Analysis
- max time kernel: 37s
- max time network: 103s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 27-01-2021 14:28

Static task: static1
Behavioral task: behavioral1
  Sample: Due Invoices for 2020.exe
  Resource: win7v20201028
Behavioral task: behavioral2
  Sample: Due Invoices for 2020.exe
  Resource: win10v20201028
General
- Target: Due Invoices for 2020.exe
- Size: 739KB
- MD5: e93485dbb2ff29e594629293f850914f
- SHA1: 2c79c97cbf9fcb3e1859f4d89b1d0c8e26e03822
- SHA256: 0b32f0d8ef0ef999d370afa5a8d00a176c5335ccc69ea4370a20df9ee14616ef
- SHA512: 3b040a07bce553390de45342a711449771e65b25e6d7acf55daf01134b9b2e0fcc56dd5f9621dc422f8b5a1096fc45c71540610fd761ec32bedf0b5f710d3b15
Malware Config
Signatures
- Snake Keylogger
  Keylogger and Infostealer first seen in November 2020.
- Snake Keylogger Payload (2 IoCs)
  Processes:
    resource                                                                    yara_rule
    behavioral2/memory/680-5-0x0000000000400000-0x000000000046A000-memory.dmp  family_snakekeylogger
    behavioral2/memory/680-6-0x00000000004642CE-mapping.dmp                     family_snakekeylogger
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of SetThreadContext (1 IoCs)
  Processes:
    description                         pid   process                    target process
    PID 4816 set thread context of 680  4816  Due Invoices for 2020.exe  RegSvcs.exe
- Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses (3 IoCs)
  Processes:
    pid   process
    4816  Due Invoices for 2020.exe
    724   dw20.exe
    724   dw20.exe
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes:
    description                pid   process
    Token: SeDebugPrivilege    4816  Due Invoices for 2020.exe
    Token: SeRestorePrivilege  724   dw20.exe
    Token: SeBackupPrivilege   724   dw20.exe
- Suspicious use of WriteProcessMemory (14 IoCs)
  Processes:
    description                      pid   process                    target process
    PID 4816 wrote to memory of 64   4816  Due Invoices for 2020.exe  schtasks.exe
    PID 4816 wrote to memory of 64   4816  Due Invoices for 2020.exe  schtasks.exe
    PID 4816 wrote to memory of 64   4816  Due Invoices for 2020.exe  schtasks.exe
    PID 4816 wrote to memory of 680  4816  Due Invoices for 2020.exe  RegSvcs.exe
    PID 4816 wrote to memory of 680  4816  Due Invoices for 2020.exe  RegSvcs.exe
    PID 4816 wrote to memory of 680  4816  Due Invoices for 2020.exe  RegSvcs.exe
    PID 4816 wrote to memory of 680  4816  Due Invoices for 2020.exe  RegSvcs.exe
    PID 4816 wrote to memory of 680  4816  Due Invoices for 2020.exe  RegSvcs.exe
    PID 4816 wrote to memory of 680  4816  Due Invoices for 2020.exe  RegSvcs.exe
    PID 4816 wrote to memory of 680  4816  Due Invoices for 2020.exe  RegSvcs.exe
    PID 4816 wrote to memory of 680  4816  Due Invoices for 2020.exe  RegSvcs.exe
    PID 680 wrote to memory of 724   680   RegSvcs.exe                dw20.exe
    PID 680 wrote to memory of 724   680   RegSvcs.exe                dw20.exe
    PID 680 wrote to memory of 724   680   RegSvcs.exe                dw20.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\Due Invoices for 2020.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Due Invoices for 2020.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\PavFVDcpLRPN" /XML "C:\Users\Admin\AppData\Local\Temp\tmpF18A.tmp"
    - Creates scheduled task(s)
  - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
    Command line: "{path}"
    - Suspicious use of WriteProcessMemory
    - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      Command line: dw20.exe -x -s 692
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmpF18A.tmp
  MD5: dfbd09ffb5cbf59403f615cad764eb66
  SHA1: 4a28daccae643c65ffcc5cb4e1a4e8c61f708dcb
  SHA256: c8a95e2a08dd4e3b8f0a46bb426d1873f388b59328652e2e7162f6a2eddc79f2
  SHA512: 895109ac9aec03050dbb416b77badbdbe9703f625e0fbb61d35792b8993282c8e6ae08a0c455e693a6fcfa4564926f2469dac8fe1ead3fd534fd1973cc996d02
- memory/64-3-0x0000000000000000-mapping.dmp
- memory/680-5-0x0000000000400000-0x000000000046A000-memory.dmp (Filesize: 424KB)
- memory/680-6-0x00000000004642CE-mapping.dmp
- memory/680-10-0x0000000000DC0000-0x0000000000DC1000-memory.dmp (Filesize: 4KB)
- memory/724-7-0x0000000000000000-mapping.dmp
- memory/724-8-0x0000000002510000-0x0000000002511000-memory.dmp (Filesize: 4KB)
- memory/724-9-0x0000000002A00000-0x0000000002A01000-memory.dmp (Filesize: 4KB)
- memory/4816-2-0x00000000011D0000-0x00000000011D1000-memory.dmp (Filesize: 4KB)