Analysis
- Max time kernel: 67s
- Max time network: 152s
- Platform: windows10_x64
- Resource: win10v20210410
- Submitted: 27-07-2021 22:03
Tasks
- Static task: static1
- Behavioral task: behavioral1 (sample fatura.exe, resource win7v20210408)
- Behavioral task: behavioral2 (sample fatura.exe, resource win10v20210410)
The signatures, process tree and dumps on this page are from behavioral2 (win10v20210410, windows10_x64); the win7v20210408 run is not shown here.
General
- Target: fatura.exe
- Size: 1.1MB
- MD5: 6a9d0ec45e52137abf05b546151dc664
- SHA1: 2ea215c3bac1316746fb0ddb9ad7be216a596220
- SHA256: 9c247a73a2b93a70b14c37b1dbf564f38db8bb9a0e7160de1971655a4e02950a
- SHA512: 4b0a78c6da7c010c81d36d1e9ae70b60059e1e19b589221329bb447d798db0b36015e07fe7c282fc0250b409845376dd8e1651725cd8783883084d9891de994e
Malware Config
Extracted family: snakekeylogger
- Protocol: smtp
- Host: mail.ergrafica.com.ar
- Port: 587
- Username: trabajos@ergrafica.com.ar
- Password: 25834931Cecilia
The stealer exfiltrates over SMTP submission (port 587) to mail.ergrafica.com.ar with the credentials above; the mailbox on that domain is the drop point for stolen data. The host and the sender address are the actionable network IOCs (block them at the mail gateway and proxy), and the domain owner should be told that the account is being used for exfiltration.
Signatures
- Snake Keylogger
  Keylogger and infostealer first seen in November 2020.
- Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow 15: checkip.dyndns.org
- Suspicious use of SetThreadContext (1 IoC)
  PID 4036 (fatura.exe) set thread context of PID 4024 (fatura.exe)
- Suspicious behavior: EnumeratesProcesses (7 IoCs)
  PID 4036 fatura.exe (4 events), PID 4024 fatura.exe (1 event), PID 3952 dw20.exe (2 events)
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  PID 4036 fatura.exe: SeDebugPrivilege
  PID 4024 fatura.exe: SeDebugPrivilege
  PID 3952 dw20.exe: SeRestorePrivilege
  PID 3952 dw20.exe: SeBackupPrivilege
- Suspicious use of WriteProcessMemory (17 IoCs)
  source PID  source image  target PID  target image  writes
  4036        fatura.exe    4064        fatura.exe    3
  4036        fatura.exe    3904        fatura.exe    3
  4036        fatura.exe    4024        fatura.exe    8
  4024        fatura.exe    3952        dw20.exe      3
  Read together with the SetThreadContext event, this is the RunPE / process-hollowing sequence typical of .NET loaders: the parent (4036) starts a copy of itself, writes the decrypted payload into it, points the child's main thread at the new entry point with SetThreadContext and resumes it. Only 4024 received both the extra writes (8, against the three that accompany every other child creation in this report) and the SetThreadContext call; 4064 and 3904 received the baseline three writes only and show no further activity. The three writes from 4024 into dw20.exe are ordinary child creation, not injection.
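As an added example, not part of the Triage report: a Python script that parses the WriteProcessMemory and SetThreadContext signature lines exactly as the report prints them and decides which child was hollowed. It assumes that the three writes accompanying every ordinary child creation in this report (4064, 3904 and dw20.exe each show exactly three) are the creation baseline; that threshold, the function names and the verdict labels are my own, not Triage's.

```python
"""Reconstruct the injection chain from this report's flattened signature lines."""
import re
from collections import Counter, defaultdict

# Event lines copied verbatim from this report's signature tables (report data,
# not constructed).
WRITE_EVENTS = """\
PID 4036 wrote to memory of 4064 4036 fatura.exe fatura.exe
PID 4036 wrote to memory of 4064 4036 fatura.exe fatura.exe
PID 4036 wrote to memory of 4064 4036 fatura.exe fatura.exe
PID 4036 wrote to memory of 3904 4036 fatura.exe fatura.exe
PID 4036 wrote to memory of 3904 4036 fatura.exe fatura.exe
PID 4036 wrote to memory of 3904 4036 fatura.exe fatura.exe
PID 4036 wrote to memory of 4024 4036 fatura.exe fatura.exe
PID 4036 wrote to memory of 4024 4036 fatura.exe fatura.exe
PID 4036 wrote to memory of 4024 4036 fatura.exe fatura.exe
PID 4036 wrote to memory of 4024 4036 fatura.exe fatura.exe
PID 4036 wrote to memory of 4024 4036 fatura.exe fatura.exe
PID 4036 wrote to memory of 4024 4036 fatura.exe fatura.exe
PID 4036 wrote to memory of 4024 4036 fatura.exe fatura.exe
PID 4036 wrote to memory of 4024 4036 fatura.exe fatura.exe
PID 4024 wrote to memory of 3952 4024 fatura.exe dw20.exe
PID 4024 wrote to memory of 3952 4024 fatura.exe dw20.exe
PID 4024 wrote to memory of 3952 4024 fatura.exe dw20.exe
"""

CONTEXT_EVENTS = """\
PID 4036 set thread context of 4024 4036 fatura.exe fatura.exe
"""

# Every ordinary child creation in this report shows exactly three parent->child
# writes (startup parameters copied into the new process), so the write count
# alone is not evidence of injection.  Assumed baseline taken from this report,
# not a sandbox constant; re-check it on other reports.
CREATION_WRITES = 3

WRITE_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \d+ (\S+) (\S+)")
CTX_RE = re.compile(r"PID (\d+) set thread context of (\d+) \d+ (\S+) (\S+)")


def parse_events(text, regex):
    """Yield (src_pid, dst_pid, src_image, dst_image) for each line the regex matches."""
    for line in text.splitlines():
        m = regex.search(line)
        if m:
            yield int(m.group(1)), int(m.group(2)), m.group(3), m.group(4)


def classify(write_text=WRITE_EVENTS, ctx_text=CONTEXT_EVENTS):
    """Map each written-to target PID to parent, image, write count and verdict.

    hollowed     : SetThreadContext from the writer plus more writes than creation needs
    context-only : SetThreadContext without extra writes (worth a look, not classic RunPE)
    spawned      : baseline writes only, i.e. an ordinary CreateProcess
    """
    writes = Counter()
    images = {}
    for src, dst, _, dst_img in parse_events(write_text, WRITE_RE):
        writes[(src, dst)] += 1
        images[dst] = dst_img
    contexts = {(src, dst) for src, dst, _, _ in parse_events(ctx_text, CTX_RE)}

    verdicts = {}
    for (src, dst), n in writes.items():
        has_ctx = (src, dst) in contexts
        if has_ctx and n > CREATION_WRITES:
            verdict = "hollowed"
        elif has_ctx:
            verdict = "context-only"
        else:
            verdict = "spawned"
        verdicts[dst] = {"parent": src, "image": images[dst], "writes": n,
                         "set_context": has_ctx, "verdict": verdict}
    return verdicts


def injection_chain(root, verdicts):
    """Depth-first walk of parent->child edges from root: [(parent, child, verdict), ...]."""
    children = defaultdict(list)
    for pid, rec in verdicts.items():
        children[rec["parent"]].append(pid)
    edges, stack = [], [root]
    while stack:
        parent = stack.pop()
        for child in sorted(children[parent]):
            edges.append((parent, child, verdicts[child]["verdict"]))
            stack.append(child)
    return edges


def hollowed_pids(verdicts):
    """PIDs judged hollowed; their image-base dumps are the ones to carve for the payload."""
    return sorted(pid for pid, rec in verdicts.items() if rec["verdict"] == "hollowed")


if __name__ == "__main__":
    v = classify()
    for parent, child, verdict in injection_chain(4036, v):
        rec = v[child]
        print(f"{parent} -> {child} ({rec['image']}): {rec['writes']} writes, "
              f"SetThreadContext={rec['set_context']} => {verdict}")
    print("hollowed:", hollowed_pids(v))
```

Run as-is it prints one line per parent-to-child edge and names 4024 as the only hollowed process, with 4064, 3904 and the dw20.exe spawn classed as ordinary creations. The parser works on any report in this flattened format; the baseline is the part to re-check on a different sandbox, since how many creation-time writes it records can differ.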
Processes
- C:\Users\Admin\AppData\Local\Temp\fatura.exe (PID 4036)
  command line: "C:\Users\Admin\AppData\Local\Temp\fatura.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\fatura.exe (child, PID 4064 or 3904; the tree gives no PIDs, the WriteProcessMemory signature does)
    command line: "C:\Users\Admin\AppData\Local\Temp\fatura.exe"
    no signatures
  - C:\Users\Admin\AppData\Local\Temp\fatura.exe (child, PID 4064 or 3904)
    command line: "C:\Users\Admin\AppData\Local\Temp\fatura.exe"
    no signatures
  - C:\Users\Admin\AppData\Local\Temp\fatura.exe (PID 4024, the hollowed child)
    command line: "C:\Users\Admin\AppData\Local\Temp\fatura.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe (PID 3952)
      command line: dw20.exe -x -s 1376
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
dw20.exe is the .NET Framework error-reporting tool that the CLR launches when a managed application hits an unhandled exception, so its appearance under PID 4024 indicates the injected payload crashed at some point in the run. The SeRestorePrivilege and SeBackupPrivilege it enables belong to its dump collection and are not attacker behaviour; the signatures on PID 3952 can be disregarded when building detections from this report.
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\fatura.exe.log
  MD5: 568e6f2b186c39075772d775e4189f57
  SHA1: 02f642cfdd1491b1ce69e81925ed336975e2f972
  SHA256: d29bbfbb510acd8716133feeade8f914076963ccc38abb4b5a64a8d32bac44e4
  SHA512: ef3b7f6d6b355c41ca9abb40d769622ea3f79787d8d2501ad5a135fa5cc78712175190386c8e05ee863a3bc046bc09eee22310555d31e4d57a4652f280283156
- memory/3952-120-0x0000000000000000-mapping.dmp
- memory/4024-116-0x0000000000400000-0x0000000000448000-memory.dmp (288KB)
- memory/4024-117-0x000000000044285E-mapping.dmp
- memory/4024-119-0x0000000002920000-0x0000000002921000-memory.dmp (4KB)
- memory/4036-114-0x00000000032F0000-0x00000000032F1000-memory.dmp (4KB)
- memory/4036-115-0x00000000032F1000-0x00000000032F2000-memory.dmp (4KB)
The CLR_v2.0_32 UsageLogs path shows the sample ran on the 32-bit .NET Framework 2.0 runtime, consistent with the v2.0.50727 dw20.exe in the process tree. The 288KB dump from PID 4024 covering 0x400000-0x448000 is the image region the parent wrote into the hollowed child and is the most likely place to carve the unpacked Snake Keylogger payload and its SMTP configuration; the 0x44285E mapping dump falls inside that region.