Analysis
- Max time kernel: 105s
- Max time network: 119s
- Platform: windows10_x64
- Resource: win10v20210408
- Submitted: 18-06-2021 12:02
- Static task: static1
- Behavioral task: behavioral1
  Sample: consignment details.exe
  Resource: win7v20210408
- Behavioral task: behavioral2
  Sample: consignment details.exe
  Resource: win10v20210408
General
- Target: consignment details.exe
- Size: 174KB
- MD5: d8a960f613e009eef9f81887a39e7cd0
- SHA1: 52e658fc0d3d436594c06d1b9a75d2c065622d9f
- SHA256: 7598d6cadbbded8074763a1e8b0e8c24f125c0ceaf194c9f386acf9e8a811a28
- SHA512: 441abf3939ada9b4e33f1c6452715295bc375559fb96ff39d15975417eaac78832d97b9b6dcbc67629de5803995a541ca90129fd1c7dae13320c107e8fc9e8ea
Malware Config
Extracted: snakekeylogger
- Protocol: smtp
- Host: msonsgroup.in
- Port: 587
- Username: speak@msonsgroup.in
- Password: speak2424@
Signatures
- Snake Keylogger
  Keylogger and Infostealer first seen in November 2020.
- Loads dropped DLL (2 IoCs)
  Processes:
    pid  process
    804  consignment details.exe
    804  consignment details.exe
- Looks up external IP address via web service (3 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes:
    flow  ioc
    11    checkip.dyndns.org
    14    freegeoip.app
    15    freegeoip.app
- Suspicious use of SetThreadContext (1 IoC)
  Processes (consignment details.exe):
    description                         pid  process                  target process
    PID 804 set thread context of 4008  804  consignment details.exe  MSBuild.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (9 IoCs)
  Processes (consignment details.exe, MSBuild.exe):
    pid   process
    804   consignment details.exe
    804   consignment details.exe
    804   consignment details.exe
    804   consignment details.exe
    804   consignment details.exe
    804   consignment details.exe
    804   consignment details.exe
    804   consignment details.exe
    4008  MSBuild.exe
- Suspicious behavior: MapViewOfSection (1 IoC)
  Processes (consignment details.exe):
    pid  process
    804  consignment details.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes (MSBuild.exe):
    description              pid   process
    Token: SeDebugPrivilege  4008  MSBuild.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes (consignment details.exe):
    description                      pid  process                  target process
    PID 804 wrote to memory of 4008  804  consignment details.exe  MSBuild.exe
    PID 804 wrote to memory of 4008  804  consignment details.exe  MSBuild.exe
    PID 804 wrote to memory of 4008  804  consignment details.exe  MSBuild.exe
    PID 804 wrote to memory of 4008  804  consignment details.exe  MSBuild.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\consignment details.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\consignment details.exe"
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe (child process)
    Command line: "C:\Users\Admin\AppData\Local\Temp\consignment details.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- \Users\Admin\AppData\Local\Temp\nsm8B9D.tmp\System.dll
  MD5: 56a321bd011112ec5d8a32b2f6fd3231
  SHA1: df20e3a35a1636de64df5290ae5e4e7572447f78
  SHA256: bb6df93369b498eaa638b0bcdc4bb89f45e9b02ca12d28bcedf4629ea7f5e0f1
  SHA512: 5354890cbc53ce51081a78c64ba9c4c8c4dc9e01141798c1e916e19c5776dac7c82989fad0f08c73e81aaba332dad81205f90d0663119af45550b97b338b9cc3
- memory/4008-116-0x000000000041F85E-mapping.dmp
- memory/4008-117-0x0000000000400000-0x0000000000424000-memory.dmp
  Filesize: 144KB
- memory/4008-119-0x0000000005CD0000-0x0000000005CD1000-memory.dmp
  Filesize: 4KB
- memory/4008-120-0x0000000005870000-0x0000000005871000-memory.dmp
  Filesize: 4KB
- memory/4008-121-0x00000000057D0000-0x0000000005CCE000-memory.dmp
  Filesize: 5.0MB
- memory/4008-122-0x00000000068E0000-0x00000000068E1000-memory.dmp
  Filesize: 4KB
- memory/4008-123-0x00000000067E0000-0x00000000067E1000-memory.dmp
  Filesize: 4KB
- memory/4008-124-0x0000000006790000-0x0000000006791000-memory.dmp
  Filesize: 4KB