Analysis
- max time kernel: 121s
- max time network: 126s
- platform: windows7_x64
- resource: win7-20240611-en
- resource tags: arch:x64, arch:x86, image:win7-20240611-en, locale:en-us, os:windows7-x64, system
- submitted: 02-07-2024 06:01
Static task: static1
Behavioral task: behavioral1
- Sample: lista de cotizaciones.xlam.exe
- Resource: win7-20240611-en
Behavioral task: behavioral2
- Sample: lista de cotizaciones.xlam.exe
- Resource: win10v2004-20240226-en
General
- Target: lista de cotizaciones.xlam.exe
- Size: 984KB
- MD5: 3397f79c3a08077e9295c17c9b3b938c
- SHA1: 7c1cfd2b56e5f4780b561942fe1e9f62200be5cb
- SHA256: fc53ccd71a8b45f03e842e375777e017b73371d2ae6828af9fd8328f6b91c3ee
- SHA512: a651cd572e27869b1c2901aea00244a08fe7b2607422d7b97892e9ef9e86a1fcce29ad9b86904fa6bd8c30bf2e9fe97f4df002a89acebbf9085218a41e1e1a81
- SSDEEP: 24576:fAHnh+eWsN3skA4RV1Hom2KXMmHanbuQ5:Ch+ZkldoPK8YanZ
Malware Config
- Extracted: snakekeylogger
- https://api.telegram.org/bot5581840526:AAE1o2MXOklfCJKspnGyHbkaYvwtJlJ8h3M/sendMessage?chat_id=5063375086
Signatures
- Snake Keylogger
  Keylogger and Infostealer first seen in November 2020.
- Snake Keylogger payload (3 IoCs)
  Processes:
    resource | yara_rule
    behavioral1/memory/2360-11-0x0000000000400000-0x0000000000426000-memory.dmp | family_snakekeylogger
    behavioral1/memory/2360-15-0x0000000000400000-0x0000000000426000-memory.dmp | family_snakekeylogger
    behavioral1/memory/2360-13-0x0000000000400000-0x0000000000426000-memory.dmp | family_snakekeylogger
- Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
  Processes:
    description | ioc | process
    Key opened | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | RegSvcs.exe
    Key opened | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | RegSvcs.exe
    Key opened | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | RegSvcs.exe
- Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes:
    flow | ioc
    2 | checkip.dyndns.org
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
    description | pid | process | target process
    PID 2448 set thread context of 2360 | 2448 | lista de cotizaciones.xlam.exe | RegSvcs.exe
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  Processes:
    pid | process
    2360 | RegSvcs.exe
- Suspicious behavior: MapViewOfSection (1 IoC)
  Processes:
    pid | process
    2448 | lista de cotizaciones.xlam.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
    description | pid | process
    Token: SeDebugPrivilege | 2360 | RegSvcs.exe
- Suspicious use of FindShellTrayWindow (2 IoCs)
  Processes:
    pid | process
    2448 | lista de cotizaciones.xlam.exe
    2448 | lista de cotizaciones.xlam.exe
- Suspicious use of SendNotifyMessage (2 IoCs)
  Processes:
    pid | process
    2448 | lista de cotizaciones.xlam.exe
    2448 | lista de cotizaciones.xlam.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes:
    description | pid | process | target process
    PID 2448 wrote to memory of 2360 | 2448 | lista de cotizaciones.xlam.exe | RegSvcs.exe
    (the same event is recorded 8 times)
- outlook_office_path (1 IoC)
  Processes:
    description | ioc | process
    Key opened | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | RegSvcs.exe
- outlook_win_path (1 IoC)
  Processes:
    description | ioc | process
    Key opened | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | RegSvcs.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\lista de cotizaciones.xlam.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\lista de cotizaciones.xlam.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\lista de cotizaciones.xlam.exe"
    - Accesses Microsoft Outlook profiles
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- memory/2360-11-0x0000000000400000-0x0000000000426000-memory.dmp (filesize 152KB)
- memory/2360-15-0x0000000000400000-0x0000000000426000-memory.dmp (filesize 152KB)
- memory/2360-13-0x0000000000400000-0x0000000000426000-memory.dmp (filesize 152KB)
- memory/2360-16-0x000000007444E000-0x000000007444F000-memory.dmp (filesize 4KB)
- memory/2360-17-0x0000000074440000-0x0000000074B2E000-memory.dmp (filesize 6.9MB)
- memory/2360-18-0x000000007444E000-0x000000007444F000-memory.dmp (filesize 4KB)
- memory/2360-19-0x0000000074440000-0x0000000074B2E000-memory.dmp (filesize 6.9MB)
- memory/2448-10-0x0000000000A20000-0x0000000000A24000-memory.dmp (filesize 16KB)