Overview

overview

10

Static

static

Scan document.exe

windows7_x64

10

Scan document.exe

windows10_x64

10

Analysis

  • max time kernel
    151s
  • max time network
    153s
  • platform
    windows7_x64
  • resource
    win7v20201028
  • submitted
    14-01-2021 19:22

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Scan document.exe

  • Size

    667KB

  • MD5

    3ae1b28cf2f2909ed5c5451653017a0a

  • SHA1

    726aaf44fb0761703f5044c858fe03644edc0063

  • SHA256

    218fa15ef4b6910a7dd996ed0b54df8dfae8f174013b4214971c91787654f7a4

  • SHA512

    3b133df737f66cfc8b54fd392a6b5a72a139e4f7d691ddd0674cecda5dd1cfaa2b583a1188bfad536318985ecb1f89d02fc778720b4ff19ba4b8cbfe8f4dfa0c

Score
10/10
snakekeyloggerkeyloggerstealer

Malware Config

Extracted

Credentials

  • Protocol:     smtp
  • Host:
    smtp.yandex.ru
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    internationallove147

Signatures

  • Snake Keylogger

    Keylogger and Infostealer first seen in November 2020.

    stealerkeyloggersnakekeylogger
  • Snake Keylogger Payload 4 IoCs
  • Looks up external IP address via web service 3 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 31 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Scan document.exe
    "C:\Users\Admin\AppData\Local\Temp\Scan document.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1824
    • C:\Windows\SysWOW64\SecEdit.exe
      "C:\Windows\System32\SecEdit.exe" /export /cfg C:\Users\Admin\AppData\Local\Temp\UserRights.cfg /areas User_Rights /log C:\Users\Admin\AppData\Local\Temp\UserRights.log
      2⤵
        PID:1332
      • C:\Windows\SysWOW64\SecEdit.exe
        "C:\Windows\System32\SecEdit.exe" /export /cfg C:\Users\Admin\AppData\Local\Temp\UserRights.cfg /areas User_Rights /log C:\Users\Admin\AppData\Local\Temp\UserRights.log
        2⤵
          PID:544
        • C:\Windows\SysWOW64\SecEdit.exe
          "C:\Windows\System32\SecEdit.exe" /export /cfg C:\Users\Admin\AppData\Local\Temp\UserRights.cfg /areas User_Rights /log C:\Users\Admin\AppData\Local\Temp\UserRights.log
          2⤵
            PID:368
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
            2⤵
              PID:1300
            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
              "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
              2⤵
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:1744

          Network

          MITRE ATT&CK Matrix

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\Temp\UserRights.cfg
            MD5

            d353be64a3ac409d9531ec6311a55140

            SHA1

            8d0d07175aa4560ff251ab2d7994d5442233bc17

            SHA256

            487b44f8208125557ce533248c164f54112816af448902bc217785eaa958c84d

            SHA512

            4f65c265df334d7a0e8e434bd012c41409fff9858b1a4a6cd56c8d1fca50ad3f221baef74c07d6d76145fb1fb2deeb8b9011025b7b7ffa4960d7ff98c5ab0e4b

            Download Submit
          • C:\Users\Admin\AppData\Local\Temp\UserRights.cfg
            MD5

            dfd012ea179d6ffc84c07b5f3c19f7fd

            SHA1

            b5e4e2430f451f009f5391e6eac79b4bd5780934

            SHA256

            152f7b1f3be110b828bf30d46d8951bd54c169b7e4115b0bde2d3afb48dcc7bf

            SHA512

            746fbae6a07ce43aba5cd0afb8b0c577aec12fdfc35db477a805f1ddcfa3d67716d30f368d8b6cecdc8263878cc19a4a86e27c94c635234b0a2f45b83327a24f

            Download Submit
          • C:\Users\Admin\AppData\Local\Temp\UserRights.log
            MD5

            f3b25701fe362ec84616a93a45ce9998

            SHA1

            d62636d8caec13f04e28442a0a6fa1afeb024bbb

            SHA256

            b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

            SHA512

            98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

            Download Submit
          • C:\Users\Admin\AppData\Local\Temp\UserRights.log
            MD5

            f3b25701fe362ec84616a93a45ce9998

            SHA1

            d62636d8caec13f04e28442a0a6fa1afeb024bbb

            SHA256

            b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

            SHA512

            98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

            Download Submit
          • \??\PIPE\scerpc
            MD5

            d41d8cd98f00b204e9800998ecf8427e

            SHA1

            da39a3ee5e6b4b0d3255bfef95601890afd80709

            SHA256

            e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

            SHA512

            cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

            Download Submit
          • memory/368-9-0x0000000000000000-mapping.dmp
            Download
          • memory/544-6-0x0000000000000000-mapping.dmp
            Download
          • memory/1332-5-0x0000000000000000-mapping.dmp
            Download
          • memory/1744-16-0x000000000046474E-mapping.dmp
            Download
          • memory/1744-15-0x0000000000400000-0x000000000046A000-memory.dmp
            Filesize

            424KB

            Download
          • memory/1744-17-0x0000000000400000-0x000000000046A000-memory.dmp
            Filesize

            424KB

            Download
          • memory/1744-18-0x0000000000400000-0x000000000046A000-memory.dmp
            Filesize

            424KB

            Download
          • memory/1744-19-0x0000000072D60000-0x000000007344E000-memory.dmp
            Filesize

            6.9MB

            Download
          • memory/1824-3-0x0000000000910000-0x0000000000911000-memory.dmp
            Filesize

            4KB

            Download
          • memory/1824-2-0x0000000073980000-0x000000007406E000-memory.dmp
            Filesize

            6.9MB

            Download
          • memory/1824-13-0x0000000007F90000-0x0000000008021000-memory.dmp
            Filesize

            580KB

            Download
          • memory/1824-14-0x0000000004350000-0x000000000435F000-memory.dmp
            Filesize

            60KB

            Download