Analysis
- max time kernel: 102s
- max time network: 135s
- platform: windows10_x64
- resource: win10v20210410
- submitted: 21-06-2021 09:11

Static task: static1

Behavioral task: behavioral1
  Sample: bad.exe
  Resource: win7v20210408

Behavioral task: behavioral2
  Sample: bad.exe
  Resource: win10v20210410
General
- Target: bad.exe
- Size: 444KB
- MD5: e869d577fdb63504a7886dafda500ff5
- SHA1: 7f1067d951f5dfe33323076e558c53c96ae140f2
- SHA256: 6d22e09e56ea48a1f1f3e84a511bae12f9aac12025e722c4463f845fe6495c5b
- SHA512: dd70868c3b534e1c2a8e8d9ff149fc36cae6a0604073da405285289249924af8ef9422f819db7502b9e734dc7d78af633a16e571b48d23e95bc29378c0fe0c23
Malware Config
Extracted: snakekeylogger
- Protocol: smtp
- Host: gmicaprelam.in
- Port: 587
- Username: morgan@gmicaprelam.in
- Password: morgan2424@
Signatures
- Snake Keylogger
  Keylogger and Infostealer first seen in November 2020.

- Snake Keylogger Payload (2 IoCs)
  Processes:
    resource                                                                     yara_rule
    behavioral2/memory/860-117-0x0000000000590000-0x00000000005F8000-memory.dmp  family_snakekeylogger
    behavioral2/memory/860-122-0x0000000004AC0000-0x0000000004FBE000-memory.dmp  family_snakekeylogger

- Loads dropped DLL (2 IoCs)
  Processes:
    pid   process
    4048  bad.exe  (2 entries)

- Looks up external IP address via web service (3 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes:
    flow  ioc
    7     checkip.dyndns.org
    10    freegeoip.app
    11    freegeoip.app

- Suspicious use of SetThreadContext (1 IoC)
  Processes:
    description                          pid   process  target process
    PID 4048 set thread context of 860   4048  bad.exe  MSBuild.exe

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

- Suspicious behavior: EnumeratesProcesses (9 IoCs)
  Processes:
    pid   process
    4048  bad.exe      (8 entries)
    860   MSBuild.exe

- Suspicious behavior: MapViewOfSection (2 IoCs)
  Processes:
    pid   process
    4048  bad.exe  (2 entries)

- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
    description               pid  process
    Token: SeDebugPrivilege   860  MSBuild.exe

- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes:
    description                        pid   process  target process
    PID 4048 wrote to memory of 860    4048  bad.exe  MSBuild.exe  (4 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\bad.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\bad.exe"
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory

  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe (depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\bad.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- \Users\Admin\AppData\Local\Temp\nsw1813.tmp\System.dll
  MD5: fccff8cb7a1067e23fd2e2b63971a8e1
  SHA1: 30e2a9e137c1223a78a0f7b0bf96a1c361976d91
  SHA256: 6fcea34c8666b06368379c6c402b5321202c11b00889401c743fb96c516c679e
  SHA512: f4335e84e6f8d70e462a22f1c93d2998673a7616c868177cac3e8784a3be1d7d0bb96f2583fa0ed82f4f2b6b8f5d9b33521c279a42e055d80a94b4f3f1791e0c
- memory/860-116-0x00000000005F202E-mapping.dmp
- memory/860-117-0x0000000000590000-0x00000000005F8000-memory.dmp (Filesize: 416KB)
- memory/860-119-0x0000000004FC0000-0x0000000004FC1000-memory.dmp (Filesize: 4KB)
- memory/860-120-0x0000000004C00000-0x0000000004C01000-memory.dmp (Filesize: 4KB)
- memory/860-121-0x0000000005B90000-0x0000000005B91000-memory.dmp (Filesize: 4KB)
- memory/860-123-0x0000000005D60000-0x0000000005D61000-memory.dmp (Filesize: 4KB)
- memory/860-122-0x0000000004AC0000-0x0000000004FBE000-memory.dmp (Filesize: 5.0MB)
- memory/860-124-0x0000000005E10000-0x0000000005E11000-memory.dmp (Filesize: 4KB)