Overview

overview

10

Static

static

file.exe

windows7_x64

10

file.exe

windows10_x64

10

Analysis

  • max time kernel
    55s
  • max time network
    104s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    29-01-2021 19:31

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    file.exe

  • Size

    909KB

  • MD5

    819671a956dd62bcf8c63ad429cddccc

  • SHA1

    0e78e93d6b2492f90a8d47b500a8dd5662e121aa

  • SHA256

    57eeb22b59b51f2ebdc14d10502d7b6b7ce20a4c15df666a97d1ba89fb16c3d9

  • SHA512

    66bed3697982f46e3f1979dc4e3aea8edd77af49151203e2cd03263373974d1222555873e899405f228e7373ea7a98ee2c4f5187ccc8af41b863d845056c5ee1

Score
10/10
snakekeyloggerkeyloggerransomwarespywarestealer

Malware Config

Signatures

  • Snake Keylogger

    Keylogger and Infostealer first seen in November 2020.

    stealerkeyloggersnakekeylogger
  • Snake Keylogger Payload 2 IoCs
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spyware
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spyware
  • Looks up external IP address via web service 3 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

    ransomware
  • Suspicious use of SetThreadContext 1 IoCs
  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\file.exe
    "C:\Users\Admin\AppData\Local\Temp\file.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4764
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\LnGJZhvuhyjsi" /XML "C:\Users\Admin\AppData\Local\Temp\tmp26C3.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:508
    • C:\Users\Admin\AppData\Local\Temp\file.exe
      "C:\Users\Admin\AppData\Local\Temp\file.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:980

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1
T1053

Persistence

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Credential Access

Credentials in Files

2
T1081

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Data from Local System

2
T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\file.exe.log
    MD5

    90acfd72f14a512712b1a7380c0faf60

    SHA1

    40ba4accb8faa75887e84fb8e38d598dc8cf0f12

    SHA256

    20806822f0c130b340504132c1461b589261fbbc518e468f4f90733ab514cb86

    SHA512

    29dbf85e14e60868574cb4dc9bda83d3c229fb956733d8d2557f2475ee0e690ac9c2e72f31e02284996da6906ba2dbfa382a29b04c15a2406571d8ee19ad16b9

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\tmp26C3.tmp
    MD5

    af91ee5e7954432c9d12e03505bec931

    SHA1

    66f0482b85403194caca72bb7081cf3fbe0fdb60

    SHA256

    a3220e99922aa5ea5fdc70539dfe4b74f47d96bd1110930077f8752e8c9fa42f

    SHA512

    4d3b34c84d2405cccd9fb8040182945904d9e9eb822fb5dc47eef208829cf92492b4663adc0e04978f56ded3c72dac9e1ce2ec66a1e0501d42ef8f72fe3113ed

    Download Submit
  • memory/508-13-0x0000000000000000-mapping.dmp
    Download
  • memory/980-27-0x0000000006C60000-0x0000000006C61000-memory.dmp
    Filesize

    4KB

    Download
  • memory/980-24-0x00000000053E0000-0x00000000053E1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/980-23-0x00000000064E0000-0x00000000064E1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/980-18-0x00000000732D0000-0x00000000739BE000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/980-15-0x0000000000400000-0x000000000046A000-memory.dmp
    Filesize

    424KB

    Download
  • memory/980-16-0x000000000046471E-mapping.dmp
    Download
  • memory/4764-7-0x0000000004B10000-0x0000000004B11000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4764-12-0x0000000005860000-0x000000000593D000-memory.dmp
    Filesize

    884KB

    Download
  • memory/4764-11-0x0000000004AF0000-0x0000000004AF3000-memory.dmp
    Filesize

    12KB

    Download
  • memory/4764-10-0x0000000004C70000-0x0000000004C71000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4764-8-0x0000000004B00000-0x0000000004B01000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4764-9-0x00000000049B0000-0x00000000049B1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4764-2-0x00000000732D0000-0x00000000739BE000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/4764-6-0x0000000004F70000-0x0000000004F71000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4764-5-0x00000000049D0000-0x00000000049D1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4764-3-0x00000000000C0000-0x00000000000C1000-memory.dmp
    Filesize

    4KB

    Download