Analysis
- max time kernel: 100s
- max time network: 99s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 26-02-2021 06:24
- Static task: static1
- Behavioral task: behavioral1 (Sample: PROFORMA INVOICE.scr, Resource: win7v20201028)
- Behavioral task: behavioral2 (Sample: PROFORMA INVOICE.scr, Resource: win10v20201028)
General
- Target: PROFORMA INVOICE.scr
- Size: 22KB
- MD5: 4480e5c41df955746e6b762828e64ddb
- SHA1: 75fd2876572e72da98a99065152c338f935d722f
- SHA256: 98bba6280dc438b35e3d0a4f468d1e50dd44bdafdd3e8c396a6dacf6be50fd71
- SHA512: 92db76915c468ab2e3a1185b3ee5a0d8849bfb623e5bfdf0fa128a002b16e768097b9440c905a4cb38b70aee9b36c21ce2db57f150f93fc5845ff5f667957a41
Malware Config
Signatures
- Snake Keylogger
  Keylogger and Infostealer first seen in November 2020.
- Snake Keylogger Payload (3 IoCs)
  resource                                                                       yara_rule
  behavioral1/memory/1352-29-0x0000000000400000-0x000000000046A000-memory.dmp    family_snakekeylogger
  behavioral1/memory/1352-30-0x000000000046467E-mapping.dmp                      family_snakekeylogger
  behavioral1/memory/1352-32-0x0000000000400000-0x000000000046A000-memory.dmp    family_snakekeylogger
- Nirsoft (7 IoCs)
  resource                                                                                    yara_rule
  \Users\Admin\AppData\Local\Temp\8eacc7d0-c3e3-4ead-ad28-11b2f06761b3\AdvancedRun.exe        Nirsoft
  \Users\Admin\AppData\Local\Temp\8eacc7d0-c3e3-4ead-ad28-11b2f06761b3\AdvancedRun.exe        Nirsoft
  C:\Users\Admin\AppData\Local\Temp\8eacc7d0-c3e3-4ead-ad28-11b2f06761b3\AdvancedRun.exe      Nirsoft
  C:\Users\Admin\AppData\Local\Temp\8eacc7d0-c3e3-4ead-ad28-11b2f06761b3\AdvancedRun.exe      Nirsoft
  \Users\Admin\AppData\Local\Temp\8eacc7d0-c3e3-4ead-ad28-11b2f06761b3\AdvancedRun.exe        Nirsoft
  \Users\Admin\AppData\Local\Temp\8eacc7d0-c3e3-4ead-ad28-11b2f06761b3\AdvancedRun.exe        Nirsoft
  C:\Users\Admin\AppData\Local\Temp\8eacc7d0-c3e3-4ead-ad28-11b2f06761b3\AdvancedRun.exe      Nirsoft
- Executes dropped EXE (2 IoCs)
  pid    process
  1068   AdvancedRun.exe
  1088   AdvancedRun.exe
- Loads dropped DLL (4 IoCs)
  pid    process
  1648   PROFORMA INVOICE.scr
  1648   PROFORMA INVOICE.scr
  1068   AdvancedRun.exe
  1068   AdvancedRun.exe
- Windows security modification
  description       ioc                                                                                                                          process
  Set value (int)   \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet\SubmitSamplesConsent = "0"                        PROFORMA INVOICE.scr
  Key created       \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features                                                 PROFORMA INVOICE.scr
  Set value (int)   \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"                          PROFORMA INVOICE.scr
  Key created       \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths                                         PROFORMA INVOICE.scr
  Key created       \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions                                               PROFORMA INVOICE.scr
  Set value (int)   \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\PROFORMA INVOICE.scr = "0"   PROFORMA INVOICE.scr
  Key created       \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Real-Time Protection                                     PROFORMA INVOICE.scr
  Set value (int)   \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"     PROFORMA INVOICE.scr
- Looks up external IP address via web service (3 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow   ioc
  15     freegeoip.app
  9      checkip.dyndns.org
  14     freegeoip.app
- Suspicious use of NtSetInformationThreadHideFromDebugger (11 IoCs)
  pid    process
  1648   PROFORMA INVOICE.scr (11 occurrences)
- Suspicious use of SetThreadContext (1 IoC)
  description                           pid    process                target process
  PID 1648 set thread context of 1352   1648   PROFORMA INVOICE.scr   regsvcs.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Delays execution with timeout.exe (1 IoC)
  pid    process
  1056   timeout.exe
- Suspicious behavior: EnumeratesProcesses (10 IoCs)
  pid    process
  1068   AdvancedRun.exe
  1068   AdvancedRun.exe
  1088   AdvancedRun.exe
  1088   AdvancedRun.exe
  440    powershell.exe
  440    powershell.exe
  1648   PROFORMA INVOICE.scr
  1648   PROFORMA INVOICE.scr
  1648   PROFORMA INVOICE.scr
  1352   regsvcs.exe
- Suspicious use of AdjustPrivilegeToken (7 IoCs)
  description                     pid    process
  Token: SeDebugPrivilege         1648   PROFORMA INVOICE.scr
  Token: SeDebugPrivilege         1068   AdvancedRun.exe
