Analysis

- max time kernel: 55s
- max time network: 104s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 29-01-2021 19:31

Tasks:
- Static task static1
- Behavioral task behavioral1: sample file.exe, resource win7v20201028
- Behavioral task behavioral2: sample file.exe, resource win10v20201028
General

- Target: file.exe
- Size: 909KB
- MD5: 819671a956dd62bcf8c63ad429cddccc
- SHA1: 0e78e93d6b2492f90a8d47b500a8dd5662e121aa
- SHA256: 57eeb22b59b51f2ebdc14d10502d7b6b7ce20a4c15df666a97d1ba89fb16c3d9
- SHA512: 66bed3697982f46e3f1979dc4e3aea8edd77af49151203e2cd03263373974d1222555873e899405f228e7373ea7a98ee2c4f5187ccc8af41b863d845056c5ee1
Malware Config

Signatures

- Snake Keylogger
  Keylogger and Infostealer first seen in November 2020.
- Snake Keylogger Payload (2 IoCs)
  resource behavioral2/memory/980-16-0x000000000046471E-mapping.dmp, yara_rule family_snakekeylogger
  resource behavioral2/memory/980-15-0x0000000000400000-0x000000000046A000-memory.dmp, yara_rule family_snakekeylogger
- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk where infostealers will often target it.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Looks up external IP address via web service (3 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow 15: checkip.dyndns.org; flow 18: freegeoip.app; flow 19: freegeoip.app
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of SetThreadContext (1 IoCs)
  PID 4764 (file.exe) set thread context of PID 980 (file.exe)
- Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  PID 4764 file.exe; PID 980 file.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token SeDebugPrivilege: PID 4764 file.exe; Token SeDebugPrivilege: PID 980 file.exe
- Suspicious use of SetWindowsHookEx (1 IoCs)
  PID 980 file.exe
- Suspicious use of WriteProcessMemory (11 IoCs)
  PID 4764 (file.exe) wrote to memory of PID 508 (schtasks.exe), 3 events
  PID 4764 (file.exe) wrote to memory of PID 980 (file.exe), 8 events
Processes

- C:\Users\Admin\AppData\Local\Temp\file.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\file.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\schtasks.exe
    command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\LnGJZhvuhyjsi" /XML "C:\Users\Admin\AppData\Local\Temp\tmp26C3.tmp"
    - Creates scheduled task(s)
  - C:\Users\Admin\AppData\Local\Temp\file.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\file.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
Downloads

- C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\file.exe.log
  MD5: 90acfd72f14a512712b1a7380c0faf60
  SHA1: 40ba4accb8faa75887e84fb8e38d598dc8cf0f12
  SHA256: 20806822f0c130b340504132c1461b589261fbbc518e468f4f90733ab514cb86
  SHA512: 29dbf85e14e60868574cb4dc9bda83d3c229fb956733d8d2557f2475ee0e690ac9c2e72f31e02284996da6906ba2dbfa382a29b04c15a2406571d8ee19ad16b9
- C:\Users\Admin\AppData\Local\Temp\tmp26C3.tmp
  MD5: af91ee5e7954432c9d12e03505bec931
  SHA1: 66f0482b85403194caca72bb7081cf3fbe0fdb60
  SHA256: a3220e99922aa5ea5fdc70539dfe4b74f47d96bd1110930077f8752e8c9fa42f
  SHA512: 4d3b34c84d2405cccd9fb8040182945904d9e9eb822fb5dc47eef208829cf92492b4663adc0e04978f56ded3c72dac9e1ce2ec66a1e0501d42ef8f72fe3113ed