Overview

overview

10

Static

static

0009099889000.exe

windows7_x64

10

0009099889000.exe

windows10_x64

10

Analysis

  • max time kernel
    18s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7v20201028
  • submitted
    19-01-2021 07:58

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    0009099889000.exe

  • Size

    669KB

  • MD5

    edab703ee29783721ea20698a5b612a0

  • SHA1

    64bb591072817159806aea7c850a2f63527138ea

  • SHA256

    9acf2d500081ec8152e15e994cd78b6bc7ac0b5bc812cd92e091a9b49d619cbb

  • SHA512

    0b31f7945823a3efb641db5f087849ef0e1113fd5a4e67b1b080d1b201cc863de8d0ec3471bf1dfe01da00256b3ebbf5fee9f299cdddb9c1df1b732344c9baf1

Score
10/10
snakekeyloggerkeyloggerstealer

Malware Config

Signatures

  • Snake Keylogger

    Keylogger and Infostealer first seen in November 2020.

    stealerkeyloggersnakekeylogger
  • Snake Keylogger Payload 3 IoCs
  • Drops startup file 2 IoCs
  • Looks up external IP address via web service 3 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0009099889000.exe
    "C:\Users\Admin\AppData\Local\Temp\0009099889000.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:324
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe
      "Powershell.exe" -ExecutionPolicy Bypass -command Copy-Item 'C:\Users\Admin\AppData\Local\Temp\0009099889000.exe' 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\I$s#$lT3ssl.exe'
      2⤵
      • Drops startup file
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1776
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1456
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 324 -s 664
      2⤵
      • Program crash
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1600

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/324-2-0x0000000074DA0000-0x000000007548E000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/324-3-0x0000000000960000-0x0000000000961000-memory.dmp
    Filesize

    4KB

    Download
  • memory/324-5-0x0000000004B50000-0x0000000004BE1000-memory.dmp
    Filesize

    580KB

    Download
  • memory/324-6-0x0000000001FC0000-0x0000000001FC1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/324-12-0x0000000000370000-0x000000000037F000-memory.dmp
    Filesize

    60KB

    Download
  • memory/1456-18-0x0000000000400000-0x000000000046A000-memory.dmp
    Filesize

    424KB

    Download
  • memory/1456-21-0x0000000001330000-0x0000000001331000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1456-13-0x0000000000400000-0x000000000046A000-memory.dmp
    Filesize

    424KB

    Download
  • memory/1456-14-0x00000000004643BE-mapping.dmp
    Download
  • memory/1456-15-0x0000000074DA0000-0x000000007548E000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/1600-42-0x0000000000270000-0x0000000000271000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1600-41-0x00000000021A0000-0x00000000021B1000-memory.dmp
    Filesize

    68KB

    Download
  • memory/1600-40-0x0000000000000000-mapping.dmp
    Download
  • memory/1776-9-0x0000000074DA0000-0x000000007548E000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/1776-30-0x000000007EF30000-0x000000007EF31000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1776-16-0x0000000004910000-0x0000000004911000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1776-20-0x0000000004750000-0x0000000004751000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1776-11-0x0000000004950000-0x0000000004951000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1776-22-0x0000000005240000-0x0000000005241000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1776-25-0x0000000006030000-0x0000000006031000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1776-17-0x0000000004912000-0x0000000004913000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1776-31-0x0000000006080000-0x0000000006081000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1776-32-0x0000000006170000-0x0000000006171000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1776-39-0x0000000006280000-0x0000000006281000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1776-10-0x0000000002190000-0x0000000002191000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1776-8-0x00000000766C1000-0x00000000766C3000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1776-7-0x0000000000000000-mapping.dmp
    Download