Analysis
- max time kernel: 151s
- max time network: 153s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 14-01-2021 19:22
Static task: static1
Behavioral task: behavioral1
  Sample: Scan document.exe
  Resource: win7v20201028
Behavioral task: behavioral2
  Sample: Scan document.exe
  Resource: win10v20201028
General
- Target: Scan document.exe
- Size: 667KB
- MD5: 3ae1b28cf2f2909ed5c5451653017a0a
- SHA1: 726aaf44fb0761703f5044c858fe03644edc0063
- SHA256: 218fa15ef4b6910a7dd996ed0b54df8dfae8f174013b4214971c91787654f7a4
- SHA512: 3b133df737f66cfc8b54fd392a6b5a72a139e4f7d691ddd0674cecda5dd1cfaa2b583a1188bfad536318985ecb1f89d02fc778720b4ff19ba4b8cbfe8f4dfa0c
Malware Config
Extracted:
- Protocol: smtp
- Host: smtp.yandex.ru
- Port: 587
- Username: [email protected]
- Password: internationallove147
Signatures
- Snake Keylogger
  Keylogger and Infostealer first seen in November 2020.
- Snake Keylogger Payload (4 IoCs)
  Processes:
    resource                                                       yara_rule
    behavioral1/memory/1744-16-0x000000000046474E-mapping.dmp      family_snakekeylogger
    behavioral1/memory/1744-15-0x0000000000400000-0x000000000046A000-memory.dmp    family_snakekeylogger
    behavioral1/memory/1744-17-0x0000000000400000-0x000000000046A000-memory.dmp    family_snakekeylogger
    behavioral1/memory/1744-18-0x0000000000400000-0x000000000046A000-memory.dmp    family_snakekeylogger
- Looks up external IP address via web service (3 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes:
    flow   ioc
    5      checkip.dyndns.org
    10     freegeoip.app
    11     freegeoip.app
- Suspicious use of SetThreadContext (1 IoC)
  Processes (Scan document.exe):
    description                               pid    process             target process
    PID 1824 set thread context of 1744       1824   Scan document.exe   RegAsm.exe
- Suspicious behavior: EnumeratesProcesses (3 IoCs)
  Processes (Scan document.exe, RegAsm.exe):
    pid    process
    1824   Scan document.exe
    1824   Scan document.exe
    1744   RegAsm.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes (Scan document.exe, RegAsm.exe):
    description                pid    process
    Token: SeDebugPrivilege    1824   Scan document.exe
    Token: SeDebugPrivilege    1744   RegAsm.exe
- Suspicious use of WriteProcessMemory (31 IoCs)
  Processes (Scan document.exe); identical rows are grouped, with the number of events in the last column:
    description                          pid    process             target process   events
    PID 1824 wrote to memory of 1332     1824   Scan document.exe   SecEdit.exe      4
    PID 1824 wrote to memory of 544      1824   Scan document.exe   SecEdit.exe      4
    PID 1824 wrote to memory of 368      1824   Scan document.exe   SecEdit.exe      4
    PID 1824 wrote to memory of 1300     1824   Scan document.exe   RegAsm.exe       7
    PID 1824 wrote to memory of 1744     1824   Scan document.exe   RegAsm.exe       12
Processes
- C:\Users\Admin\AppData\Local\Temp\Scan document.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Scan document.exe"
  Signatures:
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
  Child processes:
    - C:\Windows\SysWOW64\SecEdit.exe
      Command line: "C:\Windows\System32\SecEdit.exe" /export /cfg C:\Users\Admin\AppData\Local\Temp\UserRights.cfg /areas User_Rights /log C:\Users\Admin\AppData\Local\Temp\UserRights.log
    - C:\Windows\SysWOW64\SecEdit.exe
      Command line: "C:\Windows\System32\SecEdit.exe" /export /cfg C:\Users\Admin\AppData\Local\Temp\UserRights.cfg /areas User_Rights /log C:\Users\Admin\AppData\Local\Temp\UserRights.log
    - C:\Windows\SysWOW64\SecEdit.exe
      Command line: "C:\Windows\System32\SecEdit.exe" /export /cfg C:\Users\Admin\AppData\Local\Temp\UserRights.cfg /areas User_Rights /log C:\Users\Admin\AppData\Local\Temp\UserRights.log
    - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      Signatures:
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
Downloads
- C:\Users\Admin\AppData\Local\Temp\UserRights.cfg
- C:\Users\Admin\AppData\Local\Temp\UserRights.cfg
- C:\Users\Admin\AppData\Local\Temp\UserRights.log
- \??\PIPE\scerpc
- memory/368-9-0x0000000000000000-mapping.dmp
- memory/544-6-0x0000000000000000-mapping.dmp
- memory/1332-5-0x0000000000000000-mapping.dmp
- memory/1744-16-0x000000000046474E-mapping.dmp
- memory/1744-15-0x0000000000400000-0x000000000046A000-memory.dmp (424KB)
- memory/1744-17-0x0000000000400000-0x000000000046A000-memory.dmp (424KB)
- memory/1744-18-0x0000000000400000-0x000000000046A000-memory.dmp (424KB)
- memory/1744-19-0x0000000072D60000-0x000000007344E000-memory.dmp (6.9MB)
- memory/1824-3-0x0000000000910000-0x0000000000911000-memory.dmp (4KB)
- memory/1824-2-0x0000000073980000-0x000000007406E000-memory.dmp (6.9MB)
- memory/1824-13-0x0000000007F90000-0x0000000008021000-memory.dmp (580KB)
- memory/1824-14-0x0000000004350000-0x000000000435F000-memory.dmp (60KB)