  Token: SeImpersonatePrivilege   1068   AdvancedRun.exe
  Token: SeDebugPrivilege         1088   AdvancedRun.exe
  Token: SeImpersonatePrivilege   1088   AdvancedRun.exe
  Token: SeDebugPrivilege         440    powershell.exe
  Token: SeDebugPrivilege         1352   regsvcs.exe
- Suspicious use of WriteProcessMemory (32 IoCs)
  description                        pid    process                target process    occurrences
  PID 1648 wrote to memory of 1068   1648   PROFORMA INVOICE.scr   AdvancedRun.exe   4
  PID 1068 wrote to memory of 1088   1068   AdvancedRun.exe        AdvancedRun.exe   4
  PID 1648 wrote to memory of 440    1648   PROFORMA INVOICE.scr   powershell.exe    4
  PID 1648 wrote to memory of 604    1648   PROFORMA INVOICE.scr   cmd.exe           4
  PID 604 wrote to memory of 1056    604    cmd.exe                timeout.exe       4
  PID 1648 wrote to memory of 1352   1648   PROFORMA INVOICE.scr   regsvcs.exe       12
Processes
- C:\Users\Admin\AppData\Local\Temp\PROFORMA INVOICE.scr (PID 1648)
  Command line: "C:\Users\Admin\AppData\Local\Temp\PROFORMA INVOICE.scr" /S
  - Loads dropped DLL
  - Windows security modification
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  - C:\Users\Admin\AppData\Local\Temp\8eacc7d0-c3e3-4ead-ad28-11b2f06761b3\AdvancedRun.exe (PID 1068, child of 1648)
    Command line: "C:\Users\Admin\AppData\Local\Temp\8eacc7d0-c3e3-4ead-ad28-11b2f06761b3\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\8eacc7d0-c3e3-4ead-ad28-11b2f06761b3\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    - C:\Users\Admin\AppData\Local\Temp\8eacc7d0-c3e3-4ead-ad28-11b2f06761b3\AdvancedRun.exe (PID 1088, child of 1068)
      Command line: "C:\Users\Admin\AppData\Local\Temp\8eacc7d0-c3e3-4ead-ad28-11b2f06761b3\AdvancedRun.exe" /SpecialRun 4101d8 1068
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 440, child of 1648)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\PROFORMA INVOICE.scr" -Force
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  - C:\Windows\SysWOW64\cmd.exe (PID 604, child of 1648)
    Command line: "C:\Windows\System32\cmd.exe" /c timeout 1
    - Suspicious use of WriteProcessMemory

    - C:\Windows\SysWOW64\timeout.exe (PID 1056, child of 604)
      Command line: timeout 1
      - Delays execution with timeout.exe

  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe (PID 1352, child of 1648)
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\8eacc7d0-c3e3-4ead-ad28-11b2f06761b3\AdvancedRun.exe
  MD5: 17fc12902f4769af3a9271eb4e2dacce
  SHA1: 9a4a1581cc3971579574f837e110f3bd6d529dab
  SHA256: 29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b
  SHA512: 036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a
- Memory dumps (filename, size)
  memory/440-42-0x000000007EF30000-0x000000007EF31000-memory.dmp    4KB
  memory/440-21-0x0000000074000000-0x00000000746EE000-memory.dmp    6.9MB
  memory/440-51-0x0000000006280000-0x0000000006281000-memory.dmp    4KB
  memory/440-52-0x00000000061E0000-0x00000000061E1000-memory.dmp    4KB
  memory/440-66-0x0000000006300000-0x0000000006301000-memory.dmp    4KB
  memory/440-36-0x0000000006020000-0x0000000006021000-memory.dmp    4KB
  memory/440-67-0x0000000006310000-0x0000000006311000-memory.dmp    4KB
  memory/440-18-0x0000000000000000-mapping.dmp
  memory/440-28-0x00000000052C0000-0x00000000052C1000-memory.dmp    4KB
  memory/440-44-0x0000000006140000-0x0000000006141000-memory.dmp    4KB
  memory/440-22-0x0000000002410000-0x0000000002411000-memory.dmp    4KB
  memory/440-41-0x0000000006080000-0x0000000006081000-memory.dmp    4KB
  memory/440-24-0x00000000049A0000-0x00000000049A1000-memory.dmp    4KB
  memory/440-25-0x0000000004960000-0x0000000004961000-memory.dmp    4KB
  memory/440-26-0x0000000004962000-0x0000000004963000-memory.dmp    4KB
  memory/440-27-0x0000000004780000-0x0000000004781000-memory.dmp    4KB
  memory/604-20-0x0000000000000000-mapping.dmp
  memory/1056-23-0x0000000000000000-mapping.dmp
  memory/1068-11-0x0000000074D11000-0x0000000074D13000-memory.dmp   8KB
  memory/1068-9-0x0000000000000000-mapping.dmp
  memory/1088-15-0x0000000000000000-mapping.dmp
  memory/1352-30-0x000000000046467E-mapping.dmp
  memory/1352-31-0x0000000074000000-0x00000000746EE000-memory.dmp   6.9MB
  memory/1352-32-0x0000000000400000-0x000000000046A000-memory.dmp   424KB
  memory/1352-29-0x0000000000400000-0x000000000046A000-memory.dmp   424KB
  memory/1352-43-0x0000000004BF0000-0x0000000004BF1000-memory.dmp   4KB
  memory/1648-2-0x0000000074000000-0x00000000746EE000-memory.dmp    6.9MB
  memory/1648-6-0x0000000004C00000-0x0000000004CDB000-memory.dmp    876KB
  memory/1648-5-0x0000000004D80000-0x0000000004D81000-memory.dmp    4KB
  memory/1648-3-0x0000000000850000-0x0000000000851000-memory.dmp    4KB