Analysis
- max time kernel: 16s
- max time network: 114s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 18-01-2021 18:51
Static task: static1
Behavioral task: behavioral1
  Sample: 000000000009000000.exe
  Resource: win7v20201028
Behavioral task: behavioral2
  Sample: 000000000009000000.exe
  Resource: win10v20201028
General
- Target: 000000000009000000.exe
- Size: 2.0MB
- MD5: 461c2f7a18021fc7dacfc9b56a0e7f23
- SHA1: beb1a5817802137d5a59aa901670a87590a7b02c
- SHA256: 0d5b8fae3f5a14d0cccf3e1390d1d1bb8e7a5f09a34d77a7239a359cff80404e
- SHA512: 4ec980338e4c2cc3a71cb8a6a663682e5aa595b0aebabb040ae72cc4c00d7c970b8f9acb9e189e9da67ef27163309f72f2e1cfbd0a73e9ac6bda3f61528e83fb
Malware Config
Signatures
- Snake Keylogger
  Keylogger and Infostealer first seen in November 2020.
- Snake Keylogger Payload (1 IoC)
  resource                                                                      yara_rule
  behavioral1/memory/1648-7-0x0000000000400000-0x000000000046A000-memory.dmp   family_snakekeylogger
- Looks up external IP address via web service (3 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow   ioc
  10     freegeoip.app
  11     freegeoip.app
  5      checkip.dyndns.org
- Suspicious use of SetThreadContext (1 IoC)
  Process: 000000000009000000.exe
  description                            pid    process                  target process
  PID 1832 set thread context of 1648    1832   000000000009000000.exe   MSBuild.exe
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  Process: MSBuild.exe
  pid    process
  1648   MSBuild.exe
- Suspicious behavior: MapViewOfSection (2 IoCs)
  Process: 000000000009000000.exe
  pid    process
  1832   000000000009000000.exe
  1832   000000000009000000.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Process: MSBuild.exe
  description                 pid    process
  Token: SeDebugPrivilege     1648   MSBuild.exe
- Suspicious use of FindShellTrayWindow (3 IoCs)
  Process: 000000000009000000.exe
  pid    process
  1832   000000000009000000.exe
  1832   000000000009000000.exe
  1832   000000000009000000.exe
- Suspicious use of SendNotifyMessage (3 IoCs)
  Process: 000000000009000000.exe
  pid    process
  1832   000000000009000000.exe
  1832   000000000009000000.exe
  1832   000000000009000000.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  Process: 000000000009000000.exe
  description                          pid    process                  target process
  PID 1832 wrote to memory of 1748     1832   000000000009000000.exe   MSBuild.exe
  PID 1832 wrote to memory of 1748     1832   000000000009000000.exe   MSBuild.exe
  PID 1832 wrote to memory of 1748     1832   000000000009000000.exe   MSBuild.exe
  PID 1832 wrote to memory of 1748     1832   000000000009000000.exe   MSBuild.exe
  PID 1832 wrote to memory of 1648     1832   000000000009000000.exe   MSBuild.exe
  PID 1832 wrote to memory of 1648     1832   000000000009000000.exe   MSBuild.exe
  PID 1832 wrote to memory of 1648     1832   000000000009000000.exe   MSBuild.exe
  PID 1832 wrote to memory of 1648     1832   000000000009000000.exe   MSBuild.exe
  PID 1832 wrote to memory of 1648     1832   000000000009000000.exe   MSBuild.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\000000000009000000.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\000000000009000000.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe (depth 2)
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe (depth 2)
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix
Downloads
- memory/1648-3-0x00000000004643BE-mapping.dmp
- memory/1648-4-0x0000000073980000-0x000000007406E000-memory.dmp (Filesize: 6.9MB)
- memory/1648-7-0x0000000000400000-0x000000000046A000-memory.dmp (Filesize: 424KB)
- memory/1648-9-0x0000000004D80000-0x0000000004D81000-memory.dmp (Filesize: 4KB)
- memory/1832-2-0x0000000075DE1000-0x0000000075DE3000-memory.dmp (Filesize: 8KB)
- memory/1832-5-0x00000000026E0000-0x0000000002743000-memory.dmp (Filesize: 396KB)
- memory/1832-6-0x00000000001A0000-0x00000000001A3000-memory.dmp (Filesize: 12KB)