Analysis
- max time kernel: 118s
- max time network: 122s
- platform: windows7_x64
- resource: win7-20240508-en
- resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
- submitted: 04-07-2024 01:42
Static task: static1

Behavioral task: behavioral1
- Sample: 82a691d0d2c89557642dc0fc22bc2edd02461c64f2b21fd225f2993d4350b375.exe
- Resource: win7-20240508-en

Behavioral task: behavioral2
- Sample: 82a691d0d2c89557642dc0fc22bc2edd02461c64f2b21fd225f2993d4350b375.exe
- Resource: win10v2004-20240611-en
General
- Target: 82a691d0d2c89557642dc0fc22bc2edd02461c64f2b21fd225f2993d4350b375.exe
- Size: 1015KB
- MD5: 9b36f1a92adf3c03c596bdda4e8ba903
- SHA1: a0bc8f5b57813ad72b2d95c87ce42b1abd0a4f41
- SHA256: 82a691d0d2c89557642dc0fc22bc2edd02461c64f2b21fd225f2993d4350b375
- SHA512: 3351c0da097559464081be12a9e44892374b914e62e07f987b514d499d8e03a80b4c509d9d26e34051ffc2bf0917dc0a635f0864182cd7b8a6ccf247bec43f92
- SSDEEP: 24576:3qDEvCTbMWu7rQYlBQcBiT6rprG8aL5DLN:3TvC/MTQYxsWR7aL5P
Malware Config
Extracted: snakekeylogger
- Protocol: smtp
- Host: mail.marinasands.gr
- Port: 587
- Username: [email protected]
- Password: ;lHJ#%M!iBh-
- Email To: [email protected]
- https://scratchdreams.tk
Signatures

- Snake Keylogger
  Keylogger and Infostealer first seen in November 2020.

- Snake Keylogger payload (3 IoCs)
  Processes:
  resource | yara_rule
  behavioral1/memory/2492-11-0x0000000000400000-0x0000000000426000-memory.dmp | family_snakekeylogger
  behavioral1/memory/2492-15-0x0000000000400000-0x0000000000426000-memory.dmp | family_snakekeylogger
  behavioral1/memory/2492-13-0x0000000000400000-0x0000000000426000-memory.dmp | family_snakekeylogger

- Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes:
  flow | ioc
  4 | checkip.dyndns.org

- Suspicious use of SetThreadContext (1 IoC)
  Processes: 82a691d0d2c89557642dc0fc22bc2edd02461c64f2b21fd225f2993d4350b375.exe
  description | pid | process | target process
  PID 2228 set thread context of 2492 | 2228 | 82a691d0d2c89557642dc0fc22bc2edd02461c64f2b21fd225f2993d4350b375.exe | RegSvcs.exe

- Program crash (1 IoC)
  Processes: WerFault.exe
  pid | pid_target | process | target process
  2272 | 2492 | WerFault.exe | RegSvcs.exe

- Suspicious behavior: EnumeratesProcesses (1 IoC)
  Processes: RegSvcs.exe
  pid | process
  2492 | RegSvcs.exe

- Suspicious behavior: MapViewOfSection (1 IoC)
  Processes: 82a691d0d2c89557642dc0fc22bc2edd02461c64f2b21fd225f2993d4350b375.exe
  pid | process
  2228 | 82a691d0d2c89557642dc0fc22bc2edd02461c64f2b21fd225f2993d4350b375.exe

- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes: RegSvcs.exe
  description | pid | process
  Token: SeDebugPrivilege | 2492 | RegSvcs.exe

- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes: 82a691d0d2c89557642dc0fc22bc2edd02461c64f2b21fd225f2993d4350b375.exe, RegSvcs.exe
  description | pid | process | target process
  PID 2228 wrote to memory of 2492 | 2228 | 82a691d0d2c89557642dc0fc22bc2edd02461c64f2b21fd225f2993d4350b375.exe | RegSvcs.exe
  PID 2228 wrote to memory of 2492 | 2228 | 82a691d0d2c89557642dc0fc22bc2edd02461c64f2b21fd225f2993d4350b375.exe | RegSvcs.exe
  PID 2228 wrote to memory of 2492 | 2228 | 82a691d0d2c89557642dc0fc22bc2edd02461c64f2b21fd225f2993d4350b375.exe | RegSvcs.exe
  PID 2228 wrote to memory of 2492 | 2228 | 82a691d0d2c89557642dc0fc22bc2edd02461c64f2b21fd225f2993d4350b375.exe | RegSvcs.exe
  PID 2228 wrote to memory of 2492 | 2228 | 82a691d0d2c89557642dc0fc22bc2edd02461c64f2b21fd225f2993d4350b375.exe | RegSvcs.exe
  PID 2228 wrote to memory of 2492 | 2228 | 82a691d0d2c89557642dc0fc22bc2edd02461c64f2b21fd225f2993d4350b375.exe | RegSvcs.exe
  PID 2228 wrote to memory of 2492 | 2228 | 82a691d0d2c89557642dc0fc22bc2edd02461c64f2b21fd225f2993d4350b375.exe | RegSvcs.exe
  PID 2228 wrote to memory of 2492 | 2228 | 82a691d0d2c89557642dc0fc22bc2edd02461c64f2b21fd225f2993d4350b375.exe | RegSvcs.exe
  PID 2492 wrote to memory of 2272 | 2492 | RegSvcs.exe | WerFault.exe
  PID 2492 wrote to memory of 2272 | 2492 | RegSvcs.exe | WerFault.exe
  PID 2492 wrote to memory of 2272 | 2492 | RegSvcs.exe | WerFault.exe
  PID 2492 wrote to memory of 2272 | 2492 | RegSvcs.exe | WerFault.exe
Processes

1. C:\Users\Admin\AppData\Local\Temp\82a691d0d2c89557642dc0fc22bc2edd02461c64f2b21fd225f2993d4350b375.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\82a691d0d2c89557642dc0fc22bc2edd02461c64f2b21fd225f2993d4350b375.exe"
   - Suspicious use of SetThreadContext
   - Suspicious behavior: MapViewOfSection
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\82a691d0d2c89557642dc0fc22bc2edd02461c64f2b21fd225f2993d4350b375.exe"
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\WerFault.exe
         Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2492 -s 1048
         - Program crash
Network
MITRE ATT&CK Matrix
Downloads
- memory/2228-10-0x00000000001D0000-0x00000000001D4000-memory.dmp (Filesize: 16KB)
- memory/2492-11-0x0000000000400000-0x0000000000426000-memory.dmp (Filesize: 152KB)
- memory/2492-15-0x0000000000400000-0x0000000000426000-memory.dmp (Filesize: 152KB)
- memory/2492-13-0x0000000000400000-0x0000000000426000-memory.dmp (Filesize: 152KB)
- memory/2492-16-0x000000007423E000-0x000000007423F000-memory.dmp (Filesize: 4KB)
- memory/2492-17-0x0000000074230000-0x000000007491E000-memory.dmp (Filesize: 6.9MB)
- memory/2492-18-0x000000007423E000-0x000000007423F000-memory.dmp (Filesize: 4KB)
- memory/2492-19-0x0000000074230000-0x000000007491E000-memory.dmp (Filesize: 6.9MB)