Analysis
-
max time kernel
122s -
max time network
122s -
platform
windows7_x64 -
resource
win7-en-20211104 -
submitted
02-12-2021 08:50
Static task
static1
Behavioral task
behavioral1
Sample
209876543456789000098.exe
Resource
win7-en-20211104
Behavioral task
behavioral2
Sample
209876543456789000098.exe
Resource
win10-en-20211014
General
-
Target
209876543456789000098.exe
-
Size
793KB
-
MD5
70ce5952a189b5eb3b5a67170981fb93
-
SHA1
ff3197ef1584ead3e7c2a39c1ac50591f8b2412f
-
SHA256
a1183aa0c74ad8ad4cd678ba674d3ca9cb88c325bf4a585521d1d2fef6769dd1
-
SHA512
7a9d78c3efb3f484f25d0064920cf02e653820a9a968a6cb09900668817b3bdecff94e3ea38328aceb98f1f758a6e1cd6c125d6c0dbb49ee47cf2ff10dbda175
Malware Config
Signatures
-
Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
-
Snake Keylogger Payload 3 IoCs
Processes:
resource yara_rule behavioral1/memory/1268-57-0x0000000000400000-0x000000000048B000-memory.dmp family_snakekeylogger behavioral1/memory/1268-58-0x000000000040188B-mapping.dmp family_snakekeylogger behavioral1/memory/1268-60-0x0000000000400000-0x000000000048B000-memory.dmp family_snakekeylogger -
Loads dropped DLL 1 IoCs
Processes:
209876543456789000098.exepid process 572 209876543456789000098.exe -
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
Processes:
209876543456789000098.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 209876543456789000098.exe Key opened \REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 209876543456789000098.exe Key opened \REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 209876543456789000098.exe -
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 4 checkip.dyndns.org 6 freegeoip.app 7 freegeoip.app -
Suspicious use of SetThreadContext 1 IoCs
Processes:
209876543456789000098.exedescription pid process target process PID 572 set thread context of 1268 572 209876543456789000098.exe 209876543456789000098.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes:
209876543456789000098.exepid process 1268 209876543456789000098.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
209876543456789000098.exedescription pid process Token: SeDebugPrivilege 1268 209876543456789000098.exe -
Suspicious use of WriteProcessMemory 11 IoCs
Processes:
209876543456789000098.exedescription pid process target process PID 572 wrote to memory of 1268 572 209876543456789000098.exe 209876543456789000098.exe PID 572 wrote to memory of 1268 572 209876543456789000098.exe 209876543456789000098.exe PID 572 wrote to memory of 1268 572 209876543456789000098.exe 209876543456789000098.exe PID 572 wrote to memory of 1268 572 209876543456789000098.exe 209876543456789000098.exe PID 572 wrote to memory of 1268 572 209876543456789000098.exe 209876543456789000098.exe PID 572 wrote to memory of 1268 572 209876543456789000098.exe 209876543456789000098.exe PID 572 wrote to memory of 1268 572 209876543456789000098.exe 209876543456789000098.exe PID 572 wrote to memory of 1268 572 209876543456789000098.exe 209876543456789000098.exe PID 572 wrote to memory of 1268 572 209876543456789000098.exe 209876543456789000098.exe PID 572 wrote to memory of 1268 572 209876543456789000098.exe 209876543456789000098.exe PID 572 wrote to memory of 1268 572 209876543456789000098.exe 209876543456789000098.exe -
outlook_office_path 1 IoCs
Processes:
209876543456789000098.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 209876543456789000098.exe -
outlook_win_path 1 IoCs
Processes:
209876543456789000098.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 209876543456789000098.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\209876543456789000098.exe"C:\Users\Admin\AppData\Local\Temp\209876543456789000098.exe"1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:572 -
C:\Users\Admin\AppData\Local\Temp\209876543456789000098.exe"C:\Users\Admin\AppData\Local\Temp\209876543456789000098.exe"2⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:1268
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
MD5
38315ac552c55973b0afc343a8411c56
SHA1906248270e5822af3ba11dd177092d361fd48725
SHA25694ab25e60d15406eec7e07e214ec6cabfcec08d00f838e9698130100f95e9faa
SHA512548e0f4fa208bca0d0ef427c955fd26971fa0140f83c365785c6461a8b51fdf942df634e67b813f8ff1f709e89b4cf17e71d07af316fdf6a236060206a15ae47