snakekeylogger | 207942189e81358c6fb92ad355747146ffa7465ba8563b178bdc6f57ae4e0afb

General

Target

Pick-Up Schedule.com.exe
Size

751KB
MD5

d0d5e54bec67f0d0d382865d3cc7c688
SHA1

b6eeb227349d15fd64ec30fc3888c2cc90b8fc13
SHA256

207942189e81358c6fb92ad355747146ffa7465ba8563b178bdc6f57ae4e0afb
SHA512

bb015d52d51de322ea07a34f772c79cb8af3b3a7cf0db8ad5214e7e983e3041ddc89a683b791dded835688191087e59775353fa067416a4a9b75484bf9d56c4c

Score

10^/10

snakekeylogger keylogger ransomware stealer

Malware Config

Extracted

Credentials

Protocol: smtp
Host:
smtp.yandex.com
Port:
587
Username:
smt.treat@yandex.com
Password:
WyhjVTBX5hjrgu7

Signatures

Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
stealer keylogger snakekeylogger

Snake Keylogger Payload 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1784-14-0x0000000000400000-0x000000000046A000-memory.dmp	family_snakekeylogger
behavioral1/memory/1784-15-0x000000000046463E-mapping.dmp	family_snakekeylogger
behavioral1/memory/1784-21-0x0000000000400000-0x000000000046A000-memory.dmp	family_snakekeylogger

Drops startup file 2 IoCs

Processes:

Powershell.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\I$s#$lT3ssl.exe	Powershell.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\I$s#$lT3ssl.exe	Powershell.exe

Loads dropped DLL 5 IoCs

Processes:

WerFault.exe

pid process

1680 WerFault.exe
1680 WerFault.exe
1680 WerFault.exe
1680 WerFault.exe
1680 WerFault.exe
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

15 freegeoip.app
4 checkip.dyndns.org
14 freegeoip.app
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
ransomware

System Information Discovery
T1082
Suspicious use of SetThreadContext 1 IoCs

Processes:

Pick-Up Schedule.com.exe

description pid process target process

PID 776 set thread context of 1784 776 Pick-Up Schedule.com.exe RegAsm.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1680 776 WerFault.exe Pick-Up Schedule.com.exe

pid	process
1680	WerFault.exe
1680	WerFault.exe
1680	WerFault.exe
1680	WerFault.exe
1680	WerFault.exe

flow	ioc
15	freegeoip.app
4	checkip.dyndns.org
14	freegeoip.app

description	pid	process	target process
PID 776 set thread context of 1784	776	Pick-Up Schedule.com.exe	RegAsm.exe

pid	pid_target	process	target process
1680	776	WerFault.exe	Pick-Up Schedule.com.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

Powershell.exePick-Up Schedule.com.exeRegAsm.exeWerFault.exe

pid	process
1976	Powershell.exe
776	Pick-Up Schedule.com.exe
776	Pick-Up Schedule.com.exe
1784	RegAsm.exe
1976	Powershell.exe
1680	WerFault.exe
1680	WerFault.exe
1680	WerFault.exe
1680	WerFault.exe
1680	WerFault.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

WerFault.exe

pid process

1680 WerFault.exe

pid	process
1680	WerFault.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

Powershell.exePick-Up Schedule.com.exeRegAsm.exeWerFault.exe

description	pid	process
Token: SeDebugPrivilege	1976	Powershell.exe
Token: SeDebugPrivilege	776	Pick-Up Schedule.com.exe
Token: SeDebugPrivilege	1784	RegAsm.exe
Token: SeDebugPrivilege	1680	WerFault.exe

Suspicious use of WriteProcessMemory 27 IoCs

Processes:

