Analysis
-
max time kernel
18s -
max time network
118s -
platform
windows7_x64 -
resource
win7v20210408 -
submitted
11-05-2021 11:10
Static task
static1
Behavioral task
behavioral1
Sample
be8928c5_by_Libranalysis.exe
Resource
win7v20210408
Behavioral task
behavioral2
Sample
be8928c5_by_Libranalysis.exe
Resource
win10v20210410
General
-
Target
be8928c5_by_Libranalysis.exe
-
Size
576KB
-
MD5
be8928c5a8b81bd3dc8c5c031bffb529
-
SHA1
f5a55492ca257306cb51b10169cf37bb6bee4caf
-
SHA256
b9b7c8c13a609e6a8ecdafaf039b5f7505f7fb72d444a41ff7705a8a249e4b4b
-
SHA512
c8b5c29602ea94d5b605bc57a7934f91b6be3711dfd865c06409abc88aaded09922cea5f7c7e940651e8b0d5918a8b76e6c249ab57da3d243a67f0cc377892f4
Malware Config
Extracted
snakekeylogger
Protocol: smtp- Host:
smtp.ionos.com - Port:
587 - Username:
office@airtechair.net - Password:
Airtech2010@
Signatures
-
Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
-
Snake Keylogger Payload 2 IoCs
Processes:
resource yara_rule behavioral1/memory/2008-65-0x0000000000400000-0x0000000000478000-memory.dmp family_snakekeylogger behavioral1/memory/2008-66-0x0000000001DA0000-0x0000000001E03000-memory.dmp family_snakekeylogger -
Loads dropped DLL 1 IoCs
Processes:
be8928c5_by_Libranalysis.exepid process 980 be8928c5_by_Libranalysis.exe -
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
be8928c5_by_Libranalysis.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\ehubrd = "C:\\Users\\Admin\\AppData\\Roaming\\dsxra\\ghqtlv.exe" be8928c5_by_Libranalysis.exe -
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 5 checkip.dyndns.org 10 freegeoip.app 11 freegeoip.app -
Suspicious use of SetThreadContext 1 IoCs
Processes:
be8928c5_by_Libranalysis.exedescription pid process target process PID 980 set thread context of 2008 980 be8928c5_by_Libranalysis.exe be8928c5_by_Libranalysis.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes:
be8928c5_by_Libranalysis.exepid process 2008 be8928c5_by_Libranalysis.exe -
Suspicious behavior: MapViewOfSection 1 IoCs
Processes:
be8928c5_by_Libranalysis.exepid process 980 be8928c5_by_Libranalysis.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
be8928c5_by_Libranalysis.exedescription pid process Token: SeDebugPrivilege 2008 be8928c5_by_Libranalysis.exe -
Suspicious use of WriteProcessMemory 5 IoCs
Processes:
be8928c5_by_Libranalysis.exedescription pid process target process PID 980 wrote to memory of 2008 980 be8928c5_by_Libranalysis.exe be8928c5_by_Libranalysis.exe PID 980 wrote to memory of 2008 980 be8928c5_by_Libranalysis.exe be8928c5_by_Libranalysis.exe PID 980 wrote to memory of 2008 980 be8928c5_by_Libranalysis.exe be8928c5_by_Libranalysis.exe PID 980 wrote to memory of 2008 980 be8928c5_by_Libranalysis.exe be8928c5_by_Libranalysis.exe PID 980 wrote to memory of 2008 980 be8928c5_by_Libranalysis.exe be8928c5_by_Libranalysis.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\be8928c5_by_Libranalysis.exe"C:\Users\Admin\AppData\Local\Temp\be8928c5_by_Libranalysis.exe"1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\be8928c5_by_Libranalysis.exe"C:\Users\Admin\AppData\Local\Temp\be8928c5_by_Libranalysis.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
\Users\Admin\AppData\Local\Temp\nsd9780.tmp\soiovgmvyq6.dllMD5
045d1c71d5d4ed65dae388d75d1c9578
SHA1d305920290dcf113b5bf16ebd93ecc41f2857a55
SHA2562b7927f1ecf4ca76c066ef892edcae560a9682cb2dd2ef388e07a62f81746931
SHA512efd0f432e89ee7eee94386c79d828ef6b4c47f40ce00b1d189e4c8dca04b62695fdbfa0b0e0499fcaf97d6e30fa4cb8098986962803ee308f2ccf465dc0812d8
-
memory/980-60-0x0000000075FF1000-0x0000000075FF3000-memory.dmpFilesize
8KB
-
memory/980-64-0x0000000000560000-0x0000000000563000-memory.dmpFilesize
12KB
-
memory/2008-62-0x000000000040188B-mapping.dmp
-
memory/2008-65-0x0000000000400000-0x0000000000478000-memory.dmpFilesize
480KB
-
memory/2008-66-0x0000000001DA0000-0x0000000001E03000-memory.dmpFilesize
396KB
-
memory/2008-68-0x00000000020A1000-0x00000000020A2000-memory.dmpFilesize
4KB
-
memory/2008-69-0x00000000020A2000-0x00000000020A3000-memory.dmpFilesize
4KB
-
memory/2008-70-0x00000000020A3000-0x00000000020A4000-memory.dmpFilesize
4KB
-
memory/2008-71-0x00000000020A4000-0x00000000020A5000-memory.dmpFilesize
4KB