Analysis
-
max time kernel
141s -
max time network
141s -
platform
windows10_x64 -
resource
win10v20201028 -
submitted
26-02-2021 06:24
General
-
Target
PROFORMA INVOICE.scr
-
Size
22KB
-
MD5
4480e5c41df955746e6b762828e64ddb
-
SHA1
75fd2876572e72da98a99065152c338f935d722f
-
SHA256
98bba6280dc438b35e3d0a4f468d1e50dd44bdafdd3e8c396a6dacf6be50fd71
-
SHA512
92db76915c468ab2e3a1185b3ee5a0d8849bfb623e5bfdf0fa128a002b16e768097b9440c905a4cb38b70aee9b36c21ce2db57f150f93fc5845ff5f667957a41
Score
10/10
Malware Config
Signatures
-
Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
-
Snake Keylogger Payload 2 IoCs
-
Turns off Windows Defender SpyNet reporting 2 TTPs
-
Windows security bypass 2 TTPs
-
Nirsoft 3 IoCs
-
Executes dropped EXE 2 IoCs
-
Windows security modification 2 TTPs 10 IoCs
-
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 14 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Drops file in Windows directory 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 1 IoCs
-
Delays execution with timeout.exe 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 29 IoCs
-
Suspicious use of AdjustPrivilegeToken 11 IoCs
-
Suspicious use of WriteProcessMemory 23 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\PROFORMA INVOICE.scr"C:\Users\Admin\AppData\Local\Temp\PROFORMA INVOICE.scr" /S1⤵
- Windows security modification
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\4c3a78e0-f87b-4e29-9692-71efd833cafa\AdvancedRun.exe"C:\Users\Admin\AppData\Local\Temp\4c3a78e0-f87b-4e29-9692-71efd833cafa\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\4c3a78e0-f87b-4e29-9692-71efd833cafa\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\4c3a78e0-f87b-4e29-9692-71efd833cafa\AdvancedRun.exe"C:\Users\Admin\AppData\Local\Temp\4c3a78e0-f87b-4e29-9692-71efd833cafa\AdvancedRun.exe" /SpecialRun 4101d8 35563⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\PROFORMA INVOICE.scr" -Force2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c timeout 12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
- Delays execution with timeout.exe
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3980 -s 16682⤵
- Drops file in Windows directory
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\4c3a78e0-f87b-4e29-9692-71efd833cafa\AdvancedRun.exeMD5
17fc12902f4769af3a9271eb4e2dacce
SHA19a4a1581cc3971579574f837e110f3bd6d529dab
SHA25629ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b
SHA512036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a
-
C:\Users\Admin\AppData\Local\Temp\4c3a78e0-f87b-4e29-9692-71efd833cafa\AdvancedRun.exeMD5
17fc12902f4769af3a9271eb4e2dacce
SHA19a4a1581cc3971579574f837e110f3bd6d529dab
SHA25629ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b
SHA512036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a
-
C:\Users\Admin\AppData\Local\Temp\4c3a78e0-f87b-4e29-9692-71efd833cafa\AdvancedRun.exeMD5
17fc12902f4769af3a9271eb4e2dacce
SHA19a4a1581cc3971579574f837e110f3bd6d529dab
SHA25629ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b
SHA512036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a
-
memory/1208-15-0x0000000000000000-mapping.dmp
-
memory/2348-19-0x0000000000000000-mapping.dmp
-
memory/2616-33-0x0000000004E00000-0x0000000004E01000-memory.dmpFilesize
4KB
-
memory/3156-37-0x0000000007D80000-0x0000000007D81000-memory.dmpFilesize
4KB
-
memory/3156-20-0x0000000004410000-0x0000000004411000-memory.dmpFilesize
4KB
-
memory/3156-56-0x0000000008FA0000-0x0000000008FA1000-memory.dmpFilesize
4KB
-
memory/3156-54-0x0000000008FB0000-0x0000000008FB1000-memory.dmpFilesize
4KB
-
memory/3156-35-0x0000000007AB0000-0x0000000007AB1000-memory.dmpFilesize
4KB
-
memory/3156-14-0x0000000000000000-mapping.dmp
-
memory/3156-53-0x0000000004413000-0x0000000004414000-memory.dmpFilesize
4KB
-
memory/3156-16-0x0000000073E00000-0x00000000744EE000-memory.dmpFilesize
6.9MB
-
memory/3156-17-0x0000000004240000-0x0000000004241000-memory.dmpFilesize
4KB
-
memory/3156-34-0x0000000007480000-0x0000000007481000-memory.dmpFilesize
4KB
-
memory/3156-18-0x0000000006DA0000-0x0000000006DA1000-memory.dmpFilesize
4KB
-
memory/3156-42-0x0000000008AF0000-0x0000000008B23000-memory.dmpFilesize
204KB
-
memory/3156-21-0x0000000004412000-0x0000000004413000-memory.dmpFilesize
4KB
-
memory/3156-22-0x0000000006CA0000-0x0000000006CA1000-memory.dmpFilesize
4KB
-
memory/3156-23-0x00000000075B0000-0x00000000075B1000-memory.dmpFilesize
4KB
-
memory/3156-52-0x0000000009010000-0x0000000009011000-memory.dmpFilesize
4KB
-
memory/3156-51-0x0000000008CC0000-0x0000000008CC1000-memory.dmpFilesize
4KB
-
memory/3156-25-0x00000000073D0000-0x00000000073D1000-memory.dmpFilesize
4KB
-
memory/3156-28-0x0000000007620000-0x0000000007621000-memory.dmpFilesize
4KB
-
memory/3156-50-0x000000007E240000-0x000000007E241000-memory.dmpFilesize
4KB
-
memory/3156-49-0x0000000008AD0000-0x0000000008AD1000-memory.dmpFilesize
4KB
-
memory/3544-12-0x0000000000000000-mapping.dmp
-
memory/3556-9-0x0000000000000000-mapping.dmp
-
memory/3980-5-0x00000000058B0000-0x00000000058B1000-memory.dmpFilesize
4KB
-
memory/3980-2-0x0000000073E00000-0x00000000744EE000-memory.dmpFilesize
6.9MB
-
memory/3980-3-0x0000000000F80000-0x0000000000F81000-memory.dmpFilesize
4KB
-
memory/3980-6-0x0000000008470000-0x0000000008471000-memory.dmpFilesize
4KB
-
memory/3980-7-0x0000000005F80000-0x000000000605B000-memory.dmpFilesize
876KB
-
memory/3980-8-0x000000000AA10000-0x000000000AA11000-memory.dmpFilesize
4KB
-
memory/4016-38-0x0000000005FF0000-0x0000000005FF1000-memory.dmpFilesize
4KB
-
memory/4016-39-0x00000000061C0000-0x00000000061C1000-memory.dmpFilesize
4KB
-
memory/4016-40-0x0000000006290000-0x0000000006291000-memory.dmpFilesize
4KB
-
memory/4016-36-0x00000000051C0000-0x00000000051C1000-memory.dmpFilesize
4KB
-
memory/4016-27-0x0000000073E00000-0x00000000744EE000-memory.dmpFilesize
6.9MB
-
memory/4016-26-0x000000000046467E-mapping.dmp
-
memory/4016-24-0x0000000000400000-0x000000000046A000-memory.dmpFilesize
424KB