Analysis
- max time kernel: 149s
- max time network: 157s
- platform: windows10_x64
- resource: win10v20210410
- submitted: 27-07-2021 16:01

Static task: static1

Behavioral task: behavioral1
- Sample: SOA.exe
- Resource: win7v20210408

Behavioral task: behavioral2
- Sample: SOA.exe
- Resource: win10v20210410
General
- Target: SOA.exe
- Size: 848KB
- MD5: d9344c912365aabd84371a9af639f7d2
- SHA1: b57633c65e2589e00622eb589825c72ab4ce77ff
- SHA256: bf8a6acb579ba856c81bef70a2a4d8050448fa341473893cecc21d0fa34f4f65
- SHA512: 4de960219fdf45939f2500b499a90aa4a00ae88276c81d5197a57113816109aad2426bcfbb50007123d664867a75f6201d66d04b3e2ba9a59a2ecbb0482eb64e
Malware Config
Extracted (family: snakekeylogger)
- Protocol: smtp
- Host: smtp.mpjewellers.com
- Port: 587
- Username: midnapore@mpjewellers.com
- Password: mpjw2013
Signatures
- Snake Keylogger
  Keylogger and Infostealer first seen in November 2020.
- Looks up external IP address via web service (3 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Network flows:
  - flow 17: freegeoip.app
  - flow 18: freegeoip.app
  - flow 15: checkip.dyndns.org
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
  - PID 4024 (SOA.exe) set thread context of PID 3076 (RegSvcs.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses (10 IoCs)
  Processes:
  - PID 4024 (SOA.exe): 9 events
  - PID 3076 (RegSvcs.exe): 1 event
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes:
  - Token SeDebugPrivilege: PID 4024 (SOA.exe)
  - Token SeDebugPrivilege: PID 3076 (RegSvcs.exe)
- Suspicious use of WriteProcessMemory (23 IoCs)
  Processes (source PID 4024, SOA.exe, wrote to the memory of the target process):
  - target PID 3108 (schtasks.exe): 3 events
  - target PID 4092 (RegSvcs.exe): 3 events
  - target PID 1584 (RegSvcs.exe): 3 events
  - target PID 1308 (RegSvcs.exe): 3 events
  - target PID 1272 (RegSvcs.exe): 3 events
  - target PID 3076 (RegSvcs.exe): 8 events
Processes
- C:\Users\Admin\AppData\Local\Temp\SOA.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\SOA.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Child processes (depth 2):
  - C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\OGQgvVcgJmlf" /XML "C:\Users\Admin\AppData\Local\Temp\tmpC74D.tmp"
    - Creates scheduled task(s)
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    Command line: "{path}"
    (4 instances, no signatures triggered)
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    Command line: "{path}"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmpC74D.tmp
  - MD5: 01f575c2ca155d1d787cf888a6d2bf38
  - SHA1: 930558f825cf2b452282d4568e6252b07178a1c7
  - SHA256: c6a31dbc14f7ca52363757178a77fb6b87ab906c20a530286fb8e567d0f50093
  - SHA512: 140114dac721d18a64a29f42f628e883446fc40863f1b65310060b3bbd5ca797e8e177cb3b7bf7b0f87d7b367553e9091a81c67ce1975f4db8741b61c3eda8a0

Memory dumps (file, size):
- memory/3076-134-0x00000000068D0000-0x00000000068D1000-memory.dmp, 4KB
- memory/3076-132-0x0000000005700000-0x0000000005BFE000-memory.dmp, 5.0MB
- memory/3076-127-0x000000000041F00E-mapping.dmp
- memory/3076-126-0x0000000000400000-0x0000000000424000-memory.dmp, 144KB
- memory/3108-124-0x0000000000000000-mapping.dmp
- memory/4024-118-0x0000000004AF0000-0x0000000004AF1000-memory.dmp, 4KB
- memory/4024-122-0x0000000007420000-0x00000000074C9000-memory.dmp, 676KB
- memory/4024-123-0x00000000072D0000-0x000000000732F000-memory.dmp, 380KB
- memory/4024-121-0x0000000004A50000-0x0000000004F4E000-memory.dmp, 5.0MB
- memory/4024-120-0x0000000004F30000-0x0000000004F32000-memory.dmp, 8KB
- memory/4024-119-0x0000000007130000-0x0000000007131000-memory.dmp, 4KB
- memory/4024-114-0x00000000001C0000-0x00000000001C1000-memory.dmp, 4KB
- memory/4024-117-0x0000000004B30000-0x0000000004B31000-memory.dmp, 4KB
- memory/4024-116-0x0000000004F50000-0x0000000004F51000-memory.dmp, 4KB