Analysis
-
max time kernel
134s -
max time network
133s -
platform
windows7_x64 -
resource
win7v20201028 -
submitted
26-02-2021 07:13
General
-
Target
PROFORMA INVOICE.scr
-
Size
22KB
-
MD5
4480e5c41df955746e6b762828e64ddb
-
SHA1
75fd2876572e72da98a99065152c338f935d722f
-
SHA256
98bba6280dc438b35e3d0a4f468d1e50dd44bdafdd3e8c396a6dacf6be50fd71
-
SHA512
92db76915c468ab2e3a1185b3ee5a0d8849bfb623e5bfdf0fa128a002b16e768097b9440c905a4cb38b70aee9b36c21ce2db57f150f93fc5845ff5f667957a41
Malware Config
Signatures
-
Modifies Windows Defender Real-time Protection settings 3 TTPs
-
Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
-
Snake Keylogger Payload 3 IoCs
-
Windows security bypass 2 TTPs
-
Nirsoft 7 IoCs
-
Executes dropped EXE 2 IoCs
-
Loads dropped DLL 4 IoCs
-
Windows security modification 2 TTPs 8 IoCs
-
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 12 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 1 IoCs
-
Delays execution with timeout.exe 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 15 IoCs
-
Suspicious use of AdjustPrivilegeToken 8 IoCs
-
Suspicious use of WriteProcessMemory 36 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\PROFORMA INVOICE.scr"C:\Users\Admin\AppData\Local\Temp\PROFORMA INVOICE.scr" /S1⤵
- Loads dropped DLL
- Windows security modification
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\5d455455-203e-4596-9dc3-d1a3701e071e\AdvancedRun.exe"C:\Users\Admin\AppData\Local\Temp\5d455455-203e-4596-9dc3-d1a3701e071e\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\5d455455-203e-4596-9dc3-d1a3701e071e\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\5d455455-203e-4596-9dc3-d1a3701e071e\AdvancedRun.exe"C:\Users\Admin\AppData\Local\Temp\5d455455-203e-4596-9dc3-d1a3701e071e\AdvancedRun.exe" /SpecialRun 4101d8 16243⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\PROFORMA INVOICE.scr" -Force2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c timeout 12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
- Delays execution with timeout.exe
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1668 -s 14402⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\5d455455-203e-4596-9dc3-d1a3701e071e\AdvancedRun.exeMD5
17fc12902f4769af3a9271eb4e2dacce
SHA19a4a1581cc3971579574f837e110f3bd6d529dab
SHA25629ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b
SHA512036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a
-
C:\Users\Admin\AppData\Local\Temp\5d455455-203e-4596-9dc3-d1a3701e071e\AdvancedRun.exeMD5
17fc12902f4769af3a9271eb4e2dacce
SHA19a4a1581cc3971579574f837e110f3bd6d529dab
SHA25629ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b
SHA512036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a
-
C:\Users\Admin\AppData\Local\Temp\5d455455-203e-4596-9dc3-d1a3701e071e\AdvancedRun.exeMD5
17fc12902f4769af3a9271eb4e2dacce
SHA19a4a1581cc3971579574f837e110f3bd6d529dab
SHA25629ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b
SHA512036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a
-
\Users\Admin\AppData\Local\Temp\5d455455-203e-4596-9dc3-d1a3701e071e\AdvancedRun.exeMD5
17fc12902f4769af3a9271eb4e2dacce
SHA19a4a1581cc3971579574f837e110f3bd6d529dab
SHA25629ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b
