Static

static

Re.Po ORDE......exe

windows7_x64

10

Re.Po ORDE......exe

windows10_x64

10

Analysis

  • max time kernel
    56s
  • max time network
    114s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    27-11-2020 08:30

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Re.Po ORDER.45355.SCAN.PDF...exe

  • Size

    561KB

  • MD5

    1fe0cf1c189cb52b02ed680343b8b488

  • SHA1

    b5241295b8558023bf75736c3fedf45c90332efa

  • SHA256

    2e143c391d25da4a427a3016ae77beac80fbebcc01062a7207f6ca9036536a70

  • SHA512

    570e6c94930d9bbcdf3a1b74375ec90b76532756680254e1287f8eaee3819052436b19eb5d4afccfb8b9f1417cac55557e9c19da9575a8655f1ea7baddb99976

Score
10/10
snakekeyloggerkeyloggerspywarestealer

Malware Config

Extracted

Family

snakekeylogger

Credentials

  • Protocol:     smtp
  • Host:
    mail.bosut.mk
  • Port:
    587
  • Username:
    info@bosut.mk
  • Password:
    0XsKEemhd6EE

Signatures

  • Snake Keylogger

    Keylogger and Infostealer first seen in November 2020.

    stealerkeyloggersnakekeylogger
  • Snake Keylogger Payload 2 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Looks up external IP address via web service 3 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Re.Po ORDER.45355.SCAN.PDF...exe
    "C:\Users\Admin\AppData\Local\Temp\Re.Po ORDER.45355.SCAN.PDF...exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:4700
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\UxGTCQGb" /XML "C:\Users\Admin\AppData\Local\Temp\tmp12CD.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:2096
    • C:\Users\Admin\AppData\Local\Temp\Re.Po ORDER.45355.SCAN.PDF...exe
      "{path}"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:564

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1
T1053

Persistence

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Credential Access

Credentials in Files

3
T1081

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Data from Local System

3
T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Re.Po ORDER.45355.SCAN.PDF...exe.log
    MD5

    3fed8d1dd11972a6e2603bb2d73a3ee5

    SHA1

    7ecb7f64ade7b91c5815da647e84167c3d95afb4

    SHA256

    eecf6c0575dc995a485d46a5daaa66f58229e552f16782d873834d218ab17551

    SHA512

    ca6059eb67f800cc666d5146d24070abf5ee08209f8f9d1668a0ca2201eb3f6fa013c2d807b09925e12b82c37686980fcc26a6a5e4a5ba129c4b2a585961d3bb

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\tmp12CD.tmp
    MD5

    5d8d51a4e404c65b0e462aa7f07171b1

    SHA1

    f74c41ae1f5e7854ee27736efc929100b53d5215

    SHA256

    ac3c1a1cbac8932ab354239c505fbe91b437672f6c44b5ca66ce71c67e2c051e

    SHA512

    687e403f87e46f8a6a359ec53dc50c8981dc3aecdb08f1fcbcdb71577e996bf74b3248237cdb24372e769860d6fde6610d3b47c003a96c4016500e34b9d1344c

    Download Submit
  • memory/564-24-0x0000000006E90000-0x0000000006E91000-memory.dmp
    Filesize

    4KB

    Download
  • memory/564-17-0x0000000073CE0000-0x00000000743CE000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/564-15-0x00000000004628AE-mapping.dmp
    Download
  • memory/564-14-0x0000000000400000-0x0000000000468000-memory.dmp
    Filesize

    416KB

    Download
  • memory/2096-12-0x0000000000000000-mapping.dmp
    Download
  • memory/4700-7-0x0000000006AD0000-0x0000000006AD1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4700-11-0x0000000007870000-0x00000000078FC000-memory.dmp
    Filesize

    560KB

    Download
  • memory/4700-10-0x0000000006C40000-0x0000000006C54000-memory.dmp
    Filesize

    80KB

    Download
  • memory/4700-9-0x0000000006C60000-0x0000000006C61000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4700-8-0x00000000070E0000-0x00000000070E1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4700-2-0x0000000073CE0000-0x00000000743CE000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/4700-6-0x0000000004B30000-0x0000000004B31000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4700-5-0x0000000004F90000-0x0000000004F91000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4700-3-0x0000000000240000-0x0000000000241000-memory.dmp
    Filesize

    4KB

    Download