Analysis
- max time kernel: 141s
- max time network: 141s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 26-02-2021 06:24

Static task: static1
Behavioral task: behavioral1
  Sample: PROFORMA INVOICE.scr
  Resource: win7v20201028
Behavioral task: behavioral2
  Sample: PROFORMA INVOICE.scr
  Resource: win10v20201028
General
- Target: PROFORMA INVOICE.scr
- Size: 22KB
- MD5: 4480e5c41df955746e6b762828e64ddb
- SHA1: 75fd2876572e72da98a99065152c338f935d722f
- SHA256: 98bba6280dc438b35e3d0a4f468d1e50dd44bdafdd3e8c396a6dacf6be50fd71
- SHA512: 92db76915c468ab2e3a1185b3ee5a0d8849bfb623e5bfdf0fa128a002b16e768097b9440c905a4cb38b70aee9b36c21ce2db57f150f93fc5845ff5f667957a41
Malware Config
Signatures
- Snake Keylogger
  Keylogger and Infostealer first seen in November 2020.
- Snake Keylogger Payload (2 IoCs)
  Processes:
    resource                                                                      yara_rule
    behavioral2/memory/4016-24-0x0000000000400000-0x000000000046A000-memory.dmp   family_snakekeylogger
    behavioral2/memory/4016-26-0x000000000046467E-mapping.dmp                     family_snakekeylogger
- Turns off Windows Defender SpyNet reporting (2 TTPs)
- Nirsoft (3 IoCs)
  Processes:
    resource                                                                                    yara_rule
    C:\Users\Admin\AppData\Local\Temp\4c3a78e0-f87b-4e29-9692-71efd833cafa\AdvancedRun.exe   Nirsoft (3 matches)
- Executes dropped EXE (2 IoCs)
  Processes:
    pid    process
    3556   AdvancedRun.exe
    3544   AdvancedRun.exe
- Windows security modification
  Processes (all entries by process PROFORMA INVOICE.scr):
    description        ioc
    Set value (int)    \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet\SpyNetReporting = "0"
    Set value (int)    \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet\SubmitSamplesConsent = "0"
    Key created        \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features
    Set value (int)    \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"
    Key created        \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths
    Key created        \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions
    Key created        \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Real-Time Protection
    Set value (int)    \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\PROFORMA INVOICE.scr = "0"
    Set value (int)    \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"
    Key created        \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet
- Looks up external IP address via web service (3 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes:
    flow   ioc
    24     checkip.dyndns.org
    27     freegeoip.app
    28     freegeoip.app
- Suspicious use of NtSetInformationThreadHideFromDebugger (14 IoCs)
  Processes:
    pid    process
    3980   PROFORMA INVOICE.scr (14 occurrences)
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
    description                           pid    process                target process
    PID 3980 set thread context of 4016   3980   PROFORMA INVOICE.scr   regsvcs.exe
- Drops file in Windows directory (1 IoC)
  Processes:
    description    ioc                                              process
    File created   C:\Windows\AppCompat\Programs\Amcache.hve.tmp    WerFault.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Program crash (1 IoC)
  Processes:
    pid    pid_target   process        target process
    2616   3980         WerFault.exe   PROFORMA INVOICE.scr
- Delays execution with timeout.exe (1 IoC)
  Processes:
    pid    process
    2348   timeout.exe
- Suspicious behavior: EnumeratesProcesses (29 IoCs)
  Processes:
    pid    process                occurrences
    3556   AdvancedRun.exe        4
    3544   AdvancedRun.exe        4
    3156   powershell.exe         3
    3980   PROFORMA INVOICE.scr   3
    4016   regsvcs.exe            1
    2616   WerFault.exe           14
- Suspicious use of AdjustPrivilegeToken (11 IoCs)
  Processes:
    description                     pid    process
    Token: SeDebugPrivilege         3980   PROFORMA INVOICE.scr
    Token: SeDebugPrivilege         3556   AdvancedRun.exe
    Token: SeImpersonatePrivilege   3556   AdvancedRun.exe
    Token: SeDebugPrivilege         3544   AdvancedRun.exe
    Token: SeImpersonatePrivilege   3544   AdvancedRun.exe
    Token: SeDebugPrivilege         3156   powershell.exe
    Token: SeDebugPrivilege         4016   regsvcs.exe
    Token: SeRestorePrivilege       2616   WerFault.exe
    Token: SeBackupPrivilege        2616   WerFault.exe
    Token: SeBackupPrivilege        2616   WerFault.exe
    Token: SeDebugPrivilege         2616   WerFault.exe
- Suspicious use of WriteProcessMemory (23 IoCs)
  Processes:
    description                         pid    process                target process     occurrences
    PID 3980 wrote to memory of 3556    3980   PROFORMA INVOICE.scr   AdvancedRun.exe    3
    PID 3556 wrote to memory of 3544    3556   AdvancedRun.exe        AdvancedRun.exe    3
    PID 3980 wrote to memory of 3156    3980   PROFORMA INVOICE.scr   powershell.exe     3
    PID 3980 wrote to memory of 1208    3980   PROFORMA INVOICE.scr   cmd.exe            3
    PID 1208 wrote to memory of 2348    1208   cmd.exe                timeout.exe        3
    PID 3980 wrote to memory of 4016    3980   PROFORMA INVOICE.scr   regsvcs.exe        8
Processes
pid 3980  C:\Users\Admin\AppData\Local\Temp\PROFORMA INVOICE.scr
  cmdline: "C:\Users\Admin\AppData\Local\Temp\PROFORMA INVOICE.scr" /S
  - Windows security modification
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  pid 3556  C:\Users\Admin\AppData\Local\Temp\4c3a78e0-f87b-4e29-9692-71efd833cafa\AdvancedRun.exe
    cmdline: "C:\Users\Admin\AppData\Local\Temp\4c3a78e0-f87b-4e29-9692-71efd833cafa\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\4c3a78e0-f87b-4e29-9692-71efd833cafa\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    pid 3544  C:\Users\Admin\AppData\Local\Temp\4c3a78e0-f87b-4e29-9692-71efd833cafa\AdvancedRun.exe
      cmdline: "C:\Users\Admin\AppData\Local\Temp\4c3a78e0-f87b-4e29-9692-71efd833cafa\AdvancedRun.exe" /SpecialRun 4101d8 3556
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
  pid 3156  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\PROFORMA INVOICE.scr" -Force
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  pid 1208  C:\Windows\SysWOW64\cmd.exe
    cmdline: "C:\Windows\System32\cmd.exe" /c timeout 1
    - Suspicious use of WriteProcessMemory
    pid 2348  C:\Windows\SysWOW64\timeout.exe
      cmdline: timeout 1
      - Delays execution with timeout.exe
  pid 4016  C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe
    cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  pid 2616  C:\Windows\SysWOW64\WerFault.exe
    cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 3980 -s 1668
    - Drops file in Windows directory
    - Program crash
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
Downloads
- C:\Users\Admin\AppData\Local\Temp\4c3a78e0-f87b-4e29-9692-71efd833cafa\AdvancedRun.exe
  MD5: 17fc12902f4769af3a9271eb4e2dacce
  SHA1: 9a4a1581cc3971579574f837e110f3bd6d529dab
  SHA256: 29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b
  SHA512: 036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a