Analysis
-
max time kernel
144s -
max time network
146s -
platform
windows10_x64 -
resource
win10v20201028 -
submitted
19-01-2021 06:39
Static task
static1
Behavioral task
behavioral1
Sample
Zz92XfcijKVXcny.exe
Resource
win7v20201028
Behavioral task
behavioral2
Sample
Zz92XfcijKVXcny.exe
Resource
win10v20201028
General
-
Target
Zz92XfcijKVXcny.exe
-
Size
1.4MB
-
MD5
bfcd8470a0944381db7660977261f9db
-
SHA1
44c413af5e0479fabb0486151cc6d2bdff33de6a
-
SHA256
ed8596ea2c9c957127281b2a4380c20f6ef825a4f6f0814094975c66bc5ebec1
-
SHA512
e336045d1a8247385d073205fdce676cdac5593af2b6003c8a7b828bf2e2a3eda61da439574721d55cd63b942982278af3c05e78f0d1cd7df388f9134497d45d
Malware Config
Signatures
-
Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
-
Snake Keylogger Payload 2 IoCs
Processes:
resource yara_rule behavioral2/memory/2344-15-0x0000000000400000-0x000000000046A000-memory.dmp family_snakekeylogger behavioral2/memory/2344-16-0x000000000046573E-mapping.dmp family_snakekeylogger -
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 16 checkip.dyndns.org 19 freegeoip.app 20 freegeoip.app -
Suspicious use of SetThreadContext 1 IoCs
Processes:
Zz92XfcijKVXcny.exedescription pid process target process PID 3108 set thread context of 2344 3108 Zz92XfcijKVXcny.exe Zz92XfcijKVXcny.exe -
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 11 IoCs
Processes:
Zz92XfcijKVXcny.exeZz92XfcijKVXcny.exepid process 3108 Zz92XfcijKVXcny.exe 3108 Zz92XfcijKVXcny.exe 3108 Zz92XfcijKVXcny.exe 2344 Zz92XfcijKVXcny.exe 2344 Zz92XfcijKVXcny.exe 2344 Zz92XfcijKVXcny.exe 2344 Zz92XfcijKVXcny.exe 2344 Zz92XfcijKVXcny.exe 2344 Zz92XfcijKVXcny.exe 2344 Zz92XfcijKVXcny.exe 2344 Zz92XfcijKVXcny.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
Zz92XfcijKVXcny.exeZz92XfcijKVXcny.exedescription pid process Token: SeDebugPrivilege 3108 Zz92XfcijKVXcny.exe Token: SeDebugPrivilege 2344 Zz92XfcijKVXcny.exe -
Suspicious use of WriteProcessMemory 11 IoCs
Processes:
Zz92XfcijKVXcny.exedescription pid process target process PID 3108 wrote to memory of 4000 3108 Zz92XfcijKVXcny.exe schtasks.exe PID 3108 wrote to memory of 4000 3108 Zz92XfcijKVXcny.exe schtasks.exe PID 3108 wrote to memory of 4000 3108 Zz92XfcijKVXcny.exe schtasks.exe PID 3108 wrote to memory of 2344 3108 Zz92XfcijKVXcny.exe Zz92XfcijKVXcny.exe PID 3108 wrote to memory of 2344 3108 Zz92XfcijKVXcny.exe Zz92XfcijKVXcny.exe PID 3108 wrote to memory of 2344 3108 Zz92XfcijKVXcny.exe Zz92XfcijKVXcny.exe PID 3108 wrote to memory of 2344 3108 Zz92XfcijKVXcny.exe Zz92XfcijKVXcny.exe PID 3108 wrote to memory of 2344 3108 Zz92XfcijKVXcny.exe Zz92XfcijKVXcny.exe PID 3108 wrote to memory of 2344 3108 Zz92XfcijKVXcny.exe Zz92XfcijKVXcny.exe PID 3108 wrote to memory of 2344 3108 Zz92XfcijKVXcny.exe Zz92XfcijKVXcny.exe PID 3108 wrote to memory of 2344 3108 Zz92XfcijKVXcny.exe Zz92XfcijKVXcny.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\Zz92XfcijKVXcny.exe"C:\Users\Admin\AppData\Local\Temp\Zz92XfcijKVXcny.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\xHfHWx" /XML "C:\Users\Admin\AppData\Local\Temp\tmpE16D.tmp"2⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Local\Temp\Zz92XfcijKVXcny.exe"{path}"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Zz92XfcijKVXcny.exe.logMD5
b4f7a6a57cb46d94b72410eb6a6d45a9
SHA169f3596ffa027202d391444b769ceea0ae14c5f7
SHA25623994ebe221a48ea16ebad51ae0d4b47ccd415ae10581f9405e588d4f6c2523b
SHA512be6da516e54c3a5b33ac2603137a2f8cf8445ff5961dd266faedf3627bae8979953d7ef305538df0151c609917a5b99bf5d023bdd32de50fd5c723950f90db5c
-
C:\Users\Admin\AppData\Local\Temp\tmpE16D.tmpMD5
604a681dc3f2fbce3c5c53922d8c0a37
SHA121b6632107049deaf059ad4018bedc54c78ac802
SHA256d7f8292013c2920107f68bc7f50f4ad7db9bcac8898819de14b23316e0ea93c0
SHA51249a838a7247b8e90d4a5f5b60e0f39a2866f2b534312a3c2b3c0529ae033df79160ad97735ce348e2e97b8c9884621508927f8dd7cc8ccecb4997bb1282b4c53
-
memory/2344-24-0x0000000006470000-0x0000000006471000-memory.dmpFilesize
4KB
-
memory/2344-23-0x0000000005250000-0x0000000005251000-memory.dmpFilesize
4KB
-
memory/2344-18-0x00000000739A0000-0x000000007408E000-memory.dmpFilesize
6.9MB
-
memory/2344-16-0x000000000046573E-mapping.dmp
-
memory/2344-15-0x0000000000400000-0x000000000046A000-memory.dmpFilesize
424KB
-
memory/3108-7-0x000000000A660000-0x000000000A661000-memory.dmpFilesize
4KB
-
memory/3108-11-0x0000000004F40000-0x0000000004FD3000-memory.dmpFilesize
588KB
-
memory/3108-12-0x0000000005090000-0x0000000005091000-memory.dmpFilesize
4KB
-
memory/3108-10-0x000000000A950000-0x000000000A95E000-memory.dmpFilesize
56KB
-
memory/3108-9-0x000000000A610000-0x000000000A611000-memory.dmpFilesize
4KB
-
memory/3108-8-0x0000000004E20000-0x0000000004E21000-memory.dmpFilesize
4KB
-
memory/3108-2-0x00000000739A0000-0x000000007408E000-memory.dmpFilesize
6.9MB
-
memory/3108-6-0x000000000A9C0000-0x000000000A9C1000-memory.dmpFilesize
4KB
-
memory/3108-5-0x0000000004D40000-0x0000000004DC1000-memory.dmpFilesize
516KB
-
memory/3108-3-0x0000000000310000-0x0000000000311000-memory.dmpFilesize
4KB
-
memory/4000-13-0x0000000000000000-mapping.dmp