Analysis

- max time kernel: 120s
- max time network: 119s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 29-01-2021 16:36

- Static task: static1
- Behavioral task: behavioral1
  - Sample: PURCHASE ORDER.exe
  - Resource: win7v20201028
- Behavioral task: behavioral2
  - Sample: PURCHASE ORDER.exe
  - Resource: win10v20201028
General

- Target: PURCHASE ORDER.exe
- Size: 576KB
- MD5: 38f6f05d0bff28a29420efaec6aeab43
- SHA1: d9e05a92b6edc27a491fced696eb77a7295510ab
- SHA256: 4b6f46c5f5f309d1e5de63307f5e7eed976a56e864f854e53afa6bb1dc671faf
- SHA512: f6a4c851d7e496bff2db898c9d5e3c3786f8f68960be963e1cd325ee3429124394e18ecfb4ab4de683ba66bd81618904f801cb591ca335b5755a41a3aaab0769
Malware Config

Signatures

- Snake Keylogger
  Keylogger and Infostealer first seen in November 2020.

- Snake Keylogger Payload (3 IoCs)
  Processes:
    resource                                                              yara_rule
    behavioral1/memory/1184-9-0x0000000000463E4E-mapping.dmp              family_snakekeylogger
    behavioral1/memory/1184-8-0x0000000000400000-0x0000000000468000-memory.dmp   family_snakekeylogger
    behavioral1/memory/1184-13-0x0000000000400000-0x0000000000468000-memory.dmp  family_snakekeylogger

- Beds Protector Packer (1 IoC)
  Detects Beds Protector packer used to load .NET malware.
  Processes:
    resource                                                              yara_rule
    behavioral1/memory/1728-5-0x0000000000AA0000-0x0000000000B2E000-memory.dmp   beds_protector

- Looks up external IP address via web service (3 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes:
    flow   ioc
    11     freegeoip.app
    12     freegeoip.app
    6      checkip.dyndns.org

- Suspicious use of SetThreadContext (1 IoC)
  Processes: PURCHASE ORDER.exe
    description                              pid   process             target process
    PID 1728 set thread context of 1184      1728  PURCHASE ORDER.exe  RegAsm.exe

- Suspicious behavior: EnumeratesProcesses (1 IoC)
  Processes: RegAsm.exe
    pid   process
    1184  RegAsm.exe

- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes: RegAsm.exe
    description              pid   process
    Token: SeDebugPrivilege  1184  RegAsm.exe

- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes: PURCHASE ORDER.exe
    description                          pid   process             target process
    PID 1728 wrote to memory of 1184     1728  PURCHASE ORDER.exe  RegAsm.exe
    PID 1728 wrote to memory of 1184     1728  PURCHASE ORDER.exe  RegAsm.exe
    PID 1728 wrote to memory of 1184     1728  PURCHASE ORDER.exe  RegAsm.exe
    PID 1728 wrote to memory of 1184     1728  PURCHASE ORDER.exe  RegAsm.exe
    PID 1728 wrote to memory of 1184     1728  PURCHASE ORDER.exe  RegAsm.exe
    PID 1728 wrote to memory of 1184     1728  PURCHASE ORDER.exe  RegAsm.exe
    PID 1728 wrote to memory of 1184     1728  PURCHASE ORDER.exe  RegAsm.exe
    PID 1728 wrote to memory of 1184     1728  PURCHASE ORDER.exe  RegAsm.exe
    PID 1728 wrote to memory of 1184     1728  PURCHASE ORDER.exe  RegAsm.exe
    PID 1728 wrote to memory of 1184     1728  PURCHASE ORDER.exe  RegAsm.exe
    PID 1728 wrote to memory of 1184     1728  PURCHASE ORDER.exe  RegAsm.exe
    PID 1728 wrote to memory of 1184     1728  PURCHASE ORDER.exe  RegAsm.exe
Processes

- C:\Users\Admin\AppData\Local\Temp\PURCHASE ORDER.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\PURCHASE ORDER.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe (child process)
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix
Downloads

- memory/1184-9-0x0000000000463E4E-mapping.dmp
- memory/1184-8-0x0000000000400000-0x0000000000468000-memory.dmp (Filesize: 416KB)
- memory/1184-11-0x0000000075AE1000-0x0000000075AE3000-memory.dmp (Filesize: 8KB)
- memory/1184-12-0x0000000074120000-0x000000007480E000-memory.dmp (Filesize: 6.9MB)
- memory/1184-13-0x0000000000400000-0x0000000000468000-memory.dmp (Filesize: 416KB)
- memory/1184-15-0x0000000000880000-0x0000000000881000-memory.dmp (Filesize: 4KB)
- memory/1728-2-0x0000000074120000-0x000000007480E000-memory.dmp (Filesize: 6.9MB)
- memory/1728-3-0x0000000000B50000-0x0000000000B51000-memory.dmp (Filesize: 4KB)
- memory/1728-5-0x0000000000AA0000-0x0000000000B2E000-memory.dmp (Filesize: 568KB)
- memory/1728-6-0x0000000004A50000-0x0000000004A51000-memory.dmp (Filesize: 4KB)
- memory/1728-7-0x0000000000A10000-0x0000000000A1F000-memory.dmp (Filesize: 60KB)
- memory/1728-10-0x0000000004A55000-0x0000000004A66000-memory.dmp (Filesize: 68KB)