snakekeylogger | 0b32f0d8ef0ef999d370afa5a8d00a176c5335ccc69ea4370a20df9ee14616ef

General

Target

Due Invoices for 2020.exe
Size

739KB
MD5

e93485dbb2ff29e594629293f850914f
SHA1

2c79c97cbf9fcb3e1859f4d89b1d0c8e26e03822
SHA256

0b32f0d8ef0ef999d370afa5a8d00a176c5335ccc69ea4370a20df9ee14616ef
SHA512

3b040a07bce553390de45342a711449771e65b25e6d7acf55daf01134b9b2e0fcc56dd5f9621dc422f8b5a1096fc45c71540610fd761ec32bedf0b5f710d3b15

Score

10^/10

snakekeylogger keylogger ransomware stealer

Malware Config

Signatures

Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
stealer keylogger snakekeylogger

Snake Keylogger Payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/680-5-0x0000000000400000-0x000000000046A000-memory.dmp	family_snakekeylogger
behavioral2/memory/680-6-0x00000000004642CE-mapping.dmp	family_snakekeylogger

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
ransomware

System Information Discovery
T1082
Suspicious use of SetThreadContext 1 IoCs

Processes:

Due Invoices for 2020.exe

description pid process target process

PID 4816 set thread context of 680 4816 Due Invoices for 2020.exe RegSvcs.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

64 schtasks.exe
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

Due Invoices for 2020.exedw20.exe

pid process

4816 Due Invoices for 2020.exe
724 dw20.exe
724 dw20.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

Due Invoices for 2020.exedw20.exe

description pid process

Token: SeDebugPrivilege 4816 Due Invoices for 2020.exe
Token: SeRestorePrivilege 724 dw20.exe
Token: SeBackupPrivilege 724 dw20.exe

description	pid	process	target process
PID 4816 set thread context of 680	4816	Due Invoices for 2020.exe	RegSvcs.exe

pid	process
64	schtasks.exe

pid	process
4816	Due Invoices for 2020.exe
724	dw20.exe
724	dw20.exe

description	pid	process
Token: SeDebugPrivilege	4816	Due Invoices for 2020.exe
Token: SeRestorePrivilege	724	dw20.exe
Token: SeBackupPrivilege	724	dw20.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

Due Invoices for 2020.exeRegSvcs.exe

description	pid	process	target process
PID 4816 wrote to memory of 64	4816	Due Invoices for 2020.exe	schtasks.exe
PID 4816 wrote to memory of 64	4816	Due Invoices for 2020.exe	schtasks.exe
PID 4816 wrote to memory of 64	4816	Due Invoices for 2020.exe	schtasks.exe
PID 4816 wrote to memory of 680	4816	Due Invoices for 2020.exe	RegSvcs.exe
PID 4816 wrote to memory of 680	4816	Due Invoices for 2020.exe	RegSvcs.exe
PID 4816 wrote to memory of 680	4816	Due Invoices for 2020.exe	RegSvcs.exe
PID 4816 wrote to memory of 680	4816	Due Invoices for 2020.exe	RegSvcs.exe
PID 4816 wrote to memory of 680	4816	Due Invoices for 2020.exe	RegSvcs.exe
PID 4816 wrote to memory of 680	4816	Due Invoices for 2020.exe	RegSvcs.exe
PID 4816 wrote to memory of 680	4816	Due Invoices for 2020.exe	RegSvcs.exe
PID 4816 wrote to memory of 680	4816	Due Invoices for 2020.exe	RegSvcs.exe
PID 680 wrote to memory of 724	680	RegSvcs.exe	dw20.exe
PID 680 wrote to memory of 724	680	RegSvcs.exe	dw20.exe
PID 680 wrote to memory of 724	680	RegSvcs.exe	dw20.exe

C:\Users\Admin\AppData\Local\Temp\Due Invoices for 2020.exe
"C:\Users\Admin\AppData\Local\Temp\Due Invoices for 2020.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4816

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\PavFVDcpLRPN" /XML "C:\Users\Admin\AppData\Local\Temp\tmpF18A.tmp"
2⤵
- Creates scheduled task(s)
PID:64

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
"{path}"
2⤵
- Suspicious use of WriteProcessMemory
PID:680

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 692
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:724

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpF18A.tmp
MD5
dfbd09ffb5cbf59403f615cad764eb66

SHA1
4a28daccae643c65ffcc5cb4e1a4e8c61f708dcb

SHA256
c8a95e2a08dd4e3b8f0a46bb426d1873f388b59328652e2e7162f6a2eddc79f2

SHA512
895109ac9aec03050dbb416b77badbdbe9703f625e0fbb61d35792b8993282c8e6ae08a0c455e693a6fcfa4564926f2469dac8fe1ead3fd534fd1973cc996d02

Download Submit
memory/64-3-0x0000000000000000-mapping.dmp

Download
memory/680-5-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/680-6-0x00000000004642CE-mapping.dmp

Download
memory/680-10-0x0000000000DC0000-0x0000000000DC1000-memory.dmp

Filesize
4KB

Download
memory/724-7-0x0000000000000000-mapping.dmp

Download
memory/724-8-0x0000000002510000-0x0000000002511000-memory.dmp

Filesize
4KB

Download
memory/724-9-0x0000000002A00000-0x0000000002A01000-memory.dmp

Filesize
4KB

Download
memory/4816-2-0x00000000011D0000-0x00000000011D1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads