Analysis
- max time kernel: 122s
- max time network: 135s
- platform: windows7_x64
- resource: win7-20240220-en
- resource tags: arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
- submitted: 28-06-2024 06:13
Static task: static1

Behavioral task: behavioral1
  Sample: Cargo details.exe
  Resource: win7-20240220-en

Behavioral task: behavioral2
  Sample: Cargo details.exe
  Resource: win10v2004-20240611-en
General
- Target: Cargo details.exe
- Size: 521KB
- MD5: eaee1038c3ee0e44b7d5075ebc4546e2
- SHA1: 0bf2a8cf2726cad12d1c6ac4fc3fa1b7e4fc4e97
- SHA256: 08fbaa45a5b76b737f0163f59330fb7945a97b2ee0e90133ecbbb2c133d3b5e6
- SHA512: 0041109e649b1cb9e4ac8944578246c723aeae899f79ec8ea49566b54fce8609a06863e3299986144c3df7857f6ea4cd85840dce2422db9d7248702da2ec196a
- SSDEEP: 12288:c5kndm6oduitZWCxbLzRyCQYVNcSpUbubuF4a0eR9:Hng6oQiSCJM/Y3Ptg4heR9
Malware Config
Extracted: snakekeylogger
- Protocol: smtp
- Host: valleycountysar.org
- Port: 26
- Username: [email protected]
- Password: fY,FLoadtsiF
Signatures
-
Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
-
Snake Keylogger payload 5 IoCs
Processes:
  resource                                                                      yara_rule
  behavioral1/memory/2252-19-0x0000000000400000-0x0000000000426000-memory.dmp   family_snakekeylogger
  behavioral1/memory/2252-18-0x0000000000400000-0x0000000000426000-memory.dmp   family_snakekeylogger
  behavioral1/memory/2252-15-0x0000000000400000-0x0000000000426000-memory.dmp   family_snakekeylogger
  behavioral1/memory/2252-11-0x0000000000400000-0x0000000000426000-memory.dmp   family_snakekeylogger
  behavioral1/memory/2252-10-0x0000000000400000-0x0000000000426000-memory.dmp   family_snakekeylogger
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
Processes: Cargo details.exe
  description   ioc                                                                                                                                                              process
  Key opened    \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676                                Cargo details.exe
  Key opened    \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676   Cargo details.exe
  Key opened    \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676                                Cargo details.exe
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
  flow   ioc
  4      checkip.dyndns.org
-
Suspicious use of SetThreadContext 1 IoCs
Processes: Cargo details.exe
  description                                pid    process             target process
  PID 2196 set thread context of 2252        2196   Cargo details.exe   Cargo details.exe
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes: Cargo details.exe
  pid    process
  2252   Cargo details.exe
  2252   Cargo details.exe
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes: Cargo details.exe
  description               pid    process
  Token: SeDebugPrivilege   2252   Cargo details.exe
-
Suspicious use of WriteProcessMemory 9 IoCs
Processes: Cargo details.exe
  description                           pid    process             target process
  PID 2196 wrote to memory of 2252      2196   Cargo details.exe   Cargo details.exe
  (the same entry is recorded 9 times)
-
outlook_office_path 1 IoCs
Processes: Cargo details.exe
  description   ioc                                                                                                                                              process
  Key opened    \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676   Cargo details.exe
-
outlook_win_path 1 IoCs
Processes: Cargo details.exe
  description   ioc                                                                                                                                                                              process
  Key opened    \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676   Cargo details.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\Cargo details.exe
  "C:\Users\Admin\AppData\Local\Temp\Cargo details.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\Cargo details.exe (child process)
    "C:\Users\Admin\AppData\Local\Temp\Cargo details.exe"
    - Accesses Microsoft Outlook profiles
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
  file                                                                  filesize
  memory/2196-0-0x000000007488E000-0x000000007488F000-memory.dmp        4KB
  memory/2196-1-0x00000000012D0000-0x0000000001358000-memory.dmp        544KB
  memory/2196-2-0x0000000000B70000-0x0000000000BC4000-memory.dmp        336KB
  memory/2196-3-0x0000000074880000-0x0000000074F6E000-memory.dmp        6.9MB
  memory/2196-4-0x0000000000520000-0x0000000000528000-memory.dmp        32KB
  memory/2196-22-0x0000000074880000-0x0000000074F6E000-memory.dmp       6.9MB
  memory/2252-18-0x0000000000400000-0x0000000000426000-memory.dmp       152KB
  memory/2252-19-0x0000000000400000-0x0000000000426000-memory.dmp       152KB
  memory/2252-13-0x000000007EFDE000-0x000000007EFDF000-memory.dmp       4KB
  memory/2252-15-0x0000000000400000-0x0000000000426000-memory.dmp       152KB
  memory/2252-11-0x0000000000400000-0x0000000000426000-memory.dmp       152KB
  memory/2252-10-0x0000000000400000-0x0000000000426000-memory.dmp       152KB
  memory/2252-7-0x0000000000400000-0x0000000000426000-memory.dmp        152KB
  memory/2252-20-0x0000000074880000-0x0000000074F6E000-memory.dmp       6.9MB
  memory/2252-21-0x0000000074880000-0x0000000074F6E000-memory.dmp       6.9MB
  memory/2252-5-0x0000000000400000-0x0000000000426000-memory.dmp        152KB
  memory/2252-23-0x0000000074880000-0x0000000074F6E000-memory.dmp       6.9MB
  memory/2252-24-0x0000000074880000-0x0000000074F6E000-memory.dmp       6.9MB