Pick-Up Schedule.com.exe

description	pid	process	target process
PID 776 wrote to memory of 1976	776	Pick-Up Schedule.com.exe	Powershell.exe
PID 776 wrote to memory of 1976	776	Pick-Up Schedule.com.exe	Powershell.exe
PID 776 wrote to memory of 1976	776	Pick-Up Schedule.com.exe	Powershell.exe
PID 776 wrote to memory of 1976	776	Pick-Up Schedule.com.exe	Powershell.exe
PID 776 wrote to memory of 1800	776	Pick-Up Schedule.com.exe	RegAsm.exe
PID 776 wrote to memory of 1800	776	Pick-Up Schedule.com.exe	RegAsm.exe
PID 776 wrote to memory of 1800	776	Pick-Up Schedule.com.exe	RegAsm.exe
PID 776 wrote to memory of 1800	776	Pick-Up Schedule.com.exe	RegAsm.exe
PID 776 wrote to memory of 1800	776	Pick-Up Schedule.com.exe	RegAsm.exe
PID 776 wrote to memory of 1800	776	Pick-Up Schedule.com.exe	RegAsm.exe
PID 776 wrote to memory of 1800	776	Pick-Up Schedule.com.exe	RegAsm.exe
PID 776 wrote to memory of 1784	776	Pick-Up Schedule.com.exe	RegAsm.exe
PID 776 wrote to memory of 1784	776	Pick-Up Schedule.com.exe	RegAsm.exe
PID 776 wrote to memory of 1784	776	Pick-Up Schedule.com.exe	RegAsm.exe
PID 776 wrote to memory of 1784	776	Pick-Up Schedule.com.exe	RegAsm.exe
PID 776 wrote to memory of 1784	776	Pick-Up Schedule.com.exe	RegAsm.exe
PID 776 wrote to memory of 1784	776	Pick-Up Schedule.com.exe	RegAsm.exe
PID 776 wrote to memory of 1784	776	Pick-Up Schedule.com.exe	RegAsm.exe
PID 776 wrote to memory of 1784	776	Pick-Up Schedule.com.exe	RegAsm.exe
PID 776 wrote to memory of 1784	776	Pick-Up Schedule.com.exe	RegAsm.exe
PID 776 wrote to memory of 1784	776	Pick-Up Schedule.com.exe	RegAsm.exe
PID 776 wrote to memory of 1784	776	Pick-Up Schedule.com.exe	RegAsm.exe
PID 776 wrote to memory of 1784	776	Pick-Up Schedule.com.exe	RegAsm.exe
PID 776 wrote to memory of 1680	776	Pick-Up Schedule.com.exe	WerFault.exe
PID 776 wrote to memory of 1680	776	Pick-Up Schedule.com.exe	WerFault.exe
PID 776 wrote to memory of 1680	776	Pick-Up Schedule.com.exe	WerFault.exe
PID 776 wrote to memory of 1680	776	Pick-Up Schedule.com.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\Pick-Up Schedule.com.exe
"C:\Users\Admin\AppData\Local\Temp\Pick-Up Schedule.com.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:776

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe
"Powershell.exe" -ExecutionPolicy Bypass -command Copy-Item 'C:\Users\Admin\AppData\Local\Temp\Pick-Up Schedule.com.exe' 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\I$s#$lT3ssl.exe'
2⤵
- Drops startup file
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1976

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
PID:1800

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1784

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 776 -s 1136
2⤵
- Loads dropped DLL
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:1680

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\Pick-Up Schedule.com.exe
MD5
d0d5e54bec67f0d0d382865d3cc7c688

SHA1
b6eeb227349d15fd64ec30fc3888c2cc90b8fc13

SHA256
207942189e81358c6fb92ad355747146ffa7465ba8563b178bdc6f57ae4e0afb

SHA512
bb015d52d51de322ea07a34f772c79cb8af3b3a7cf0db8ad5214e7e983e3041ddc89a683b791dded835688191087e59775353fa067416a4a9b75484bf9d56c4c

Download Submit
\Users\Admin\AppData\Local\Temp\Pick-Up Schedule.com.exe
MD5
d0d5e54bec67f0d0d382865d3cc7c688

SHA1
b6eeb227349d15fd64ec30fc3888c2cc90b8fc13

SHA256
207942189e81358c6fb92ad355747146ffa7465ba8563b178bdc6f57ae4e0afb

SHA512
bb015d52d51de322ea07a34f772c79cb8af3b3a7cf0db8ad5214e7e983e3041ddc89a683b791dded835688191087e59775353fa067416a4a9b75484bf9d56c4c

Download Submit
\Users\Admin\AppData\Local\Temp\Pick-Up Schedule.com.exe
MD5
d0d5e54bec67f0d0d382865d3cc7c688

SHA1
b6eeb227349d15fd64ec30fc3888c2cc90b8fc13

SHA256
207942189e81358c6fb92ad355747146ffa7465ba8563b178bdc6f57ae4e0afb

SHA512
bb015d52d51de322ea07a34f772c79cb8af3b3a7cf0db8ad5214e7e983e3041ddc89a683b791dded835688191087e59775353fa067416a4a9b75484bf9d56c4c

