Analysis
- max time kernel: 117s
- max time network: 121s
- platform: windows7_x64
- resource: win7-en-20211104
- submitted: 02-12-2021 19:23
- Static task: static1
- Behavioral task: behavioral1 (Sample: PO-5738737272.exe, Resource: win7-en-20211104)
- Behavioral task: behavioral2 (Sample: PO-5738737272.exe, Resource: win10-en-20211014)
General
- Target: PO-5738737272.exe
- Size: 427KB
- MD5: e46e4deadec5bed6fcd3b6eb3202d606
- SHA1: a98564f3f69b65a5a031a8f8830e8d833f02a831
- SHA256: da7d90e13ecccb70bba997e4a07c76abf774dd2309bd71982fe3479ab0ddd663
- SHA512: 5247025435db48a7a6b09dbf202bff5739415d533ba950cc38074bccbb6c192e3a6c2fa830c0243988738bfcbf3e628ae74a18b1b4c9ec6f5c7e68afbcfa2905
Malware Config
Extracted: snakekeylogger
- Protocol: smtp
- Host: mail.sapphireclothing.com
- Port: 587
- Username: hr@sapphireclothing.com
- Password: hrSap2018
The extracted config is the stealer's exfiltration channel: it submits captured data over SMTP (submission port 587) through the listed account. The host, the account and any outbound port-587 traffic from a process that is not a mail client are the indicators to block and hunt for.
Signatures
- Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  Process: PO-5738737272.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,\"C:\\Users\\Admin\\AppData\\Local\\kelly.exe\","
  Winlogon starts every comma-separated entry of Shell at logon, so appending C:\Users\Admin\AppData\Local\kelly.exe after explorer.exe launches it alongside the desktop. The key sits in the user's hive (HKCU for the SID ending in -1000), so this persistence needs no elevation and applies only to that user. No write of kelly.exe appears in the file list below, so on an infected host confirm whether the target exists; a dangling Shell entry still marks the infection.
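As an added example (not code from the report or from any sandbox vendor), the Python below splits a Winlogon Shell value on commas outside double quotes, which is how the observed value is built, and returns whatever is not the stock explorer.exe. The value from this report is embedded as constructed input, written as the raw REG_SZ string rather than with the report's escaping; audit_local_winlogon_shell is an assumed Windows-only helper for checking a live host and is not exercised by the rest of the script.

```python
import sys
from typing import Dict, List

# Constructed input: the Shell value from the report as the raw REG_SZ string
# (the report prints it with escaped backslashes and quotes).
OBSERVED_SHELL = 'explorer.exe,"C:\\Users\\Admin\\AppData\\Local\\kelly.exe",'

DEFAULT_SHELL = "explorer.exe"
WINLOGON_KEY = r"Software\Microsoft\Windows NT\CurrentVersion\Winlogon"


def parse_shell_value(value: str) -> List[str]:
    """Split a Winlogon Shell value into its entries.

    Entries are separated by commas; an entry may be wrapped in double quotes
    so that a path containing spaces or commas stays intact. Quotes are
    stripped, surrounding whitespace is trimmed and empty entries (such as the
    one left by the trailing comma in this sample) are dropped.
    """
    entries, current, in_quotes = [], [], False
    for ch in value:
        if ch == '"':
            in_quotes = not in_quotes
        elif ch == "," and not in_quotes:
            entries.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
    entries.append("".join(current).strip())
    return [e for e in entries if e]


def non_default_shell_entries(value: str) -> List[str]:
    """Return every Shell entry that is not the stock explorer.exe.

    Anything returned here is started by Winlogon at logon and deserves a
    look; a full path under a user-writable directory such as %LOCALAPPDATA%,
    as in this sample, is the classic persistence pattern.
    """
    return [e for e in parse_shell_value(value) if e.lower() != DEFAULT_SHELL]


def audit_local_winlogon_shell() -> Dict[str, List[str]]:
    """Assumed helper, Windows only: read Shell from HKCU and HKLM and report
    non-default entries. Not called by the checks above."""
    import winreg  # standard library, present only on Windows

    findings = {}
    for hive_name, hive in (("HKCU", winreg.HKEY_CURRENT_USER),
                            ("HKLM", winreg.HKEY_LOCAL_MACHINE)):
        try:
            with winreg.OpenKey(hive, WINLOGON_KEY) as key:
                value, _ = winreg.QueryValueEx(key, "Shell")
        except FileNotFoundError:
            continue  # HKCU normally has no Shell value at all
        findings[hive_name] = non_default_shell_entries(value)
    return findings


if __name__ == "__main__":
    print("entries:", parse_shell_value(OBSERVED_SHELL))
    print("non-default:", non_default_shell_entries(OBSERVED_SHELL))
    if sys.platform == "win32":
        print("live host:", audit_local_winlogon_shell())
```

Note that the check is on the parsed entries, not on a substring match: a rule that only looks for "explorer.exe" at the start of the value would pass this sample, because the default shell is still there.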
- Snake Keylogger
  Keylogger and infostealer first seen in November 2020.
- Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.
- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk, where infostealers often target it.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials.
- Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
  Process: PO-5738737272.exe
  - Key opened: \REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
  - Key opened: \REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
  - Key opened: \REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
  The three paths are the Outlook 2013 (15.0), Outlook 2016 and later (16.0) and legacy Windows Messaging Subsystem locations of the same profile subkey, 9375CFF0413111d3B88A00104B2A6676, which holds the account settings (servers, user names and DPAPI-protected mail passwords) the stealer harvests. Trying all three is how the stealer covers every Outlook version without checking which one is installed.
- Looks up external IP address via web service (3 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Flows: 6 checkip.dyndns.org, 11 freegeoip.app, 12 freegeoip.app
  Both hosts are also used by legitimate software, so on their own they are weak indicators; the useful signal is the sequence, an external-IP lookup followed by SMTP submission from the same non-mail process.
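An added example, not code from the report: the Python below turns the extracted SMTP config and these lookup hosts into two checks over a constructed flow log that mirrors the report's order (ping, external-IP lookup, then SMTP submission from the injected child). match_iocs tags the literal indicators; stealer_sequence is the behavioural rule worth keeping, since checkip.dyndns.org and freegeoip.app also appear in legitimate traffic: a process outside an assumed mail-client allow-list that looks up its external IP and then opens a mail port. The PIDs on the lookup flows and the outlook.exe flow are constructed, because the report's flow table carries no process attribution.

```python
from typing import List, NamedTuple, Tuple

# Indicators taken from the report: the extracted SMTP exfil config and the
# external-IP lookup hosts from the flow table.
EXFIL_HOST, EXFIL_PORT = "mail.sapphireclothing.com", 587
IP_LOOKUP_HOSTS = {"checkip.dyndns.org", "freegeoip.app"}
MAIL_PORTS = {25, 465, 587}
# Assumed allow-list of images that legitimately speak SMTP; tune per fleet.
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}


class Flow(NamedTuple):
    seq: int        # order within the capture
    pid: int
    image: str
    dst_host: str
    dst_port: int   # 0 for ICMP


# Constructed flow log modelled on the report's order: the two pings, the
# external-IP lookups, then SMTP submission from the injected child (PID 1092),
# plus one benign SMTP flow from a real mail client for contrast.
SAMPLE_FLOWS = [
    Flow(1, 436, "PING.EXE", "yahoo.com", 0),
    Flow(2, 976, "PING.EXE", "google.com", 0),
    Flow(6, 1092, "PO-5738737272.exe", "checkip.dyndns.org", 80),
    Flow(11, 1092, "PO-5738737272.exe", "freegeoip.app", 443),
    Flow(13, 1092, "PO-5738737272.exe", EXFIL_HOST, EXFIL_PORT),
    Flow(14, 2200, "outlook.exe", "smtp.example.net", 587),
]


def match_iocs(flows: List[Flow]) -> List[Tuple[int, str]]:
    """Tag every flow that hits one of the report's literal indicators."""
    tags = []
    for f in flows:
        if f.dst_host == EXFIL_HOST and f.dst_port == EXFIL_PORT:
            tags.append((f.seq, "exfil-smtp"))
        elif f.dst_host in IP_LOOKUP_HOSTS:
            tags.append((f.seq, "external-ip-lookup"))
    return tags


def stealer_sequence(flows: List[Flow]) -> List[Tuple[int, str, str, str]]:
    """Behavioural rule independent of the specific C2: a process that is not a
    known mail client looks up its external IP and afterwards opens a mail port.
    Returns (pid, image, lookup_host, smtp_host) per offending process."""
    hits = []
    for pid in sorted({f.pid for f in flows}):
        own = sorted((f for f in flows if f.pid == pid), key=lambda f: f.seq)
        if own[0].image.lower() in MAIL_CLIENTS:
            continue
        lookup = next((f for f in own if f.dst_host in IP_LOOKUP_HOSTS), None)
        if lookup is None:
            continue
        smtp = next((f for f in own
                     if f.seq > lookup.seq and f.dst_port in MAIL_PORTS), None)
        if smtp is not None:
            hits.append((pid, own[0].image, lookup.dst_host, smtp.dst_host))
    return hits


if __name__ == "__main__":
    for seq, tag in match_iocs(SAMPLE_FLOWS):
        print(f"flow {seq}: {tag}")
    for pid, image, lookup, smtp in stealer_sequence(SAMPLE_FLOWS):
        print(f"pid {pid} ({image}): ip lookup via {lookup}, then SMTP to {smtp}")
```

The ordering check (smtp.seq > lookup.seq) matters: a mail client that happens to visit an IP-lookup page after sending mail does not trip the rule, while the stealer's fixed sequence does regardless of which SMTP server a future build is configured with.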
- Suspicious use of SetThreadContext (1 IoC)
  PID 1924 (PO-5738737272.exe) set thread context of PID 1092 (PO-5738737272.exe)
  Together with the WriteProcessMemory events below (1924 wrote into 1092 nine times) this is the process-hollowing pattern: the loader starts a second copy of itself, writes a payload image into it and points a thread at the new code. The child, not the loader, is the process that goes on to read the Outlook profile keys.
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The sandbox's generic description for this signature calls it likely ransomware behaviour, but nothing else in this report (no mass file writes, no encryption, no ransom note) supports that; for an infostealer, drive enumeration is ordinary reconnaissance, so weigh the behaviour and not the label.
-
- Runs ping.exe (1 TTP, 2 IoCs)
  Each of the two PowerShell children pings a public host (yahoo.com, google.com). In the process tree they come before the injected copy of the sample, which fits a quick internet-connectivity check before the stealer does anything observable; a host without outbound access would never reach the exfiltration stage.
- Suspicious behavior: EnumeratesProcesses (5 IoCs)
  PIDs: 1708 powershell.exe, 1508 powershell.exe, 1924 PO-5738737272.exe (2 events), 1092 PO-5738737272.exe
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  Token: SeDebugPrivilege enabled by 1708 powershell.exe, 1508 powershell.exe, 1924 PO-5738737272.exe, 1092 PO-5738737272.exe
- Suspicious use of WriteProcessMemory (25 IoCs)
  - PID 1924 (PO-5738737272.exe) wrote to memory of 1708 (powershell.exe): 4 events
  - PID 1708 (powershell.exe) wrote to memory of 436 (PING.EXE): 4 events
  - PID 1924 (PO-5738737272.exe) wrote to memory of 1508 (powershell.exe): 4 events
  - PID 1508 (powershell.exe) wrote to memory of 976 (PING.EXE): 4 events
  - PID 1924 (PO-5738737272.exe) wrote to memory of 1092 (PO-5738737272.exe): 9 events
  The uniform groups of four accompany every child creation in this report, including the harmless powershell.exe -> PING.EXE pairs, so they are creation noise. The nine writes into 1092, a child with the same image as its parent that also receives a SetThreadContext call, are the payload injection; a rule on WriteProcessMemory alone would fire on all five pairs.
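The same pairing logic as a script, covering this table and the SetThreadContext entry above (an added example, not the sandbox's own detection): it parses the event lines as the report prints them, flags only process pairs that show both APIs, and checks that the 0x42052E mapping address from the dump list falls inside the 0x400000-0x426000 region dumped from PID 1092. The event text and the region table are constructed from this report's values.

```python
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed input: the event lines from the report's SetThreadContext and
# WriteProcessMemory tables, with the repeated identical lines collapsed.
REPORT_EVENTS = """
PID 1924 set thread context of 1092 1924 PO-5738737272.exe PO-5738737272.exe
PID 1924 wrote to memory of 1708 1924 PO-5738737272.exe powershell.exe
PID 1708 wrote to memory of 436 1708 powershell.exe PING.EXE
PID 1924 wrote to memory of 1508 1924 PO-5738737272.exe powershell.exe
PID 1508 wrote to memory of 976 1508 powershell.exe PING.EXE
PID 1924 wrote to memory of 1092 1924 PO-5738737272.exe PO-5738737272.exe
"""

# From the report's dump list: the child's 0x400000-0x426000 region, dumped
# repeatedly, and the "mapping" entry at 0x42052E.
DUMPED_REGIONS: Dict[int, List[Tuple[int, int]]] = {1092: [(0x400000, 0x426000)]}
MAPPING_ADDRESS = 0x42052E

EVENT_RE = re.compile(
    r"PID (?P<src>\d+) (?P<action>wrote to memory of|set thread context of) "
    r"(?P<dst>\d+) \d+ (?P<src_img>\S+) (?P<dst_img>\S+)$"
)


def parse_events(text: str) -> List[dict]:
    """Turn the report's flattened event lines into dicts; other lines are skipped."""
    events = []
    for line in text.strip().splitlines():
        m = EVENT_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "src": int(m["src"]),
            "dst": int(m["dst"]),
            "api": "SetThreadContext" if m["action"].startswith("set") else "WriteProcessMemory",
            "src_img": m["src_img"],
            "dst_img": m["dst_img"],
        })
    return events


def find_hollowing_candidates(events: List[dict]) -> List[Tuple[int, int, str, bool]]:
    """Return (src_pid, dst_pid, target_image, same_image) for each process pair
    where the source both wrote into the target and replaced a thread context.

    WriteProcessMemory alone is noisy: process creation shows up as parent->child
    writes (the powershell.exe -> PING.EXE pairs), so both APIs are required on
    the same pair. same_image marks the self-hollowing variant seen here, where
    the loader uses a copy of itself as the host process.
    """
    apis_by_pair = defaultdict(set)
    images_by_pair = {}
    for e in events:
        pair = (e["src"], e["dst"])
        apis_by_pair[pair].add(e["api"])
        images_by_pair[pair] = (e["src_img"], e["dst_img"])
    hits = []
    for pair in sorted(apis_by_pair):
        if {"WriteProcessMemory", "SetThreadContext"} <= apis_by_pair[pair]:
            src_img, dst_img = images_by_pair[pair]
            hits.append((pair[0], pair[1], dst_img, src_img == dst_img))
    return hits


def mapping_in_dumped_region(pid: int, address: int) -> Tuple[bool, int]:
    """Return (inside, region_size_kb) for an address against pid's dumped regions.

    For 1092 the 0x42052E mapping lies in 0x400000-0x426000 (0x26000 bytes,
    152KB, matching the report), consistent with execution being redirected
    into the image the parent wrote in.
    """
    for start, end in DUMPED_REGIONS.get(pid, []):
        if start <= address < end:
            return True, (end - start) // 1024
    return False, 0


if __name__ == "__main__":
    events = parse_events(REPORT_EVENTS)
    for src, dst, image, same in find_hollowing_candidates(events):
        print(f"hollowing candidate: {src} -> {dst} ({image}, self-copy={same})")
    print("mapping inside dumped region:", mapping_in_dumped_region(1092, MAPPING_ADDRESS))
```

The same two-API rule maps directly onto endpoint telemetry that records cross-process writes and thread-context changes; the self-copy flag is what separates this loader from injectors that target a system binary.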
- outlook_office_path (1 IoC)
  Key opened by PO-5738737272.exe: \REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
- outlook_win_path (1 IoC)
  Key opened by PO-5738737272.exe: \REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Processes
- C:\Users\Admin\AppData\Local\Temp\PO-5738737272.exe (PID 1924)
  Command line: "C:\Users\Admin\AppData\Local\Temp\PO-5738737272.exe"
  - Modifies WinLogon for persistence
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ping yahoo.com
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE
      Command line: "C:\Windows\system32\PING.EXE" yahoo.com
      - Runs ping.exe
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ping google.com
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE
      Command line: "C:\Windows\system32\PING.EXE" google.com
      - Runs ping.exe
  - C:\Users\Admin\AppData\Local\Temp\PO-5738737272.exe (PID 1092)
    Command line: C:\Users\Admin\AppData\Local\Temp\PO-5738737272.exe
    - Accesses Microsoft Outlook profiles
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path
The command lines name System32 but the image paths are under SysWOW64: the sample is a 32-bit process on 64-bit Windows, so file-system redirection resolves its System32 references to the 32-bit copies. Only the child copy (PID 1092) touches the Outlook profile keys, which is what to expect when the parent is just the loader and the written-in payload does the stealing; the parent's own signatures are persistence and injection only.
Downloads
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
  MD5: 6234237ab00d79069cbaff7d69b016bf
  SHA1: b778289334b89974eecf121aaf546c6a99b3baa6
  SHA256: b731c15643c888b3de58486beae90a3ea36f7244f534a4036b472d30766ebd38
  SHA512: e521bcf85420a37465633461fbd72c8489131d8bd0abe947bd652364039d79e7b1461b5bf0501e180572d78c9e3b1ab9c7df8c60c1c648f6a21e33a1f1f0293b
  This is a jump-list file written by the shell as a side effect of running programs, not a payload dropped by the sample.
Memory dumps, listed in dump-index order:
- memory/1924-55-0x0000000000BB0000-0x0000000000BB1000-memory.dmp (4KB)
- memory/1924-57-0x0000000076351000-0x0000000076353000-memory.dmp (8KB)
- memory/1924-58-0x0000000004900000-0x0000000004901000-memory.dmp (4KB)
- memory/1708-59-0x0000000000000000-mapping.dmp
- memory/1708-61-0x0000000002450000-0x000000000309A000-memory.dmp (12.3MB)
- memory/1708-62-0x0000000002450000-0x000000000309A000-memory.dmp (12.3MB)
- memory/1708-63-0x0000000002450000-0x000000000309A000-memory.dmp (12.3MB)
- memory/436-64-0x0000000000000000-mapping.dmp
- memory/1508-65-0x0000000000000000-mapping.dmp
- memory/1508-68-0x0000000002240000-0x0000000002241000-memory.dmp (4KB)
- memory/1508-69-0x0000000002241000-0x0000000002242000-memory.dmp (4KB)
- memory/1508-70-0x0000000002242000-0x0000000002244000-memory.dmp (8KB)
- memory/976-71-0x0000000000000000-mapping.dmp
- memory/1924-72-0x0000000005A10000-0x0000000005A6C000-memory.dmp (368KB)
- memory/1924-73-0x0000000004905000-0x0000000004916000-memory.dmp (68KB)
- memory/1924-74-0x0000000004330000-0x0000000004349000-memory.dmp (100KB)
- memory/1092-75-0x0000000000400000-0x0000000000426000-memory.dmp (152KB)
- memory/1092-76-0x0000000000400000-0x0000000000426000-memory.dmp (152KB)
- memory/1092-77-0x0000000000400000-0x0000000000426000-memory.dmp (152KB)
- memory/1092-78-0x0000000000400000-0x0000000000426000-memory.dmp (152KB)
- memory/1092-79-0x0000000000400000-0x0000000000426000-memory.dmp (152KB)
- memory/1092-80-0x000000000042052E-mapping.dmp
- memory/1092-81-0x0000000000400000-0x0000000000426000-memory.dmp (152KB)
- memory/1092-83-0x0000000002220000-0x0000000002221000-memory.dmp (4KB)
The dump-index order also settles the sequence of the run: the parent (1924), the first powershell.exe (1708) and its ping (436), the second powershell.exe (1508) and its ping (976), more parent activity, and only then the child 1092. The repeated 0x400000-0x426000 dumps of 1092 cover the 152KB image region at the usual 32-bit image base, consistent with the region the parent wrote into, and the 0x42052E mapping address lies inside it. The 152KB dumps of 1092 are the artefacts to carve and scan if a static copy of the unpacked payload is needed, since the 427KB file on disk is only the loader.