SHA512036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a
-
\Users\Admin\AppData\Local\Temp\5d455455-203e-4596-9dc3-d1a3701e071e\AdvancedRun.exeMD5
17fc12902f4769af3a9271eb4e2dacce
SHA19a4a1581cc3971579574f837e110f3bd6d529dab
SHA25629ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b
SHA512036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a
-
\Users\Admin\AppData\Local\Temp\5d455455-203e-4596-9dc3-d1a3701e071e\AdvancedRun.exeMD5
17fc12902f4769af3a9271eb4e2dacce
SHA19a4a1581cc3971579574f837e110f3bd6d529dab
SHA25629ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b
SHA512036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a
-
\Users\Admin\AppData\Local\Temp\5d455455-203e-4596-9dc3-d1a3701e071e\AdvancedRun.exeMD5
17fc12902f4769af3a9271eb4e2dacce
SHA19a4a1581cc3971579574f837e110f3bd6d529dab
SHA25629ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b
SHA512036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a
-
memory/340-37-0x0000000000800000-0x0000000000801000-memory.dmpFilesize
4KB
-
memory/340-34-0x0000000001F40000-0x0000000001F51000-memory.dmpFilesize
68KB
-
memory/340-33-0x0000000000000000-mapping.dmp
-
memory/632-36-0x0000000004780000-0x0000000004781000-memory.dmpFilesize
4KB
-
memory/632-29-0x000000000046467E-mapping.dmp
-
memory/632-31-0x0000000000400000-0x000000000046A000-memory.dmpFilesize
424KB
-
memory/632-30-0x0000000074110000-0x00000000747FE000-memory.dmpFilesize
6.9MB
-
memory/632-28-0x0000000000400000-0x000000000046A000-memory.dmpFilesize
424KB
-
memory/760-23-0x0000000004860000-0x0000000004861000-memory.dmpFilesize
4KB
-
memory/760-46-0x0000000006170000-0x0000000006171000-memory.dmpFilesize
4KB
-
memory/760-70-0x00000000062D0000-0x00000000062D1000-memory.dmpFilesize
4KB
-
memory/760-69-0x00000000062C0000-0x00000000062C1000-memory.dmpFilesize
4KB
-
memory/760-55-0x00000000055D0000-0x00000000055D1000-memory.dmpFilesize
4KB
-
memory/760-26-0x0000000004822000-0x0000000004823000-memory.dmpFilesize
4KB
-
memory/760-25-0x0000000004820000-0x0000000004821000-memory.dmpFilesize
4KB
-
memory/760-27-0x00000000025D0000-0x00000000025D1000-memory.dmpFilesize
4KB
-
memory/760-20-0x0000000074110000-0x00000000747FE000-memory.dmpFilesize
6.9MB
-
memory/760-18-0x0000000000000000-mapping.dmp
-
memory/760-54-0x000000007EF30000-0x000000007EF31000-memory.dmpFilesize
4KB
-
memory/760-53-0x0000000006200000-0x0000000006201000-memory.dmpFilesize
4KB
-
memory/760-21-0x0000000000980000-0x0000000000981000-memory.dmpFilesize
4KB
-
memory/760-45-0x00000000056B0000-0x00000000056B1000-memory.dmpFilesize
4KB
-
memory/760-35-0x0000000004790000-0x0000000004791000-memory.dmpFilesize
4KB
-
memory/760-40-0x0000000005610000-0x0000000005611000-memory.dmpFilesize
4KB
-
memory/1512-15-0x0000000000000000-mapping.dmp
-
memory/1516-24-0x0000000000000000-mapping.dmp
-
memory/1548-22-0x0000000000000000-mapping.dmp
-
memory/1624-9-0x0000000000000000-mapping.dmp
-
memory/1624-11-0x0000000074B31000-0x0000000074B33000-memory.dmpFilesize
8KB
-
memory/1668-3-0x00000000000F0000-0x00000000000F1000-memory.dmpFilesize
4KB
-
memory/1668-2-0x0000000074110000-0x00000000747FE000-memory.dmpFilesize
6.9MB
-
memory/1668-5-0x00000000004D0000-0x00000000004D1000-memory.dmpFilesize
4KB
-
memory/1668-6-0x0000000005730000-0x000000000580B000-memory.dmpFilesize
876KB