Download Submit
\Users\Admin\AppData\Local\Temp\Pick-Up Schedule.com.exe
MD5
d0d5e54bec67f0d0d382865d3cc7c688

SHA1
b6eeb227349d15fd64ec30fc3888c2cc90b8fc13

SHA256
207942189e81358c6fb92ad355747146ffa7465ba8563b178bdc6f57ae4e0afb

SHA512
bb015d52d51de322ea07a34f772c79cb8af3b3a7cf0db8ad5214e7e983e3041ddc89a683b791dded835688191087e59775353fa067416a4a9b75484bf9d56c4c

Download Submit
\Users\Admin\AppData\Local\Temp\Pick-Up Schedule.com.exe
MD5
d0d5e54bec67f0d0d382865d3cc7c688

SHA1
b6eeb227349d15fd64ec30fc3888c2cc90b8fc13

SHA256
207942189e81358c6fb92ad355747146ffa7465ba8563b178bdc6f57ae4e0afb

SHA512
bb015d52d51de322ea07a34f772c79cb8af3b3a7cf0db8ad5214e7e983e3041ddc89a683b791dded835688191087e59775353fa067416a4a9b75484bf9d56c4c

Download Submit
memory/776-13-0x00000000009A0000-0x00000000009AF000-memory.dmp

Filesize
60KB

Download
memory/776-19-0x0000000004EF6000-0x0000000004EF7000-memory.dmp

Filesize
4KB

Download
memory/776-9-0x0000000004EE5000-0x0000000004EF6000-memory.dmp

Filesize
68KB

Download
memory/776-2-0x0000000073D40000-0x000000007442E000-memory.dmp

Filesize
6.9MB

Download
memory/776-6-0x0000000005020000-0x0000000005096000-memory.dmp

Filesize
472KB

Download
memory/776-26-0x0000000000C90000-0x0000000000C91000-memory.dmp

Filesize
4KB

Download
memory/776-3-0x00000000012E0000-0x00000000012E1000-memory.dmp

Filesize
4KB

Download
memory/776-5-0x0000000004EE0000-0x0000000004EE1000-memory.dmp

Filesize
4KB

Download
memory/1680-51-0x0000000000300000-0x0000000000301000-memory.dmp

Filesize
4KB

Download
memory/1680-45-0x0000000001EB0000-0x0000000001EC1000-memory.dmp

Filesize
68KB

Download
memory/1680-44-0x0000000000000000-mapping.dmp

Download
memory/1784-15-0x000000000046463E-mapping.dmp

Download
memory/1784-14-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/1784-20-0x0000000073D40000-0x000000007442E000-memory.dmp

Filesize
6.9MB

Download
memory/1784-21-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/1784-25-0x0000000000E90000-0x0000000000E91000-memory.dmp

Filesize
4KB

Download
memory/1976-11-0x0000000000C60000-0x0000000000C61000-memory.dmp

Filesize
4KB

Download
memory/1976-29-0x0000000005FF0000-0x0000000005FF1000-memory.dmp

Filesize
4KB

Download
memory/1976-34-0x0000000006040000-0x0000000006041000-memory.dmp

Filesize
4KB

Download
memory/1976-35-0x0000000006180000-0x0000000006181000-memory.dmp

Filesize
4KB

Download
memory/1976-42-0x0000000006280000-0x0000000006281000-memory.dmp

Filesize
4KB

Download
memory/1976-43-0x000000007EF30000-0x000000007EF31000-memory.dmp

Filesize
4KB

Download
memory/1976-24-0x0000000005240000-0x0000000005241000-memory.dmp

Filesize
4KB

Download
memory/1976-23-0x00000000024D0000-0x00000000024D1000-memory.dmp

Filesize
4KB

Download
memory/1976-17-0x00000000027A0000-0x00000000027A1000-memory.dmp

Filesize
4KB

Download
memory/1976-18-0x00000000027A2000-0x00000000027A3000-memory.dmp

Filesize
4KB

Download
memory/1976-12-0x0000000004870000-0x0000000004871000-memory.dmp

Filesize
4KB

Download
memory/1976-10-0x0000000073D40000-0x000000007442E000-memory.dmp

Filesize
6.9MB

Download
memory/1976-8-0x0000000075C61000-0x0000000075C63000-memory.dmp

Filesize
8KB

Download
memory/1976-7-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads