snakekeylogger | a8f2984d5f05f009985afc0368ed1203380b3df4676996140a57011365108aac

General

Target

INVOICE-099990.exe
Size

600KB
MD5

0a73075a58f055c2af0403ee35887b65
SHA1

c1b30a2d00436ff430153a80adf64b0c0005d774
SHA256

a8f2984d5f05f009985afc0368ed1203380b3df4676996140a57011365108aac
SHA512

59e8af8503822bb5ef0d04ada0a1d0b3c08f5cc74878d64e26457db2757e759dc47ff8329e2612d610ac2fc35fd6fb57435620b74733e8a565f7b20f24201cb1

Score

10^/10

snakekeylogger keylogger ransomware stealer

Malware Config

Signatures

Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
stealer keylogger snakekeylogger

Snake Keylogger Payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3976-6-0x0000000000400000-0x000000000046A000-memory.dmp	family_snakekeylogger

Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

11 checkip.dyndns.org
14 freegeoip.app
15 freegeoip.app
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
ransomware

System Information Discovery
T1082
Suspicious use of SetThreadContext 1 IoCs

Processes:

INVOICE-099990.exe

description pid process target process

PID 3152 set thread context of 3976 3152 INVOICE-099990.exe MSBuild.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

3884 schtasks.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

MSBuild.exe

pid process

3976 MSBuild.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

INVOICE-099990.exe

pid process

3152 INVOICE-099990.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

MSBuild.exe

description pid process

Token: SeDebugPrivilege 3976 MSBuild.exe

flow	ioc
11	checkip.dyndns.org
14	freegeoip.app
15	freegeoip.app

description	pid	process	target process
PID 3152 set thread context of 3976	3152	INVOICE-099990.exe	MSBuild.exe

pid	process
3884	schtasks.exe

pid	process
3976	MSBuild.exe

pid	process
3152	INVOICE-099990.exe

description	pid	process
Token: SeDebugPrivilege	3976	MSBuild.exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

INVOICE-099990.execmd.exe

description	pid	process	target process
PID 3152 wrote to memory of 2704	3152	INVOICE-099990.exe	cmd.exe
PID 3152 wrote to memory of 2704	3152	INVOICE-099990.exe	cmd.exe
PID 3152 wrote to memory of 2704	3152	INVOICE-099990.exe	cmd.exe
PID 3152 wrote to memory of 3976	3152	INVOICE-099990.exe	MSBuild.exe
PID 3152 wrote to memory of 3976	3152	INVOICE-099990.exe	MSBuild.exe
PID 3152 wrote to memory of 3976	3152	INVOICE-099990.exe	MSBuild.exe
PID 3152 wrote to memory of 3976	3152	INVOICE-099990.exe	MSBuild.exe
PID 2704 wrote to memory of 3884	2704	cmd.exe	schtasks.exe
PID 2704 wrote to memory of 3884	2704	cmd.exe	schtasks.exe
PID 2704 wrote to memory of 3884	2704	cmd.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\INVOICE-099990.exe
"C:\Users\Admin\AppData\Local\Temp\INVOICE-099990.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:3152

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /Create /TN name /XML "C:\Users\Admin\AppData\Local\Temp\00cff45d83b14c1088dbafa677647693.xml"
2⤵
- Suspicious use of WriteProcessMemory
PID:2704

C:\Windows\SysWOW64\schtasks.exe
schtasks /Create /TN name /XML "C:\Users\Admin\AppData\Local\Temp\00cff45d83b14c1088dbafa677647693.xml"
3⤵
- Creates scheduled task(s)
PID:3884

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Users\Admin\AppData\Local\Temp\INVOICE-099990.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3976

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\00cff45d83b14c1088dbafa677647693.xml
MD5
a36564afc14b3eb0849c01a3afdb9944

SHA1
4dcee9fae3fde4e46b08529bc0ba067150686f07

SHA256
9d4342f763c5d62a06f69aa6fdcb1caa376ff2f2c0972f36b487f73b4d221996

SHA512
782082aa36ae056734e90fc079c813dfef59420571a1b70cde4cf15eb6c870f85b2bfe0748ef4db9df3d010c08671bff744d78178ba75bf2ba02b665f044ae89

Download Submit
memory/2704-2-0x0000000000000000-mapping.dmp

Download
memory/3884-5-0x0000000000000000-mapping.dmp

Download
memory/3976-3-0x00000000004643BE-mapping.dmp

Download
memory/3976-4-0x0000000072980000-0x000000007306E000-memory.dmp

Filesize
6.9MB

Download
memory/3976-6-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/3976-9-0x0000000005CB0000-0x0000000005CB1000-memory.dmp

Filesize
4KB

Download
memory/3976-10-0x0000000005850000-0x0000000005851000-memory.dmp

Filesize
4KB

Download
memory/3976-11-0x00000000059A0000-0x00000000059A1000-memory.dmp

Filesize
4KB

Download
memory/3976-12-0x0000000006940000-0x0000000006941000-memory.dmp

Filesize
4KB

Download
memory/3976-13-0x0000000006B10000-0x0000000006B11000-memory.dmp

Filesize
4KB

Download
memory/3976-14-0x00000000068A0000-0x00000000068A1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads