Analysis

max time kernel: 131s
max time network: 131s
platform: windows10_x64
resource: win10v20201028
submitted: 31-01-2021 07:45
Static task: static1

Behavioral task: behavioral1
Sample: my new file ify (1).exe
Resource: win7v20201028

Behavioral task: behavioral2
Sample: my new file ify (1).exe
Resource: win10v20201028
General

Target: my new file ify (1).exe
Size: 2.7MB
MD5: e67ac6aaee51c36fd8b66b4fda8e86e0
SHA1: 8848d903ecacf5614fdfcde030011c1d1f8ff91e
SHA256: 3ff622e45db0ffbc2ebcc3042cb518a827c9954a6c6c05a936957252104fd2de
SHA512: c8ce9379288be20340a48549f78b933b819085e9b8d71630c3f1d60e7e8a9555d7f737974bfe7bd5869f7788b4e256326f8b934c57aebf61bac368aa1e63f542
Malware Config
Signatures
Modifies WinLogon for persistence (2 TTPs, 1 IoCs)
Processes: my new file ify (1).exe
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe,\"C:\\Users\\Admin\\AppData\\Local\\Temp\\my new file ify (1).exe\"" | my new file ify (1).exe

Snake Keylogger
Keylogger and Infostealer first seen in November 2020.

Snake Keylogger Payload (2 IoCs)
resource | yara_rule
behavioral2/memory/3392-8-0x0000000000400000-0x000000000046A000-memory.dmp | family_snakekeylogger
behavioral2/memory/3392-9-0x000000000046573E-mapping.dmp | family_snakekeylogger

Drops startup file (2 IoCs)
Processes: my new file ify (1).exe
description | ioc | process
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\my new file ify (1).exe | my new file ify (1).exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\my new file ify (1).exe | my new file ify (1).exe

Reads user/profile data of local email clients (2 TTPs)
Email clients store some user data on disk where infostealers will often target it.

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Adds Run key to start application (2 TTPs, 2 IoCs)
Processes: my new file ify (1).exe
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\<Unknown> = "C:\\Users\\Admin\\AppData\\Local\\Temp\\my new file ify (1).exe" | my new file ify (1).exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\my new file ify (1).exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\my new file ify (1).exe" | my new file ify (1).exe

Looks up external IP address via web service (3 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
16 | checkip.dyndns.org
19 | freegeoip.app
20 | freegeoip.app

Suspicious use of SetThreadContext (1 IoCs)
Processes: my new file ify (1).exe
description | pid | process | target process
PID 1628 set thread context of 3392 | 1628 | my new file ify (1).exe | my new file ify (1).exe

Suspicious behavior: EnumeratesProcesses (8 IoCs)
Processes: my new file ify (1).exe
pid | process
3392 | my new file ify (1).exe (this row is repeated 8 times in the report)

Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes: my new file ify (1).exe, my new file ify (1).exe
description | pid | process
Token: SeDebugPrivilege | 1628 | my new file ify (1).exe
Token: SeDebugPrivilege | 3392 | my new file ify (1).exe

Suspicious use of WriteProcessMemory (8 IoCs)
Processes: my new file ify (1).exe
description | pid | process | target process
PID 1628 wrote to memory of 3392 | 1628 | my new file ify (1).exe | my new file ify (1).exe (this row is repeated 8 times in the report)
Processes

C:\Users\Admin\AppData\Local\Temp\my new file ify (1).exe (tree level 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\my new file ify (1).exe"
- Modifies WinLogon for persistence
- Drops startup file
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\my new file ify (1).exe (tree level 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\my new file ify (1).exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
memory/1628-2-0x0000000073840000-0x0000000073F2E000-memory.dmp (Filesize: 6.9MB)
memory/1628-3-0x0000000000F50000-0x0000000000F51000-memory.dmp (Filesize: 4KB)
memory/1628-4-0x00000000059D0000-0x00000000059D1000-memory.dmp (Filesize: 4KB)
memory/1628-5-0x0000000005B70000-0x0000000005B71000-memory.dmp (Filesize: 4KB)
memory/1628-6-0x0000000005450000-0x00000000054D7000-memory.dmp (Filesize: 540KB)
memory/1628-7-0x0000000008DD0000-0x0000000008DD1000-memory.dmp (Filesize: 4KB)
memory/3392-8-0x0000000000400000-0x000000000046A000-memory.dmp (Filesize: 424KB)
memory/3392-9-0x000000000046573E-mapping.dmp
memory/3392-10-0x0000000073840000-0x0000000073F2E000-memory.dmp (Filesize: 6.9MB)
memory/3392-15-0x0000000002E50000-0x0000000002E51000-memory.dmp (Filesize: 4KB)
memory/3392-16-0x0000000006690000-0x0000000006691000-memory.dmp (Filesize: 4KB)
memory/3392-17-0x0000000006860000-0x0000000006861000-memory.dmp (Filesize: 4KB)
memory/3392-18-0x0000000006930000-0x0000000006931000-memory.dmp (Filesize: 4KB)