Analysis
- max time kernel: 107s
- max time network: 150s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 19-01-2021 12:04

Static task: static1

Behavioral task: behavioral1
- Sample: INV0009876.exe
- Resource: win7v20201028

Behavioral task: behavioral2
- Sample: INV0009876.exe
- Resource: win10v20201028
General
- Target: INV0009876.exe
- Size: 666KB
- MD5: 2f7ea13f989e231b54104840f0ca91ce
- SHA1: 69e1a342cfaed1eaf5e3daa0427a3715be32c967
- SHA256: 3bea531a02c14fe09f631ee0f957d12bbf07085c666ee0c5f05de926e88d40c8
- SHA512: 8abee6f0b36140e1404279d8a3e71c8bce5e2168cdc2f128349e439e95860d5ccaf1905bc585d6a0fd51d050a56ebfb6819f9836ac6422281ed5dab6cd410fd3
Malware Config
Signatures
- Snake Keylogger
  Keylogger and Infostealer first seen in November 2020.
- Snake Keylogger Payload (2 IoCs)
  Processes (resource / yara_rule):
    behavioral2/memory/2664-12-0x0000000000400000-0x000000000046A000-memory.dmp  family_snakekeylogger
    behavioral2/memory/2664-13-0x000000000046412E-mapping.dmp                     family_snakekeylogger
- Looks up external IP address via web service (3 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes (flow / ioc):
    11  checkip.dyndns.org
    14  freegeoip.app
    15  freegeoip.app
- Suspicious use of SetThreadContext (1 IoC)
  Processes (description / pid / process / target process):
    PID 496 set thread context of 2664  496  INV0009876.exe  RegAsm.exe
- Program crash (1 IoC)
  Processes (pid / pid_target / process / target process):
    3100  496  WerFault.exe  INV0009876.exe
- Suspicious behavior: EnumeratesProcesses (15 IoCs)
  Processes (pid / process):
    2664  RegAsm.exe
    3100  WerFault.exe  (14 identical entries)
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  Processes (description / pid / process):
    Token: SeDebugPrivilege    2664  RegAsm.exe
    Token: SeRestorePrivilege  3100  WerFault.exe
    Token: SeBackupPrivilege   3100  WerFault.exe
    Token: SeDebugPrivilege    3100  WerFault.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes (description / pid / process / target process):
    PID 496 wrote to memory of 2664  496  INV0009876.exe  RegAsm.exe  (8 identical entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\INV0009876.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\INV0009876.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 496 -s 1176
    - Program crash
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix
Downloads
- memory/496-11-0x0000000005840000-0x0000000005841000-memory.dmp  Filesize: 4KB
- memory/496-9-0x00000000057A0000-0x00000000057A1000-memory.dmp  Filesize: 4KB
- memory/496-5-0x0000000005A20000-0x0000000005A21000-memory.dmp  Filesize: 4KB
- memory/496-6-0x00000000055C0000-0x00000000055C1000-memory.dmp  Filesize: 4KB
- memory/496-2-0x0000000073360000-0x0000000073A4E000-memory.dmp  Filesize: 6.9MB
- memory/496-8-0x0000000005F20000-0x0000000005F21000-memory.dmp  Filesize: 4KB
- memory/496-3-0x0000000000C70000-0x0000000000C71000-memory.dmp  Filesize: 4KB
- memory/496-10-0x00000000055A0000-0x00000000055AF000-memory.dmp  Filesize: 60KB
- memory/496-7-0x0000000005660000-0x00000000056F1000-memory.dmp  Filesize: 580KB
- memory/496-19-0x0000000005790000-0x0000000005791000-memory.dmp  Filesize: 4KB
- memory/2664-13-0x000000000046412E-mapping.dmp
- memory/2664-14-0x0000000073360000-0x0000000073A4E000-memory.dmp  Filesize: 6.9MB
- memory/2664-12-0x0000000000400000-0x000000000046A000-memory.dmp  Filesize: 424KB
- memory/2664-20-0x0000000005380000-0x0000000005381000-memory.dmp  Filesize: 4KB
- memory/2664-22-0x0000000006230000-0x0000000006231000-memory.dmp  Filesize: 4KB
- memory/3100-21-0x0000000004A60000-0x0000000004A61000-memory.dmp  Filesize: 4KB