Analysis

max time kernel: 134s
max time network: 133s
platform: windows7_x64
resource: win7v20201028
submitted: 26-02-2021 07:13

Static task: static1
Behavioral task: behavioral1, Sample PROFORMA INVOICE.scr, Resource win7v20201028
Behavioral task: behavioral2, Sample PROFORMA INVOICE.scr, Resource win10v20201028

The signature, process and memory tables on this page are from the behavioral1 run (Windows 7 x64); pids quoted below belong to that run.

General

Target: PROFORMA INVOICE.scr
Size: 22KB
MD5: 4480e5c41df955746e6b762828e64ddb
SHA1: 75fd2876572e72da98a99065152c338f935d722f
SHA256: 98bba6280dc438b35e3d0a4f468d1e50dd44bdafdd3e8c396a6dacf6be50fd71
SHA512: 92db76915c468ab2e3a1185b3ee5a0d8849bfb623e5bfdf0fa128a002b16e768097b9440c905a4cb38b70aee9b36c21ce2db57f150f93fc5845ff5f667957a41
Malware Config
Signatures
- Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
- Snake Keylogger Payload 3 IoCs
resource / yara_rule:
behavioral1/memory/632-29-0x000000000046467E-mapping.dmp  family_snakekeylogger
behavioral1/memory/632-28-0x0000000000400000-0x000000000046A000-memory.dmp  family_snakekeylogger
behavioral1/memory/632-31-0x0000000000400000-0x000000000046A000-memory.dmp  family_snakekeylogger
All three hits are in pid 632 (regsvcs.exe), the process the dropper targets with SetThreadContext below; the 0x400000-0x46A000 region (424KB in the memory dump list) holds the Snake Keylogger payload written into that host. No family rule fires on the dropper's own memory (pid 1668), so the unpacked payload is only visible in the injected process.
- Nirsoft 7 IoCs
resource / yara_rule:
C:\Users\Admin\AppData\Local\Temp\5d455455-203e-4596-9dc3-d1a3701e071e\AdvancedRun.exe  Nirsoft
(7 hits on the same dropped file, listed with and without the drive letter; its hashes are under Downloads)
- Executes dropped EXE 2 IoCs
pid / process:
1624  AdvancedRun.exe
1512  AdvancedRun.exe
- Loads dropped DLL 4 IoCs
pid / process (count):
1668  PROFORMA INVOICE.scr (2)
1624  AdvancedRun.exe (2)
- Windows security modification 8 IoCs
Disables Windows Defender features and registers itself as an exclusion through the registry.
description / ioc / process:
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet\SubmitSamplesConsent = "0"  PROFORMA INVOICE.scr
Key created  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features  PROFORMA INVOICE.scr
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"  PROFORMA INVOICE.scr
Key created  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths  PROFORMA INVOICE.scr
Key created  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions  PROFORMA INVOICE.scr
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\PROFORMA INVOICE.scr = "0"  PROFORMA INVOICE.scr
Key created  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Real-Time Protection  PROFORMA INVOICE.scr
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"  PROFORMA INVOICE.scr
Two caveats when reading these rows. The dropper is a 32-bit process (the System32 paths on its command lines run from SysWOW64 in the process tree), so its writes to HKLM\SOFTWARE\Microsoft\Windows Defender are redirected into the Wow6432Node view recorded here; the Defender service reads the native 64-bit view, so these direct registry writes are unlikely to have changed anything on this x64 guest. The exclusion that can actually take effect is the one requested via Add-MpPreference in the process tree, which goes through the Defender service rather than the registry; that cmdlet ships with the Defender PowerShell module on Windows 8.1/10 and later, so on this Windows 7 run it is also unlikely to have succeeded, and the behavioral2 (win10v20201028) run is where to check whether the exclusion landed. Detection rules for these keys should match both the native and the Wow6432Node paths.
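As an added example (not from the sandbox report or its vendor), the Python below turns the signature above into detection logic over registry write events shaped like those rows: a small rule table for the values this sample set, an exclusion matcher, and a wow64 flag that records whether the hit came from the redirected 32-bit view. SAMPLE_EVENTS, RegEvent and the rule table are constructed for this page, not taken from any product.

```python
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Added example, not part of the sandbox report. SAMPLE_EVENTS is
# constructed from the report's "Windows security modification" rows.

DEFENDER_ROOT = re.compile(
    r"^\\REGISTRY\\MACHINE\\SOFTWARE\\(?P<wow>Wow6432Node\\)?"
    r"Microsoft\\Windows Defender\\(?P<rel>.+)$",
    re.IGNORECASE,
)

# Value path below the Defender key (lower-case) -> predicate on the written
# value meaning "protection weakened". These are the values this sample set.
WEAKENING: Dict[str, Callable[[object], bool]] = {
    r"spynet\submitsamplesconsent": lambda v: v == 0,
    r"features\tamperprotection": lambda v: v == 0,
    r"real-time protection\disablerealtimemonitoring": lambda v: v == 1,
}
EXCLUSION = re.compile(r"^exclusions\\(paths|processes|extensions)\\(?P<target>.+)$",
                       re.IGNORECASE)

@dataclass(frozen=True)
class RegEvent:
    process: str
    op: str              # "set" (value written) or "create" (key created)
    path: str
    value: object = None

@dataclass(frozen=True)
class Finding:
    process: str
    reason: str
    wow64: bool          # True: the write landed in the 32-bit (Wow6432Node) view

def classify(ev: RegEvent) -> Optional[Finding]:
    """Return a Finding when the event weakens Defender, else None.
    Key creation alone is not reported; the value write that follows is."""
    m = DEFENDER_ROOT.match(ev.path)
    if m is None or ev.op != "set":
        return None
    wow64 = m.group("wow") is not None
    rel = m.group("rel")
    pred = WEAKENING.get(rel.lower())
    if pred is not None and pred(ev.value):
        name = rel.rsplit("\\", 1)[-1]
        return Finding(ev.process, f"{name}={ev.value}", wow64)
    ex = EXCLUSION.match(rel)
    if ex is not None:
        return Finding(ev.process, "exclusion added: " + ex.group("target"), wow64)
    return None

def scan(events: List[RegEvent]) -> List[Finding]:
    return [f for f in map(classify, events) if f is not None]

WOW_ROOT = r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender"
SAMPLE = "PROFORMA INVOICE.scr"
SAMPLE_EVENTS = [   # constructed from the report, in the order it lists them
    RegEvent(SAMPLE, "set", WOW_ROOT + r"\Spynet\SubmitSamplesConsent", 0),
    RegEvent(SAMPLE, "create", WOW_ROOT + r"\Features"),
    RegEvent(SAMPLE, "set", WOW_ROOT + r"\Features\TamperProtection", 0),
    RegEvent(SAMPLE, "create", WOW_ROOT + r"\Exclusions\Paths"),
    RegEvent(SAMPLE, "create", WOW_ROOT + r"\Exclusions"),
    RegEvent(SAMPLE, "set", WOW_ROOT + r"\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\PROFORMA INVOICE.scr", 0),
    RegEvent(SAMPLE, "create", WOW_ROOT + r"\Real-Time Protection"),
    RegEvent(SAMPLE, "set", WOW_ROOT + r"\Real-Time Protection\DisableRealtimeMonitoring", 1),
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        view = ("Wow6432Node view: 32-bit writer, native Defender settings untouched"
                if f.wow64 else "native view")
        print(f"{f.process}: {f.reason} [{view}]")
```

Run as-is it reports the four weakening writes from this sample, all flagged wow64. Feeding it the same paths without the Wow6432Node component (what a 64-bit writer would produce) gives the same findings with wow64 False, which is the case that actually affects the Defender service.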
- Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow / ioc:
9   checkip.dyndns.org
14  freegeoip.app
15  freegeoip.app
(flow numbers refer to the Network tab, which is not captured on this page)
- Suspicious use of NtSetInformationThreadHideFromDebugger 12 IoCs
pid / process:
1668  PROFORMA INVOICE.scr (12 calls)
Each call hides the calling thread from an attached debugger, an anti-analysis step the dropper takes before it injects the payload.
- Suspicious use of SetThreadContext 1 IoCs
description / pid / process / target process:
PID 1668 set thread context of 632  PROFORMA INVOICE.scr -> regsvcs.exe
The dropper launched regsvcs.exe (a .NET Framework tool, started here with no arguments) and then rewrote a thread context in it. Together with the 12 WriteProcessMemory rows into pid 632 below and the Snake Keylogger YARA hits in that pid's memory, this is process hollowing into a Microsoft-signed host binary.
- Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). The sandbox's generic description for this signature reads "Likely ransomware behaviour"; for this sample, which the YARA hits identify as Snake Keylogger, drive enumeration is more plausibly reconnaissance, and nothing else in this report points to file encryption.
- Program crash 1 IoCs
pid / pid_target / process / target process:
340  1668  WerFault.exe  PROFORMA INVOICE.scr
(WerFault is the dropper's last child; its command line in the process tree names pid 1668)
- Delays execution with timeout.exe 1 IoCs
pid / process:
1516  timeout.exe
- Suspicious behavior: EnumeratesProcesses 15 IoCs
pid / process (count):
1624  AdvancedRun.exe (2)
1512  AdvancedRun.exe (2)
760   powershell.exe (2)
1668  PROFORMA INVOICE.scr (3)
632   regsvcs.exe (1)
340   WerFault.exe (5)
- Suspicious use of AdjustPrivilegeToken 8 IoCs
description / pid / process:
Token: SeDebugPrivilege  1668  PROFORMA INVOICE.scr
Token: SeDebugPrivilege  1624  AdvancedRun.exe
Token: SeImpersonatePrivilege  1624  AdvancedRun.exe
Token: SeDebugPrivilege  1512  AdvancedRun.exe
Token: SeImpersonatePrivilege  1512  AdvancedRun.exe
Token: SeDebugPrivilege  760  powershell.exe
Token: SeDebugPrivilege  632  regsvcs.exe
Token: SeDebugPrivilege  340  WerFault.exe
- Suspicious use of WriteProcessMemory 36 IoCs
pid -> target pid / process -> target process (rows):
1668 -> 1624  PROFORMA INVOICE.scr -> AdvancedRun.exe (4)
1624 -> 1512  AdvancedRun.exe -> AdvancedRun.exe (4)
1668 -> 760   PROFORMA INVOICE.scr -> powershell.exe (4)
1668 -> 1548  PROFORMA INVOICE.scr -> cmd.exe (4)
1548 -> 1516  cmd.exe -> timeout.exe (4)
1668 -> 632   PROFORMA INVOICE.scr -> regsvcs.exe (12)
1668 -> 340   PROFORMA INVOICE.scr -> WerFault.exe (4)
Every ordinary child shows the same four writes, which is what process creation itself produces in this sandbox; only regsvcs.exe receives more, consistent with the payload image being written into it.
Processes

Indentation below reproduces the depth the report marks as 1⤵, 2⤵, 3⤵; pids are taken from the signature tables. Image paths under SysWOW64 while the command line says System32 are WOW64 file-system redirection: the dropper is a 32-bit process, so everything it starts by a System32 path runs the 32-bit copy. AdvancedRun re-launches itself with /SpecialRun and its own parent pid (1624) on the command line. test.bat, the file AdvancedRun is told to run, is not among the files listed under Downloads on this page.

C:\Users\Admin\AppData\Local\Temp\PROFORMA INVOICE.scr (pid 1668)
  "C:\Users\Admin\AppData\Local\Temp\PROFORMA INVOICE.scr" /S
  - Loads dropped DLL
  - Windows security modification
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\5d455455-203e-4596-9dc3-d1a3701e071e\AdvancedRun.exe (pid 1624)
    "C:\Users\Admin\AppData\Local\Temp\5d455455-203e-4596-9dc3-d1a3701e071e\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\5d455455-203e-4596-9dc3-d1a3701e071e\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\5d455455-203e-4596-9dc3-d1a3701e071e\AdvancedRun.exe (pid 1512)
      "C:\Users\Admin\AppData\Local\Temp\5d455455-203e-4596-9dc3-d1a3701e071e\AdvancedRun.exe" /SpecialRun 4101d8 1624
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (pid 760)
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\PROFORMA INVOICE.scr" -Force
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\cmd.exe (pid 1548)
    "C:\Windows\System32\cmd.exe" /c timeout 1
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\timeout.exe (pid 1516)
      timeout 1
      - Delays execution with timeout.exe

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe (pid 632)
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\WerFault.exe (pid 340)
    C:\Windows\SysWOW64\WerFault.exe -u -p 1668 -s 1440
    - Program crash
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
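As an added example (not from the report or the sandbox vendor), the Python below shows how the process tree above can be rebuilt from the WriteProcessMemory rows alone and how the SetThreadContext signature becomes a hollowing detection once it is correlated with the write counts and the target's command line. PROCS, WRITES and SET_THREAD_CONTEXT are constructed from this page's tables (the AdvancedRun command line is shortened); the baseline heuristic and the Hollowing record are this example's own.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Added example, not part of the sandbox report. PROCS, WRITES and
# SET_THREAD_CONTEXT are constructed from the report's process tree,
# WriteProcessMemory and SetThreadContext tables (pids as reported).

DROP = r"C:\Users\Admin\AppData\Local\Temp\5d455455-203e-4596-9dc3-d1a3701e071e"

@dataclass(frozen=True)
class Proc:
    pid: int
    image: str
    cmdline: str

PROCS: Dict[int, Proc] = {
    1668: Proc(1668, "PROFORMA INVOICE.scr",
               r'"C:\Users\Admin\AppData\Local\Temp\PROFORMA INVOICE.scr" /S'),
    1624: Proc(1624, "AdvancedRun.exe",   # shortened from the report
               f'"{DROP}\\AdvancedRun.exe" /EXEFilename "{DROP}\\test.bat" /RunAs 8 /Run'),
    1512: Proc(1512, "AdvancedRun.exe", f'"{DROP}\\AdvancedRun.exe" /SpecialRun 4101d8 1624'),
    760:  Proc(760, "powershell.exe",
               r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference '
               r'-ExclusionPath "C:\Users\Admin\AppData\Local\Temp\PROFORMA INVOICE.scr" -Force'),
    1548: Proc(1548, "cmd.exe", r'"C:\Windows\System32\cmd.exe" /c timeout 1'),
    1516: Proc(1516, "timeout.exe", "timeout 1"),
    632:  Proc(632, "regsvcs.exe",
               r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"'),
    340:  Proc(340, "WerFault.exe", r"C:\Windows\SysWOW64\WerFault.exe -u -p 1668 -s 1440"),
}

# (writer pid, target pid) -> number of WriteProcessMemory rows in the report
WRITES: Counter = Counter({
    (1668, 1624): 4, (1624, 1512): 4, (1668, 760): 4, (1668, 1548): 4,
    (1548, 1516): 4, (1668, 632): 12, (1668, 340): 4,
})
SET_THREAD_CONTEXT: List[Tuple[int, int]] = [(1668, 632)]   # (caller pid, target pid)

def build_tree(writes: Counter):
    """Recover parent/child links from WriteProcessMemory rows. The first
    process to write into a fresh pid is its creator: process creation writes
    the child's startup data before the child runs, which is why every
    ordinary child in the report shows the same small write count."""
    parent: Dict[int, int] = {}
    children: Dict[int, List[int]] = defaultdict(list)
    for writer, target in writes:            # insertion order == report order
        if target not in parent:
            parent[target] = writer
            children[writer].append(target)
    return parent, children

def render_tree(procs, children, root, depth=0) -> List[str]:
    lines = [f"{'    ' * depth}{procs[root].image} (pid {root})"]
    for child in children.get(root, []):
        lines.extend(render_tree(procs, children, child, depth + 1))
    return lines

def is_argless(cmdline: str) -> bool:
    """True when the command line is only the (optionally quoted) image path."""
    s = cmdline.strip()
    if s.startswith('"'):
        rest = s[s.find('"', 1) + 1:]
    else:
        rest = s.split(" ", 1)[1] if " " in s else ""
    return rest.strip() == ""

@dataclass(frozen=True)
class Hollowing:
    pid: int
    image: str
    writes: int
    argless: bool

def hollowing_candidates(procs, writes, set_thread_context) -> List[Hollowing]:
    """Flag a child when its creator set the child's thread context AND wrote
    into it more often than the baseline a plain spawn produces. SetThreadContext
    alone is also what debuggers do; paired with excess writes into a
    just-created, argument-less host it is the hollowing pattern."""
    baseline = Counter(writes.values()).most_common(1)[0][0]   # 4 in this report
    found = []
    for caller, target in set_thread_context:
        n = writes.get((caller, target), 0)
        if n > baseline:
            found.append(Hollowing(target, procs[target].image, n,
                                   is_argless(procs[target].cmdline)))
    return found

if __name__ == "__main__":
    parent, children = build_tree(WRITES)
    root = next(p for p in PROCS if p not in parent)
    print("\n".join(render_tree(PROCS, children, root)))
    for h in hollowing_candidates(PROCS, WRITES, SET_THREAD_CONTEXT):
        print(f"hollowing target: {h.image} (pid {h.pid}), {h.writes} writes, "
              f"launched without arguments: {h.argless}")
```

The baseline is derived from the data rather than hard-coded because the number of writes a plain spawn produces depends on the tracing layer; what matters is the outlier relative to the siblings. On this page's rows the tree comes out in the same order as the report and regsvcs.exe is the only candidate.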
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\5d455455-203e-4596-9dc3-d1a3701e071e\AdvancedRun.exe
MD5: 17fc12902f4769af3a9271eb4e2dacce
SHA1: 9a4a1581cc3971579574f837e110f3bd6d529dab
SHA256: 29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b
SHA512: 036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a
(the report lists this same file and hash set seven times, with and without the drive letter; only one entry is kept here)
Memory dumps (name, size):
memory/340-37-0x0000000000800000-0x0000000000801000-memory.dmp  4KB
memory/340-34-0x0000000001F40000-0x0000000001F51000-memory.dmp  68KB
memory/340-33-0x0000000000000000-mapping.dmp
memory/632-36-0x0000000004780000-0x0000000004781000-memory.dmp  4KB
memory/632-29-0x000000000046467E-mapping.dmp
memory/632-31-0x0000000000400000-0x000000000046A000-memory.dmp  424KB
memory/632-30-0x0000000074110000-0x00000000747FE000-memory.dmp  6.9MB
memory/632-28-0x0000000000400000-0x000000000046A000-memory.dmp  424KB
memory/760-23-0x0000000004860000-0x0000000004861000-memory.dmp  4KB
memory/760-46-0x0000000006170000-0x0000000006171000-memory.dmp  4KB
memory/760-70-0x00000000062D0000-0x00000000062D1000-memory.dmp  4KB
memory/760-69-0x00000000062C0000-0x00000000062C1000-memory.dmp  4KB
memory/760-55-0x00000000055D0000-0x00000000055D1000-memory.dmp  4KB
memory/760-26-0x0000000004822000-0x0000000004823000-memory.dmp  4KB
memory/760-25-0x0000000004820000-0x0000000004821000-memory.dmp  4KB
memory/760-27-0x00000000025D0000-0x00000000025D1000-memory.dmp  4KB
memory/760-20-0x0000000074110000-0x00000000747FE000-memory.dmp  6.9MB
memory/760-18-0x0000000000000000-mapping.dmp
memory/760-54-0x000000007EF30000-0x000000007EF31000-memory.dmp  4KB
memory/760-53-0x0000000006200000-0x0000000006201000-memory.dmp  4KB
memory/760-21-0x0000000000980000-0x0000000000981000-memory.dmp  4KB
memory/760-45-0x00000000056B0000-0x00000000056B1000-memory.dmp  4KB
memory/760-35-0x0000000004790000-0x0000000004791000-memory.dmp  4KB
memory/760-40-0x0000000005610000-0x0000000005611000-memory.dmp  4KB
memory/1512-15-0x0000000000000000-mapping.dmp
memory/1516-24-0x0000000000000000-mapping.dmp
memory/1548-22-0x0000000000000000-mapping.dmp
memory/1624-9-0x0000000000000000-mapping.dmp
memory/1624-11-0x0000000074B31000-0x0000000074B33000-memory.dmp  8KB
memory/1668-3-0x00000000000F0000-0x00000000000F1000-memory.dmp  4KB
memory/1668-2-0x0000000074110000-0x00000000747FE000-memory.dmp  6.9MB
memory/1668-5-0x00000000004D0000-0x00000000004D1000-memory.dmp  4KB
memory/1668-6-0x0000000005730000-0x000000000580B000-memory.dmp  876KB