snakekeylogger | 062d95745d360e9a0819bef06807be73822283b9f57226efd4aa3a10cf1d7ff2

Analysis

max time kernel
360s
max time network
362s
platform
windows7_x64
resource
win7-20240508-de
resource tags

arch:x64arch:x86image:win7-20240508-delocale:de-deos:windows7-x64systemwindows
submitted
28-06-2024 05:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Detail-virement-international-032024074900542060000000.pdf.exe
Size

516KB
MD5

f582c7d4bea6603056786884cdad5412
SHA1

3fbcf63cf3ec4519cbb9360676da3a03bc368fb6
SHA256

120594fdeca3e974cb68fed91dac11294ba8cf36c0cb822c2f5ef279bb7a7633
SHA512

3161fdd82063997589ee0653e2ac46cce5da60b66500363944cb795c681b9d99acf5d3fb420bc10906f6ea89c321631bd13931b9606de157465ce363819eab4a
SSDEEP

12288:nsrVFmUYQ8WxgjUlefBL8RWu1ANz0w19OhI:srVFqWWwL1AqekW

Score

10^/10

snakekeylogger execution keylogger stealer

Malware Config

Extracted

Family

snakekeylogger

Credentials

Protocol: smtp
Host:
mail.sprayerbarn.com.au
Port:
587
Username:
[email protected]
Password:
Matthew@13

https://scratchdreams.tk

Signatures

Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
stealer keylogger snakekeylogger

Snake Keylogger payload 5 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2460-31-0x0000000000400000-0x0000000000426000-memory.dmp	family_snakekeylogger
behavioral1/memory/2460-30-0x0000000000400000-0x0000000000426000-memory.dmp	family_snakekeylogger
behavioral1/memory/2460-29-0x0000000000400000-0x0000000000426000-memory.dmp	family_snakekeylogger
behavioral1/memory/2460-26-0x0000000000400000-0x0000000000426000-memory.dmp	family_snakekeylogger
behavioral1/memory/2460-24-0x0000000000400000-0x0000000000426000-memory.dmp	family_snakekeylogger

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exe

pid process

2776 powershell.exe
2780 powershell.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1808 cmd.exe
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

4 checkip.dyndns.org
Suspicious use of SetThreadContext 1 IoCs

Processes:

Detail-virement-international-032024074900542060000000.pdf.exe

description pid process target process

PID 2960 set thread context of 2460 2960 Detail-virement-international-032024074900542060000000.pdf.exe Detail-virement-international-032024074900542060000000.pdf.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exe

pid process

2656 schtasks.exe

pid	process
2776	powershell.exe
2780	powershell.exe

pid	process
1808	cmd.exe

flow	ioc
4	checkip.dyndns.org

description	pid	process	target process
PID 2960 set thread context of 2460	2960	Detail-virement-international-032024074900542060000000.pdf.exe	Detail-virement-international-032024074900542060000000.pdf.exe

pid	process
2656	schtasks.exe

Suspicious behavior: EnumeratesProcesses 15 IoCs

Processes:

Detail-virement-international-032024074900542060000000.pdf.exeDetail-virement-international-032024074900542060000000.pdf.exepowershell.exepowershell.exe

pid	process
2960	Detail-virement-international-032024074900542060000000.pdf.exe
2960	Detail-virement-international-032024074900542060000000.pdf.exe
2960	Detail-virement-international-032024074900542060000000.pdf.exe
2960	Detail-virement-international-032024074900542060000000.pdf.exe
2960	Detail-virement-international-032024074900542060000000.pdf.exe
2960	Detail-virement-international-032024074900542060000000.pdf.exe
2960	Detail-virement-international-032024074900542060000000.pdf.exe
2960	Detail-virement-international-032024074900542060000000.pdf.exe
2960	Detail-virement-international-032024074900542060000000.pdf.exe
2960	Detail-virement-international-032024074900542060000000.pdf.exe
2960	Detail-virement-international-032024074900542060000000.pdf.exe
2960	Detail-virement-international-032024074900542060000000.pdf.exe
2460	Detail-virement-international-032024074900542060000000.pdf.exe
2776	powershell.exe
2780	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

