Analysis
- max time kernel: 14s
- max time network: 116s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 19-01-2021 12:04

Static task: static1

Behavioral task: behavioral1
  Sample: INV0009876.exe
  Resource: win7v20201028

Behavioral task: behavioral2
  Sample: INV0009876.exe
  Resource: win10v20201028
General
- Target: INV0009876.exe
- Size: 666KB
- MD5: 2f7ea13f989e231b54104840f0ca91ce
- SHA1: 69e1a342cfaed1eaf5e3daa0427a3715be32c967
- SHA256: 3bea531a02c14fe09f631ee0f957d12bbf07085c666ee0c5f05de926e88d40c8
- SHA512: 8abee6f0b36140e1404279d8a3e71c8bce5e2168cdc2f128349e439e95860d5ccaf1905bc585d6a0fd51d050a56ebfb6819f9836ac6422281ed5dab6cd410fd3
Malware Config
Signatures
- Snake Keylogger
  Keylogger and Infostealer first seen in November 2020.

- Snake Keylogger Payload (3 IoCs)
  Processes:
  resource                                                                      yara_rule
  behavioral1/memory/788-8-0x000000000046412E-mapping.dmp                      family_snakekeylogger
  behavioral1/memory/788-7-0x0000000000400000-0x000000000046A000-memory.dmp    family_snakekeylogger
  behavioral1/memory/788-11-0x0000000000400000-0x000000000046A000-memory.dmp   family_snakekeylogger

- Looks up external IP address via web service (3 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes:
  flow   ioc
  4      checkip.dyndns.org
  10     freegeoip.app
  11     freegeoip.app

- Suspicious use of SetThreadContext (1 IoC)
  Processes: INV0009876.exe
  description                          pid    process          target process
  PID 2028 set thread context of 788   2028   INV0009876.exe   RegAsm.exe

- Program crash (1 IoC)
  Processes: WerFault.exe
  pid    pid_target   process        target process
  1720   2028         WerFault.exe   INV0009876.exe

- Suspicious behavior: EnumeratesProcesses (6 IoCs)
  Processes: RegAsm.exe, WerFault.exe
  pid    process
  788    RegAsm.exe
  1720   WerFault.exe
  1720   WerFault.exe
  1720   WerFault.exe
  1720   WerFault.exe
  1720   WerFault.exe

- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes: RegAsm.exe, WerFault.exe
  description                pid    process
  Token: SeDebugPrivilege    788    RegAsm.exe
  Token: SeDebugPrivilege    1720   WerFault.exe

- Suspicious use of WriteProcessMemory (16 IoCs)
  Processes: INV0009876.exe
  description                        pid    process          target process
  PID 2028 wrote to memory of 788    2028   INV0009876.exe   RegAsm.exe
  PID 2028 wrote to memory of 788    2028   INV0009876.exe   RegAsm.exe
  PID 2028 wrote to memory of 788    2028   INV0009876.exe   RegAsm.exe
  PID 2028 wrote to memory of 788    2028   INV0009876.exe   RegAsm.exe
  PID 2028 wrote to memory of 788    2028   INV0009876.exe   RegAsm.exe
  PID 2028 wrote to memory of 788    2028   INV0009876.exe   RegAsm.exe
  PID 2028 wrote to memory of 788    2028   INV0009876.exe   RegAsm.exe
  PID 2028 wrote to memory of 788    2028   INV0009876.exe   RegAsm.exe
  PID 2028 wrote to memory of 788    2028   INV0009876.exe   RegAsm.exe
  PID 2028 wrote to memory of 788    2028   INV0009876.exe   RegAsm.exe
  PID 2028 wrote to memory of 788    2028   INV0009876.exe   RegAsm.exe
  PID 2028 wrote to memory of 788    2028   INV0009876.exe   RegAsm.exe
  PID 2028 wrote to memory of 1720   2028   INV0009876.exe   WerFault.exe
  PID 2028 wrote to memory of 1720   2028   INV0009876.exe   WerFault.exe
  PID 2028 wrote to memory of 1720   2028   INV0009876.exe   WerFault.exe
  PID 2028 wrote to memory of 1720   2028   INV0009876.exe   WerFault.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\INV0009876.exe
  "C:\Users\Admin\AppData\Local\Temp\INV0009876.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2028 -s 660
    - Program crash
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix
Downloads
- memory/788-14-0x0000000004990000-0x0000000004991000-memory.dmp (Filesize: 4KB)
- memory/788-8-0x000000000046412E-mapping.dmp
- memory/788-7-0x0000000000400000-0x000000000046A000-memory.dmp (Filesize: 424KB)
- memory/788-9-0x0000000075C31000-0x0000000075C33000-memory.dmp (Filesize: 8KB)
- memory/788-10-0x0000000074EE0000-0x00000000755CE000-memory.dmp (Filesize: 6.9MB)
- memory/788-11-0x0000000000400000-0x000000000046A000-memory.dmp (Filesize: 424KB)
- memory/1720-17-0x00000000007B0000-0x00000000007B1000-memory.dmp (Filesize: 4KB)
- memory/1720-16-0x0000000001ED0000-0x0000000001EE1000-memory.dmp (Filesize: 68KB)
- memory/1720-15-0x0000000000000000-mapping.dmp
- memory/2028-6-0x0000000000530000-0x000000000053F000-memory.dmp (Filesize: 60KB)
- memory/2028-13-0x0000000004D10000-0x0000000004D11000-memory.dmp (Filesize: 4KB)
- memory/2028-2-0x0000000074EE0000-0x00000000755CE000-memory.dmp (Filesize: 6.9MB)
- memory/2028-5-0x00000000007B0000-0x0000000000841000-memory.dmp (Filesize: 580KB)
- memory/2028-3-0x00000000001B0000-0x00000000001B1000-memory.dmp (Filesize: 4KB)