Analysis
- max time kernel: 108s
- max time network: 109s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 18-01-2021 18:51
Static task: static1
Behavioral task: behavioral1
  Sample: 000000000009000000.exe
  Resource: win7v20201028
Behavioral task: behavioral2
  Sample: 000000000009000000.exe
  Resource: win10v20201028
General
- Target: 000000000009000000.exe
- Size: 2.0MB
- MD5: 461c2f7a18021fc7dacfc9b56a0e7f23
- SHA1: beb1a5817802137d5a59aa901670a87590a7b02c
- SHA256: 0d5b8fae3f5a14d0cccf3e1390d1d1bb8e7a5f09a34d77a7239a359cff80404e
- SHA512: 4ec980338e4c2cc3a71cb8a6a663682e5aa595b0aebabb040ae72cc4c00d7c970b8f9acb9e189e9da67ef27163309f72f2e1cfbd0a73e9ac6bda3f61528e83fb
Malware Config
Signatures
- Snake Keylogger
  Keylogger and Infostealer first seen in November 2020.
- Snake Keylogger Payload (1 IoC)
  Processes:
    resource:  behavioral2/memory/3628-6-0x0000000000400000-0x000000000046A000-memory.dmp
    yara_rule: family_snakekeylogger
- Looks up external IP address via web service (3 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes:
    flow  ioc
    10    checkip.dyndns.org
    13    freegeoip.app
    14    freegeoip.app
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
    PID 504 (000000000009000000.exe) set thread context of PID 3628 (MSBuild.exe)
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  Processes:
    pid 3628  MSBuild.exe
- Suspicious behavior: MapViewOfSection (1 IoC)
  Processes:
    pid 504  000000000009000000.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
    Token: SeDebugPrivilege  pid 3628  MSBuild.exe
- Suspicious use of FindShellTrayWindow (3 IoCs)
  Processes:
    pid 504  000000000009000000.exe
    pid 504  000000000009000000.exe
    pid 504  000000000009000000.exe
- Suspicious use of SendNotifyMessage (3 IoCs)
  Processes:
    pid 504  000000000009000000.exe
    pid 504  000000000009000000.exe
    pid 504  000000000009000000.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes:
    PID 504 (000000000009000000.exe) wrote to memory of PID 3628 (MSBuild.exe)
    PID 504 (000000000009000000.exe) wrote to memory of PID 3628 (MSBuild.exe)
    PID 504 (000000000009000000.exe) wrote to memory of PID 3628 (MSBuild.exe)
    PID 504 (000000000009000000.exe) wrote to memory of PID 3628 (MSBuild.exe)
Processes
1. C:\Users\Admin\AppData\Local\Temp\000000000009000000.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\000000000009000000.exe"
   - Suspicious use of SetThreadContext
   - Suspicious behavior: MapViewOfSection
   - Suspicious use of FindShellTrayWindow
   - Suspicious use of SendNotifyMessage
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe (child of process 1)
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix
Downloads
- memory/504-4-0x0000000003530000-0x0000000003593000-memory.dmp  Filesize: 396KB
- memory/504-5-0x0000000000BF0000-0x0000000000BF3000-memory.dmp  Filesize: 12KB
- memory/3628-2-0x00000000004643BE-mapping.dmp
- memory/3628-3-0x00000000736C0000-0x0000000073DAE000-memory.dmp  Filesize: 6.9MB
- memory/3628-6-0x0000000000400000-0x000000000046A000-memory.dmp  Filesize: 424KB
- memory/3628-8-0x00000000057E0000-0x00000000057E1000-memory.dmp  Filesize: 4KB
- memory/3628-9-0x0000000005380000-0x0000000005381000-memory.dmp  Filesize: 4KB
- memory/3628-10-0x0000000005270000-0x0000000005271000-memory.dmp  Filesize: 4KB
- memory/3628-11-0x00000000062B0000-0x00000000062B1000-memory.dmp  Filesize: 4KB
- memory/3628-12-0x0000000006480000-0x0000000006481000-memory.dmp  Filesize: 4KB
- memory/3628-13-0x00000000061F0000-0x00000000061F1000-memory.dmp  Filesize: 4KB