Detail-virement-international-032024074900542060000000.pdf.exeDetail-virement-international-032024074900542060000000.pdf.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	2960	Detail-virement-international-032024074900542060000000.pdf.exe
Token: SeDebugPrivilege	2460	Detail-virement-international-032024074900542060000000.pdf.exe
Token: SeDebugPrivilege	2776	powershell.exe
Token: SeDebugPrivilege	2780	powershell.exe

Suspicious use of WriteProcessMemory 29 IoCs

Processes:

Detail-virement-international-032024074900542060000000.pdf.exeDetail-virement-international-032024074900542060000000.pdf.execmd.exe

description	pid	process	target process
PID 2960 wrote to memory of 2776	2960	Detail-virement-international-032024074900542060000000.pdf.exe	powershell.exe
PID 2960 wrote to memory of 2776	2960	Detail-virement-international-032024074900542060000000.pdf.exe	powershell.exe
PID 2960 wrote to memory of 2776	2960	Detail-virement-international-032024074900542060000000.pdf.exe	powershell.exe
PID 2960 wrote to memory of 2776	2960	Detail-virement-international-032024074900542060000000.pdf.exe	powershell.exe
PID 2960 wrote to memory of 2780	2960	Detail-virement-international-032024074900542060000000.pdf.exe	powershell.exe
PID 2960 wrote to memory of 2780	2960	Detail-virement-international-032024074900542060000000.pdf.exe	powershell.exe
PID 2960 wrote to memory of 2780	2960	Detail-virement-international-032024074900542060000000.pdf.exe	powershell.exe
PID 2960 wrote to memory of 2780	2960	Detail-virement-international-032024074900542060000000.pdf.exe	powershell.exe
PID 2960 wrote to memory of 2656	2960	Detail-virement-international-032024074900542060000000.pdf.exe	schtasks.exe
PID 2960 wrote to memory of 2656	2960	Detail-virement-international-032024074900542060000000.pdf.exe	schtasks.exe
PID 2960 wrote to memory of 2656	2960	Detail-virement-international-032024074900542060000000.pdf.exe	schtasks.exe
PID 2960 wrote to memory of 2656	2960	Detail-virement-international-032024074900542060000000.pdf.exe	schtasks.exe
PID 2960 wrote to memory of 2460	2960	Detail-virement-international-032024074900542060000000.pdf.exe	Detail-virement-international-032024074900542060000000.pdf.exe
PID 2960 wrote to memory of 2460	2960	Detail-virement-international-032024074900542060000000.pdf.exe	Detail-virement-international-032024074900542060000000.pdf.exe
PID 2960 wrote to memory of 2460	2960	Detail-virement-international-032024074900542060000000.pdf.exe	Detail-virement-international-032024074900542060000000.pdf.exe
PID 2960 wrote to memory of 2460	2960	Detail-virement-international-032024074900542060000000.pdf.exe	Detail-virement-international-032024074900542060000000.pdf.exe
PID 2960 wrote to memory of 2460	2960	Detail-virement-international-032024074900542060000000.pdf.exe	Detail-virement-international-032024074900542060000000.pdf.exe
PID 2960 wrote to memory of 2460	2960	Detail-virement-international-032024074900542060000000.pdf.exe	Detail-virement-international-032024074900542060000000.pdf.exe
PID 2960 wrote to memory of 2460	2960	Detail-virement-international-032024074900542060000000.pdf.exe	Detail-virement-international-032024074900542060000000.pdf.exe
PID 2960 wrote to memory of 2460	2960	Detail-virement-international-032024074900542060000000.pdf.exe	Detail-virement-international-032024074900542060000000.pdf.exe
PID 2960 wrote to memory of 2460	2960	Detail-virement-international-032024074900542060000000.pdf.exe	Detail-virement-international-032024074900542060000000.pdf.exe
PID 2460 wrote to memory of 1808	2460	Detail-virement-international-032024074900542060000000.pdf.exe	cmd.exe
PID 2460 wrote to memory of 1808	2460	Detail-virement-international-032024074900542060000000.pdf.exe	cmd.exe
PID 2460 wrote to memory of 1808	2460	Detail-virement-international-032024074900542060000000.pdf.exe	cmd.exe
PID 2460 wrote to memory of 1808	2460	Detail-virement-international-032024074900542060000000.pdf.exe	cmd.exe
PID 1808 wrote to memory of 320	1808	cmd.exe	choice.exe
PID 1808 wrote to memory of 320	1808	cmd.exe	choice.exe
PID 1808 wrote to memory of 320	1808	cmd.exe	choice.exe
PID 1808 wrote to memory of 320	1808	cmd.exe	choice.exe

