4e30c1b17b69469e3f1a0b26d992dce1ef697078a466bd1bde5779373bae6ff5b35c39a13f818c03c4a3a3eacda051b44ea0491
- C:\Users\Admin\AppData\Local\Temp\nsu44BB.tmp\System.dll
  Filesize: 11KB
  MD5: fccff8cb7a1067e23fd2e2b63971a8e1
  SHA1: 30e2a9e137c1223a78a0f7b0bf96a1c361976d91
  SHA256: 6fcea34c8666b06368379c6c402b5321202c11b00889401c743fb96c516c679e
  SHA512: f4335e84e6f8d70e462a22f1c93d2998673a7616c868177cac3e8784a3be1d7d0bb96f2583fa0ed82f4f2b6b8f5d9b33521c279a42e055d80a94b4f3f1791e0c
- memory/3288-10-0x0000000000430000-0x000000000049A000-memory.dmp (Filesize: 424KB)
- memory/3288-12-0x0000000074EAE000-0x0000000074EAF000-memory.dmp (Filesize: 4KB)
- memory/3288-13-0x0000000005160000-0x0000000005704000-memory.dmp (Filesize: 5.6MB)
- memory/3288-14-0x0000000004CE0000-0x0000000004D7C000-memory.dmp (Filesize: 624KB)
- memory/3288-15-0x0000000074EA0000-0x0000000075650000-memory.dmp (Filesize: 7.7MB)
- memory/3288-16-0x0000000005BA0000-0x0000000005D62000-memory.dmp (Filesize: 1.8MB)
- memory/3288-17-0x0000000074EA0000-0x0000000075650000-memory.dmp (Filesize: 7.7MB)
- memory/4780-9-0x0000000010000000-0x0000000010007000-memory.dmp (Filesize: 28KB)
- memory/4780-11-0x0000000010000000-0x0000000010007000-memory.dmp (Filesize: 28KB)