Analysis
- max time kernel: 124s
- max time network: 120s
- platform: windows7_x64
- resource: win7v20210408
- submitted: 04-05-2021 15:24

Static task: static1

Behavioral task: behavioral1
  Sample: DHL 4677348255142.exe
  Resource: win7v20210408

Behavioral task: behavioral2
  Sample: DHL 4677348255142.exe
  Resource: win10v20210410
General
- Target: DHL 4677348255142.exe
- Size: 606KB
- MD5: 4eb10dfd43a4d6415e554316cd1bc288
- SHA1: 0a488404456576535cb7acbbaa948fc5053f30f5
- SHA256: 6cf104c9a72fd0d57d3a9e6be82836cb66e74a89cac1890d36a37c8d7452cd8c
- SHA512: 9605a587666642348e3b0c56b3f98b190e3c74f5aa3b42255e30148d6168473ec8990d71e813c12ecf84e4e6b8f01b5bd84ef6372050eff88402704eb3c2c44c
Malware Config
Extracted: snakekeylogger
- Protocol: smtp
- Host: mail.almatls.com
- Port: 587
- Username: ewalogs@almatls.com
- Password: 0c0qf7xTL1
Signatures
- Snake Keylogger
  Keylogger and Infostealer first seen in November 2020.
- Snake Keylogger Payload (3 IoCs)
  Processes:
    resource                                                                     yara_rule
    behavioral1/memory/1504-68-0x0000000000400000-0x000000000046A000-memory.dmp  family_snakekeylogger
    behavioral1/memory/1504-69-0x00000000004645CE-mapping.dmp                    family_snakekeylogger
    behavioral1/memory/1504-70-0x0000000000400000-0x000000000046A000-memory.dmp  family_snakekeylogger
- Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.
- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk where infostealers will often target it.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Looks up external IP address via web service (3 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes:
    flow  ioc
    10    freegeoip.app
    11    freegeoip.app
    5     checkip.dyndns.org
- Suspicious use of SetThreadContext (1 IoCs)
  Processes:
    PID 280 (DHL 4677348255142.exe) set thread context of PID 1504 (DHL 4677348255142.exe)
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses (1 IoCs)
  Processes:
    PID 1504 DHL 4677348255142.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes:
    Token: SeDebugPrivilege  PID 1504 (DHL 4677348255142.exe)
- Suspicious use of WriteProcessMemory (13 IoCs)
  Processes:
    PID 280 (DHL 4677348255142.exe) wrote to memory of PID 1312 (schtasks.exe)           (4 entries)
    PID 280 (DHL 4677348255142.exe) wrote to memory of PID 1504 (DHL 4677348255142.exe)  (9 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\DHL 4677348255142.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\DHL 4677348255142.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\schtasks.exe (level 2)
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\cfTQyYsAKIAw" /XML "C:\Users\Admin\AppData\Local\Temp\tmp340B.tmp"
    - Creates scheduled task(s)
  - C:\Users\Admin\AppData\Local\Temp\DHL 4677348255142.exe (level 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\DHL 4677348255142.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmp340B.tmp
  MD5: a59943c8c5b83bd1ffce73e82071623d
  SHA1: c63d168e125daec6541f34854123f208b541aa3f
  SHA256: 3d00558329cbe1402c85b2955cbd484c3ffe75e65c757c1cbeb984ef624885b1
  SHA512: 45f751d62b7ada712c92e304260292f452593bb010d075e77213651643617f109e486ab3c2e745f1b7ed9118bf6ea7ecdb20bdb1fb80a9f84d8a9e38475a0e29
- memory/280-60-0x0000000001210000-0x0000000001211000-memory.dmp
  Filesize: 4KB
- memory/280-62-0x0000000004EE0000-0x0000000004EE1000-memory.dmp
  Filesize: 4KB
- memory/280-63-0x0000000000560000-0x000000000056E000-memory.dmp
  Filesize: 56KB
- memory/280-64-0x0000000004780000-0x00000000047E7000-memory.dmp
  Filesize: 412KB
- memory/280-65-0x0000000004E00000-0x0000000004E6B000-memory.dmp
  Filesize: 428KB
- memory/1312-66-0x0000000000000000-mapping.dmp
- memory/1504-68-0x0000000000400000-0x000000000046A000-memory.dmp
  Filesize: 424KB
- memory/1504-69-0x00000000004645CE-mapping.dmp
- memory/1504-70-0x0000000000400000-0x000000000046A000-memory.dmp
  Filesize: 424KB
- memory/1504-72-0x0000000004D60000-0x0000000004D61000-memory.dmp
  Filesize: 4KB