C:\Users\Admin\AppData\Local\Temp\Detail-virement-international-032024074900542060000000.pdf.exe
"C:\Users\Admin\AppData\Local\Temp\Detail-virement-international-032024074900542060000000.pdf.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2960

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Detail-virement-international-032024074900542060000000.pdf.exe"
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2776

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\rNSDxrsB.exe"
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2780

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\rNSDxrsB" /XML "C:\Users\Admin\AppData\Local\Temp\tmpAB7B.tmp"
2⤵
- Scheduled Task/Job: Scheduled Task
PID:2656

C:\Users\Admin\AppData\Local\Temp\Detail-virement-international-032024074900542060000000.pdf.exe
"C:\Users\Admin\AppData\Local\Temp\Detail-virement-international-032024074900542060000000.pdf.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2460

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\Detail-virement-international-032024074900542060000000.pdf.exe"
3⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:1808

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:320

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpAB7B.tmp
Filesize
1KB

MD5
69a7d19b2ed2225fc82e0c1ed2f132ad

SHA1
10a8740e74c9c45706b44a287f3e3ed225379fdc

SHA256
fdf6a41cd50437ac45ee84a5167109d8cceb309513d8799607525e6f0da02036

SHA512
0e25b1f070c25a87a426a9496e2116cff8e8a8b12742209eb34ff9f7a8d0b4ca86daa6e963535e60b35dc004f7459700e2b40e2c15b7fa265b5b732a6f8a79b6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
7KB

MD5
0a66ab8b8d87359bd76578c7ea8d3fca

SHA1
b4c5a3638dec18a6c8fc862a28c76b10d560ab4c

SHA256
ccc767a4dce6d7c69c3cd2f037258953a64f21928129e1d561a7d2ec2db97195

SHA512
60adf570a9b1c1a535fa9cae5cbf2afb669be06b4336964229b9b0cb18e2143f3b3871a0eb868def6c1c6e5ae3bf2cf8d68c62bb59175c7e9ee26d164151ec28

Download Submit
memory/2460-28-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2460-20-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2460-22-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2460-24-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2460-26-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2460-29-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2460-30-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2460-31-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2960-7-0x00000000742BE000-0x00000000742BF000-memory.dmp

Filesize
4KB

Download
memory/2960-1-0x0000000001040000-0x00000000010C8000-memory.dmp

Filesize
544KB

Download
memory/2960-2-0x00000000742B0000-0x000000007499E000-memory.dmp

Filesize
6.9MB

Download
memory/2960-8-0x00000000742B0000-0x000000007499E000-memory.dmp

Filesize
6.9MB

Download
memory/2960-3-0x0000000000570000-0x0000000000586000-memory.dmp

Filesize
88KB

Download
memory/2960-0-0x00000000742BE000-0x00000000742BF000-memory.dmp

Filesize
4KB

Download
memory/2960-6-0x0000000005760000-0x00000000057C8000-memory.dmp

Filesize
416KB

Download
memory/2960-5-0x00000000007B0000-0x00000000007C0000-memory.dmp

Filesize
64KB

Download
memory/2960-4-0x00000000007A0000-0x00000000007AC000-memory.dmp

Filesize
48KB

Download
memory/2960-32-0x00000000742B0000-0x000000007499E000-memory.dmp

Filesize
6.9MB

Download