Analysis
- Max time kernel: 80s
- Max time network: 81s
- Platform: windows7_x64
- Resource: win7v20201028
- Submitted: 27-01-2021 14:28
- Static task: static1
- Behavioral task: behavioral1 (Sample: Due Invoices for 2020.exe; Resource: win7v20201028)
- Behavioral task: behavioral2 (Sample: Due Invoices for 2020.exe; Resource: win10v20201028)
General
- Target: Due Invoices for 2020.exe
- Size: 739KB
- MD5: e93485dbb2ff29e594629293f850914f
- SHA1: 2c79c97cbf9fcb3e1859f4d89b1d0c8e26e03822
- SHA256: 0b32f0d8ef0ef999d370afa5a8d00a176c5335ccc69ea4370a20df9ee14616ef
- SHA512: 3b040a07bce553390de45342a711449771e65b25e6d7acf55daf01134b9b2e0fcc56dd5f9621dc422f8b5a1096fc45c71540610fd761ec32bedf0b5f710d3b15
Signatures
- Snake Keylogger
  Keylogger and Infostealer first seen in November 2020.
- Snake Keylogger Payload (2 IoCs)
  Resource / YARA rule:
  - behavioral1/memory/860-7-0x0000000000400000-0x000000000046A000-memory.dmp: family_snakekeylogger
  - behavioral1/memory/860-8-0x00000000004642CE-mapping.dmp: family_snakekeylogger
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of SetThreadContext (1 IoCs)
  Processes:
  - PID 1080 (Due Invoices for 2020.exe) set thread context of PID 860 (RegSvcs.exe)
- Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious use of WriteProcessMemory (20 IoCs)
  Processes (source process wrote to memory of target process):
  - PID 1080 (Due Invoices for 2020.exe) wrote to memory of PID 1668 (schtasks.exe), 4 events
  - PID 1080 (Due Invoices for 2020.exe) wrote to memory of PID 860 (RegSvcs.exe), 12 events
  - PID 860 (RegSvcs.exe) wrote to memory of PID 780 (dw20.exe), 4 events
Processes
- Depth 1: C:\Users\Admin\AppData\Local\Temp\Due Invoices for 2020.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Due Invoices for 2020.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - Depth 2: C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\PavFVDcpLRPN" /XML "C:\Users\Admin\AppData\Local\Temp\tmpCC.tmp"
    - Creates scheduled task(s)
  - Depth 2: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
    Command line: "{path}"
    - Suspicious use of WriteProcessMemory
    - Depth 3: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      Command line: dw20.exe -x -s 388
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmpCC.tmp
  MD5: 73148305bfc25bd48d1766b5eb68dcf9
  SHA1: f48f15a932ac0206b3b1d0aff2ff0a6739e92c7d
  SHA256: 79700de3432554b465eecdc4ab8c650d05f0ed548455bce0e3d5d63c001404ea
  SHA512: b464a45357fdf27ffd90cca5c19a2576f4c243d3c3d1ecef1e64d2398cada2e31bbaa347a64f548a38cc802f655e7fce983a2933e6cb5b1187d6a9f2465673eb
- memory/780-10-0x0000000000000000-mapping.dmp
- memory/780-11-0x0000000001DE0000-0x0000000001DF1000-memory.dmp (Filesize: 68KB)
- memory/780-12-0x0000000002370000-0x0000000002381000-memory.dmp (Filesize: 68KB)
- memory/780-16-0x00000000023E0000-0x00000000023E1000-memory.dmp (Filesize: 4KB)
- memory/860-7-0x0000000000400000-0x000000000046A000-memory.dmp (Filesize: 424KB)
- memory/860-8-0x00000000004642CE-mapping.dmp
- memory/860-15-0x0000000002330000-0x0000000002331000-memory.dmp (Filesize: 4KB)
- memory/1080-2-0x0000000075571000-0x0000000075573000-memory.dmp (Filesize: 8KB)
- memory/1080-3-0x0000000000BE0000-0x0000000000BE1000-memory.dmp (Filesize: 4KB)
- memory/1080-4-0x0000000000BE1000-0x0000000000BE2000-memory.dmp (Filesize: 4KB)
- memory/1668-5-0x0000000000000000-mapping.dmp