Analysis
max time kernel: 117s
max time network: 120s
platform: windows7_x64
resource: win7-en-20211104
submitted: 01-12-2021 12:36
Static task: static1
Behavioral task: behavioral1
  Sample: accounts...exe
  Resource: win7-en-20211104
Behavioral task: behavioral2
  Sample: accounts...exe
  Resource: win10-en-20211104
General
Target: accounts...exe
Size: 556KB
MD5: 089ce20083a06cdf98f86957a5e8a038
SHA1: 89a4ea2ed4f29fafa40fcfbc147250d3cf50ae65
SHA256: d3340130a8b237e60fb9f0556a261711cd437fde5fc9a1873a750ad4e7fbf057
SHA512: 61b40fd7860c8f7ff921f3106e03f83b7904fce2c57b30edaba53f902fc89ababf757059ce16635df56b96ead71039aba5e7aba51f11c14680fb0006ea5cf895
Malware Config
Extracted: snakekeylogger
  Protocol: smtp
  Host: mail.greentrading.com.pk
  Port: 26
  Username: info@greentrading.com.pk
  Password: lovetoall
Signatures
- Snake Keylogger
  Keylogger and Infostealer first seen in November 2020.
- Snake Keylogger Payload (4 IoCs)
  Resources matching yara rule family_snakekeylogger:
    behavioral1/memory/584-57-0x0000000000400000-0x0000000000477000-memory.dmp
    behavioral1/memory/584-58-0x000000000040188B-mapping.dmp
    behavioral1/memory/584-60-0x00000000044D0000-0x0000000004532000-memory.dmp
    behavioral1/memory/584-62-0x0000000000400000-0x0000000000477000-memory.dmp
- Loads dropped DLL (1 IoC)
  Process: accounts...exe (PID 1452)
- Looks up external IP address via web service (3 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Flows: flow 9 freegeoip.app; flow 10 freegeoip.app; flow 4 checkip.dyndns.org
- Suspicious use of SetThreadContext (1 IoC)
  PID 1452 (accounts...exe) set thread context of PID 584 (accounts...exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  Process: accounts...exe (PID 584)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  PID 584 (accounts...exe), Token: SeDebugPrivilege
- Suspicious use of WriteProcessMemory (11 IoCs)
  PID 1452 (accounts...exe) wrote to memory of PID 584 (accounts...exe); 11 identical events
Processes
- C:\Users\Admin\AppData\Local\Temp\accounts...exe (command line: "C:\Users\Admin\AppData\Local\Temp\accounts...exe")
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - Child: C:\Users\Admin\AppData\Local\Temp\accounts...exe (command line: "C:\Users\Admin\AppData\Local\Temp\accounts...exe")
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
Downloads
- \Users\Admin\AppData\Local\Temp\nsdC794.tmp\dybyhktmw.dll
  MD5: f49aa90c71d3513d37fd09ca3e403a0a
  SHA1: 188741b036ca643ea75064d52b2601af7a7b9f4a
  SHA256: 3eedeac7bfc5e6425b45c47ed622c4306f957e992ad42023fa92f4ce55909f5a
  SHA512: a7c4a7872406ef4bf650377556ae5e1754000153fd0d216ce4e19891902c16af3d3b2ce65665b58cdb344aa2e0e0857ec4211a0504d2f920bc22d738130615cf
- memory/584-57-0x0000000000400000-0x0000000000477000-memory.dmp (Filesize: 476KB)
- memory/584-58-0x000000000040188B-mapping.dmp
- memory/584-60-0x00000000044D0000-0x0000000004532000-memory.dmp (Filesize: 392KB)
- memory/584-63-0x0000000002051000-0x0000000002052000-memory.dmp (Filesize: 4KB)
- memory/584-62-0x0000000000400000-0x0000000000477000-memory.dmp (Filesize: 476KB)
- memory/584-64-0x0000000002052000-0x0000000002053000-memory.dmp (Filesize: 4KB)
- memory/584-65-0x0000000002053000-0x0000000002054000-memory.dmp (Filesize: 4KB)
- memory/584-66-0x0000000002054000-0x0000000002055000-memory.dmp (Filesize: 4KB)
- memory/1452-55-0x0000000075141000-0x0000000075143000-memory.dmp (Filesize: 8KB)