Analysis
-
max time kernel
149s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
-
submitted
28-06-2024 06:37
General
-
Target
Prouduct list Specifictions.exe
-
Size
521KB
-
MD5
9410d7c9e55815baf4a14c3c7542f11e
-
SHA1
6311d8773c5e2a61cdf98cd2a769f9cfe505aba1
-
SHA256
eaa3954a77e2afe3ff4f533d295619d77f0ab467dd3bb228cfbc87bd592245f1
-
SHA512
57c11447573745b13af0cdce59bae0cc53d48ffb14bae5a90c7817e81d385462f1db4611fa3fc1f76682121aceb218d063f012b00a42b0a06e3a9df85eec2167
-
SSDEEP
12288:c5kndm6oduitZWCxbLzRyCQNuENcSpUbubuF4a0VR9:Hng6oQiSCJM/XPtg4hVR9
Score
10/10
Malware Config
Extracted
Family
snakekeylogger
Credentials
Protocol: smtp- Host:
valleycountysar.org - Port:
26 - Username:
[email protected] - Password:
fY,FLoadtsiF
Signatures
-
Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
-
Snake Keylogger payload 1 IoCs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext 1 IoCs
-
Program crash 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 8 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\Prouduct list Specifictions.exe"C:\Users\Admin\AppData\Local\Temp\Prouduct list Specifictions.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Prouduct list Specifictions.exe"C:\Users\Admin\AppData\Local\Temp\Prouduct list Specifictions.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2112 -s 14883⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2112 -ip 21121⤵
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/2112-9-0x0000000000400000-0x0000000000426000-memory.dmpFilesize
152KB
-
memory/2112-14-0x0000000074E60000-0x0000000075610000-memory.dmpFilesize
7.7MB
-
memory/2112-11-0x0000000074E60000-0x0000000075610000-memory.dmpFilesize
7.7MB
-
memory/2112-10-0x0000000074E60000-0x0000000075610000-memory.dmpFilesize
7.7MB
-
memory/4828-3-0x00000000057B0000-0x0000000005842000-memory.dmpFilesize
584KB
-
memory/4828-6-0x00000000059B0000-0x0000000005A04000-memory.dmpFilesize
336KB
-
memory/4828-5-0x0000000074E60000-0x0000000075610000-memory.dmpFilesize
7.7MB
-
memory/4828-7-0x0000000005AB0000-0x0000000005B4C000-memory.dmpFilesize
624KB
-
memory/4828-8-0x0000000005A00000-0x0000000005A08000-memory.dmpFilesize
32KB
-
memory/4828-4-0x0000000005870000-0x000000000587A000-memory.dmpFilesize
40KB
-
memory/4828-0-0x0000000074E6E000-0x0000000074E6F000-memory.dmpFilesize
4KB
-
memory/4828-2-0x0000000005D60000-0x0000000006304000-memory.dmpFilesize
5.6MB
-
memory/4828-13-0x0000000074E60000-0x0000000075610000-memory.dmpFilesize
7.7MB
-
memory/4828-1-0x0000000000CD0000-0x0000000000D58000-memory.dmpFilesize
544KB