Overview

overview

10

Static

static

QUOTATION.exe

windows7_x64

10

QUOTATION.exe

windows10_x64

10

Analysis

  • max time kernel
    114s
  • max time network
    143s
  • platform
    windows7_x64
  • resource
    win7v20210410
  • submitted
    07-06-2021 09:09

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    QUOTATION.exe

  • Size

    1.0MB

  • MD5

    bdc873a7a6e41514faa0d8294731b3b5

  • SHA1

    7230e4e49239643b5c379a8d4d01f6d24fff757e

  • SHA256

    8b1702fd70eb89fd46daedb3bfb9dd421ed059b6d6e8acdfb04ddc360481e081

  • SHA512

    c8d47420885a2ef1644ef237120692f062214ed9fd72e09e285a0a8619df1335ade3219e0b0695ee135d1ca27b26836e5a0b94b0069217ae67c2da6e8833a49e

Score
10/10
snakekeyloggerevasionkeyloggerspywarestealer

Malware Config

Extracted

Family

snakekeylogger

Credentials

  • Protocol:     smtp
  • Host:
    smtp.vivaldi.net
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    oluwagozie123

Signatures

  • Snake Keylogger

    Keylogger and Infostealer first seen in November 2020.

    stealerkeyloggersnakekeylogger
  • Looks for VirtualBox Guest Additions in registry 2 TTPs
    evasion
  • Looks for VMWare Tools registry key 2 TTPs
    evasion
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Looks up external IP address via web service 3 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Maps connected drives based on registry 3 TTPs 2 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\QUOTATION.exe
    "C:\Users\Admin\AppData\Local\Temp\QUOTATION.exe"
    1⤵
    • Checks BIOS information in registry
    • Maps connected drives based on registry
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:1720
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\QUOTATION.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:684
    • C:\Users\Admin\AppData\Local\Temp\QUOTATION.exe
      "C:\Users\Admin\AppData\Local\Temp\QUOTATION.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1648

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/684-74-0x00000000046E0000-0x00000000046E1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/684-96-0x0000000005610000-0x0000000005611000-memory.dmp

    Filesize

    4KB

    Download

  • memory/684-111-0x0000000006310000-0x0000000006311000-memory.dmp

    Filesize

    4KB

    Download

  • memory/684-110-0x0000000006300000-0x0000000006301000-memory.dmp

    Filesize

    4KB

    Download

  • memory/684-75-0x00000000046E2000-0x00000000046E3000-memory.dmp

    Filesize

    4KB

    Download

  • memory/684-66-0x0000000000000000-mapping.dmp

    Download

  • memory/684-67-0x0000000075161000-0x0000000075163000-memory.dmp

    Filesize

    8KB

    Download

  • memory/684-78-0x0000000005240000-0x0000000005241000-memory.dmp

    Filesize

    4KB

    Download

  • memory/684-70-0x0000000002280000-0x0000000002281000-memory.dmp

    Filesize

    4KB

    Download

  • memory/684-95-0x000000007EF30000-0x000000007EF31000-memory.dmp

    Filesize

    4KB

    Download

  • memory/684-72-0x0000000004720000-0x0000000004721000-memory.dmp

    Filesize

    4KB

    Download

  • memory/684-94-0x0000000006280000-0x0000000006281000-memory.dmp

    Filesize

    4KB

    Download

  • memory/684-87-0x00000000061C0000-0x00000000061C1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/684-86-0x0000000005710000-0x0000000005711000-memory.dmp

    Filesize

    4KB

    Download

  • memory/684-81-0x0000000005650000-0x0000000005651000-memory.dmp

    Filesize

    4KB

    Download

  • memory/684-77-0x0000000002560000-0x0000000002561000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1648-76-0x0000000002330000-0x0000000002331000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1648-68-0x0000000000400000-0x0000000000424000-memory.dmp

    Filesize

    144KB

    Download

  • memory/1648-71-0x0000000000400000-0x0000000000424000-memory.dmp

    Filesize

    144KB

    Download

  • memory/1648-69-0x000000000041F86E-mapping.dmp

    Download

  • memory/1720-65-0x0000000004D30000-0x0000000004D61000-memory.dmp

    Filesize

    196KB

    Download

  • memory/1720-63-0x00000000047F0000-0x00000000047F1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1720-62-0x0000000000710000-0x000000000072E000-memory.dmp

    Filesize

    120KB

    Download

  • memory/1720-64-0x0000000004EA0000-0x0000000004F13000-memory.dmp

    Filesize

    460KB

    Download

  • memory/1720-60-0x0000000000BF0000-0x0000000000BF1000-memory.dmp

    Filesize

    4KB

    Download