Analysis
- max time kernel: 118s
- max time network: 123s
- platform: windows10_x64
- resource: win10-en-20211014
- submitted: 20-10-2021 03:54
Static task: static1
Behavioral task: behavioral1
  Sample: Q-700004637 1004913.exe
  Resource: win7-en-20210920
Behavioral task: behavioral2
  Sample: Q-700004637 1004913.exe
  Resource: win10-en-20211014
General
- Target: Q-700004637 1004913.exe
- Size: 22KB
- MD5: 75b7a294df955b78f7adf5882e600273
- SHA1: df8f94ca5d228dcbda81efd0f8a0f37ff5ffa459
- SHA256: d3c93ce13c0f0a8dd07512cb0cf5ca7474983e15e136022cd98c4ab9b6063bd4
- SHA512: 7b4c28d71348e798f3ddc7084767424754556a02a436b91e7516408b75031df32b4ba08fc60d658aeb381538c89bdf867373127ef29f6b03ec1ece56cf2e6da6
Malware Config
Extracted: snakekeylogger
- Protocol: smtp
- Host: mail.faks-allied-health.com
- Port: 587
- Username: [email protected]
- Password: $Faks1234
Signatures
- Snake Keylogger
  Keylogger and Infostealer first seen in November 2020.
- Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes:
    flow  ioc
    22    checkip.dyndns.org
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
    description                          pid   process                  target process
    PID 2052 set thread context of 1460  2052  Q-700004637 1004913.exe  Q-700004637 1004913.exe
- Program crash (1 IoC)
  Processes:
    pid   pid_target  process       target process
    4060  1460        WerFault.exe  Q-700004637 1004913.exe
- Suspicious behavior: EnumeratesProcesses (15 IoCs)
  Processes:
    pid   process
    2052  Q-700004637 1004913.exe  (2 entries)
    1460  Q-700004637 1004913.exe  (1 entry)
    4060  WerFault.exe             (12 entries)
- Suspicious use of AdjustPrivilegeToken (5 IoCs)
  Processes:
    description                pid   process
    Token: SeDebugPrivilege    2052  Q-700004637 1004913.exe
    Token: SeDebugPrivilege    1460  Q-700004637 1004913.exe
    Token: SeRestorePrivilege  4060  WerFault.exe
    Token: SeBackupPrivilege   4060  WerFault.exe
    Token: SeDebugPrivilege    4060  WerFault.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes:
    description                        pid   process                  target process
    PID 2052 wrote to memory of 1460   2052  Q-700004637 1004913.exe  Q-700004637 1004913.exe  (8 identical entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\Q-700004637 1004913.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Q-700004637 1004913.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\Q-700004637 1004913.exe (child)
    Command line: "C:\Users\Admin\AppData\Local\Temp\Q-700004637 1004913.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\WerFault.exe (child)
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1460 -s 1484
      - Program crash
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Q-700004637 1004913.exe.log
  MD5: 808e884c00533a9eb0e13e64960d9c3a
  SHA1: 279d05181fc6179a12df1a669ff5d8b64c1380ae
  SHA256: 2f6a0aab99b1c228a6642f44f8992646ce84c5a2b3b9941b6cf1f2badf67bdd6
  SHA512: 9489bdb2ffdfeef3c52edcfe9b34c6688eba53eb86075e0564df1cd474723c86b5b5aedc12df1ff5fc12cf97bd1e3cf9701ff61dc4ce90155d70e9ccfd0fc299
- memory/1460-120-0x0000000000400000-0x0000000000426000-memory.dmp
  Filesize: 152KB
- memory/1460-121-0x00000000004203DE-mapping.dmp
- memory/1460-125-0x00000000052B0000-0x00000000052B1000-memory.dmp
  Filesize: 4KB
- memory/1460-126-0x0000000004CE0000-0x0000000004CE1000-memory.dmp
  Filesize: 4KB
- memory/1460-127-0x0000000004DB0000-0x00000000052AE000-memory.dmp
  Filesize: 5.0MB
- memory/2052-115-0x00000000005F0000-0x00000000005F1000-memory.dmp
  Filesize: 4KB
- memory/2052-117-0x00000000051B0000-0x00000000051B1000-memory.dmp
  Filesize: 4KB
- memory/2052-118-0x0000000005B00000-0x0000000005B3F000-memory.dmp
  Filesize: 252KB
- memory/2052-119-0x0000000005190000-0x00000000051A8000-memory.dmp
  Filesize: 96KB