Analysis
- max time kernel: 120s
- max time network: 186s
- platform: windows7_x64
- resource: win7v20210410
- submitted: 27-07-2021 17:08
Static task: static1
Behavioral task: behavioral1
- Sample: qqwN5be4oIxaByX.exe
- Resource: win7v20210410
Behavioral task: behavioral2
- Sample: qqwN5be4oIxaByX.exe
- Resource: win10v20210410
General
- Target: qqwN5be4oIxaByX.exe
- Size: 816KB
- MD5: 2bea67be8c5cb1d75e1b30306f7b4a88
- SHA1: bd2094cfbfb10a266bd888a3c12bccc561186a59
- SHA256: 699482d44a6cd0c8a5e2c171315d138627e72130d5a3ff9f6bc65b992eb82517
- SHA512: 5b540816b0913b2600f77252e1e0972f9ace0dd342da84f3bee3a4b14606c59e7076d21995352e352d29f15c547a46fd61c03efc29bdff3d306e6fd5984c1f30
Malware Config
Extracted: snakekeylogger
- Protocol: smtp
- Host: SMTP.VIVALDI.NET
- Port: 587
- Username: AKASSBABA99@VIVALDI.NET
- Password: #munachimso#
Signatures
- Snake Keylogger
  Keylogger and Infostealer first seen in November 2020.
- Looks up external IP address via web service (1 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes:
    flow | ioc
    6    | checkip.dyndns.org
- Suspicious use of SetThreadContext (1 IoCs)
  Processes: qqwN5be4oIxaByX.exe
    description                         | pid  | process             | target process
    PID 1032 set thread context of 1584 | 1032 | qqwN5be4oIxaByX.exe | qqwN5be4oIxaByX.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Program crash (1 IoCs)
  Processes: WerFault.exe
    pid | pid_target | process      | target process
    432 | 1584       | WerFault.exe | qqwN5be4oIxaByX.exe
- Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses (5 IoCs)
  Processes: qqwN5be4oIxaByX.exe, WerFault.exe
    pid  | process
    1584 | qqwN5be4oIxaByX.exe
    432  | WerFault.exe
    432  | WerFault.exe
    432  | WerFault.exe
    432  | WerFault.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes: qqwN5be4oIxaByX.exe, WerFault.exe
    description             | pid  | process
    Token: SeDebugPrivilege | 1584 | qqwN5be4oIxaByX.exe
    Token: SeDebugPrivilege | 432  | WerFault.exe
- Suspicious use of WriteProcessMemory (17 IoCs)
  Processes: qqwN5be4oIxaByX.exe, qqwN5be4oIxaByX.exe
    description                      | pid  | process             | target process
    PID 1032 wrote to memory of 772  | 1032 | qqwN5be4oIxaByX.exe | schtasks.exe
    PID 1032 wrote to memory of 772  | 1032 | qqwN5be4oIxaByX.exe | schtasks.exe
    PID 1032 wrote to memory of 772  | 1032 | qqwN5be4oIxaByX.exe | schtasks.exe
    PID 1032 wrote to memory of 772  | 1032 | qqwN5be4oIxaByX.exe | schtasks.exe
    PID 1032 wrote to memory of 1584 | 1032 | qqwN5be4oIxaByX.exe | qqwN5be4oIxaByX.exe
    PID 1032 wrote to memory of 1584 | 1032 | qqwN5be4oIxaByX.exe | qqwN5be4oIxaByX.exe
    PID 1032 wrote to memory of 1584 | 1032 | qqwN5be4oIxaByX.exe | qqwN5be4oIxaByX.exe
    PID 1032 wrote to memory of 1584 | 1032 | qqwN5be4oIxaByX.exe | qqwN5be4oIxaByX.exe
    PID 1032 wrote to memory of 1584 | 1032 | qqwN5be4oIxaByX.exe | qqwN5be4oIxaByX.exe
    PID 1032 wrote to memory of 1584 | 1032 | qqwN5be4oIxaByX.exe | qqwN5be4oIxaByX.exe
    PID 1032 wrote to memory of 1584 | 1032 | qqwN5be4oIxaByX.exe | qqwN5be4oIxaByX.exe
    PID 1032 wrote to memory of 1584 | 1032 | qqwN5be4oIxaByX.exe | qqwN5be4oIxaByX.exe
    PID 1032 wrote to memory of 1584 | 1032 | qqwN5be4oIxaByX.exe | qqwN5be4oIxaByX.exe
    PID 1584 wrote to memory of 432  | 1584 | qqwN5be4oIxaByX.exe | WerFault.exe
    PID 1584 wrote to memory of 432  | 1584 | qqwN5be4oIxaByX.exe | WerFault.exe
    PID 1584 wrote to memory of 432  | 1584 | qqwN5be4oIxaByX.exe | WerFault.exe
    PID 1584 wrote to memory of 432  | 1584 | qqwN5be4oIxaByX.exe | WerFault.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\qqwN5be4oIxaByX.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\qqwN5be4oIxaByX.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\CskrxfA" /XML "C:\Users\Admin\AppData\Local\Temp\tmpC0C0.tmp"
    - Creates scheduled task(s)
  - C:\Users\Admin\AppData\Local\Temp\qqwN5be4oIxaByX.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\qqwN5be4oIxaByX.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1584 -s 1100
      - Program crash
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmpC0C0.tmp
  MD5: 4b6ba95fce0fa7983da520a3cd1e20f3
  SHA1: 35ffd38230fd5e87f162393274491aa2ba97f286
  SHA256: dbd8496ad87d774013445c7595a7a24102598217b4142f370b01abc1ddc2284b
  SHA512: 309941fd6c9add48419f3fe50800dab8988540229cb25965d3ab58fcd1c872224dc1254de36954eea0f6d024b3641db91b2f2e81660f177e714a3bd799911707
- memory/432-74-0x00000000004E0000-0x00000000004E1000-memory.dmp (Filesize: 4KB)
- memory/432-73-0x0000000000000000-mapping.dmp
- memory/772-66-0x0000000000000000-mapping.dmp
- memory/1032-64-0x0000000001020000-0x0000000001085000-memory.dmp (Filesize: 404KB)
- memory/1032-65-0x0000000000640000-0x0000000000664000-memory.dmp (Filesize: 144KB)
- memory/1032-60-0x00000000012B0000-0x00000000012B1000-memory.dmp (Filesize: 4KB)
- memory/1032-63-0x0000000000390000-0x00000000003AB000-memory.dmp (Filesize: 108KB)
- memory/1032-62-0x0000000004EC0000-0x0000000004EC1000-memory.dmp (Filesize: 4KB)
- memory/1584-68-0x0000000000400000-0x0000000000424000-memory.dmp (Filesize: 144KB)
- memory/1584-69-0x000000000041F86E-mapping.dmp
- memory/1584-70-0x0000000000400000-0x0000000000424000-memory.dmp (Filesize: 144KB)
- memory/1584-72-0x0000000004B20000-0x0000000004B21000-memory.dmp (Filesize: 4KB)