Static

static

Purchase_O...20.exe

windows7_x64

10

Purchase_O...20.exe

windows10_x64

10

Analysis

  • max time kernel
    77s
  • max time network
    78s
  • platform
    windows7_x64
  • resource
    win7v20201028
  • submitted
    19-11-2020 06:52

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Purchase_Order_11_19_20.exe

  • Size

    715KB

  • MD5

    e492155e4d4cab9522ef4144234c8069

  • SHA1

    97694934fc9e0caf9efb751e687ca7290f79ff2d

  • SHA256

    18d86210ca1721632ee4a17030313ca4c9f60aa0657d83a6cc576b9889558eef

  • SHA512

    094a8f459e10e20540cd0fc2f4cc8445aa7ac1b720eed0636fb8baf24cdda39a3f7b20b2e8d964bc6f2f15fd95847d721e77a1056594cd0d5ccd907c76812217

Score
10/10
snakekeyloggerkeyloggerstealer

Malware Config

Extracted

Family

snakekeylogger

Credentials

  • Protocol:     smtp
  • Host:
    mail.zavidovici.ba
  • Port:
    587
  • Username:
    opcina.zavidovici@zavidovici.ba
  • Password:
    12Opc21!

Signatures

  • Snake Keylogger

    Keylogger and Infostealer first seen in November 2020.

    stealerkeyloggersnakekeylogger
  • Snake Keylogger Payload 4 IoCs
  • Looks up external IP address via web service 3 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Purchase_Order_11_19_20.exe
    "C:\Users\Admin\AppData\Local\Temp\Purchase_Order_11_19_20.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of WriteProcessMemory
    PID:1588
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c schtasks /Create /TN name /XML "C:\Users\Admin\AppData\Local\Temp\2994a388d1d048dba54db2a714e9a29c.xml"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1660
      • C:\Windows\SysWOW64\schtasks.exe
        schtasks /Create /TN name /XML "C:\Users\Admin\AppData\Local\Temp\2994a388d1d048dba54db2a714e9a29c.xml"
        3⤵
        • Creates scheduled task(s)
        PID:1720
    • C:\Users\Admin\AppData\Local\Temp\Purchase_Order_11_19_20.exe
      "C:\Users\Admin\AppData\Local\Temp\Purchase_Order_11_19_20.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1972

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1
T1053

Persistence

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\2994a388d1d048dba54db2a714e9a29c.xml
    MD5

    a035055e1c80bc652520df45650c690f

    SHA1

    37b8364ad46e17199eb5a7ee89bb506bba384adb

    SHA256

    2b9948d34674d0fc0f9cb290da8298441b56205f6e341e3cfa1954df42c2b655

    SHA512

    678279d1bfc8a71c27a5a2c3afa5fd266882a62610863a3e4ebc2489f17827ed4c680c89e6b8b52621320500294d2df9888259ccdc5d38def43e739c1f325fc1

    Download Submit
  • memory/1660-0-0x0000000000000000-mapping.dmp
    Download
  • memory/1720-7-0x0000000000000000-mapping.dmp
    Download
  • memory/1972-1-0x0000000000400000-0x0000000000479000-memory.dmp
    Filesize

    484KB

    Download
  • memory/1972-2-0x000000000040188B-mapping.dmp
    Download
  • memory/1972-3-0x0000000000400000-0x0000000000479000-memory.dmp
    Filesize

    484KB

    Download
  • memory/1972-4-0x0000000074670000-0x0000000074D5E000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/1972-5-0x00000000002E0000-0x0000000000343000-memory.dmp
    Filesize

    396KB

    Download