Overview

overview

10

Static

static

PO-5738737272.exe

windows7_x64

10

PO-5738737272.exe

windows10_x64

10

Analysis

  • max time kernel
    128s
  • max time network
    146s
  • platform
    windows10_x64
  • resource
    win10-en-20211014
  • submitted
    02-12-2021 19:23

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    PO-5738737272.exe

  • Size

    427KB

  • MD5

    e46e4deadec5bed6fcd3b6eb3202d606

  • SHA1

    a98564f3f69b65a5a031a8f8830e8d833f02a831

  • SHA256

    da7d90e13ecccb70bba997e4a07c76abf774dd2309bd71982fe3479ab0ddd663

  • SHA512

    5247025435db48a7a6b09dbf202bff5739415d533ba950cc38074bccbb6c192e3a6c2fa830c0243988738bfcbf3e628ae74a18b1b4c9ec6f5c7e68afbcfa2905

Score
10/10
snakekeyloggercollectionkeyloggerpersistencespywarestealer

Malware Config

Extracted

Family

snakekeylogger

Credentials

  • Protocol:     smtp
  • Host:
    mail.sapphireclothing.com
  • Port:
    587
  • Username:
    hr@sapphireclothing.com
  • Password:
    hrSap2018

Signatures

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
    persistence
  • Snake Keylogger

    Keylogger and Infostealer first seen in November 2020.

    stealerkeyloggersnakekeylogger
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Looks up external IP address via web service 3 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Runs ping.exe 1 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 9 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\PO-5738737272.exe
    "C:\Users\Admin\AppData\Local\Temp\PO-5738737272.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3168
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ping yahoo.com
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3160
      • C:\Windows\SysWOW64\PING.EXE
        "C:\Windows\system32\PING.EXE" yahoo.com
        3⤵
        • Runs ping.exe
        PID:2188
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ping google.com
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3840
      • C:\Windows\SysWOW64\PING.EXE
        "C:\Windows\system32\PING.EXE" google.com
        3⤵
        • Runs ping.exe
        PID:2844
    • C:\Users\Admin\AppData\Local\Temp\PO-5738737272.exe
      C:\Users\Admin\AppData\Local\Temp\PO-5738737272.exe
      2⤵
      • Accesses Microsoft Outlook profiles
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • outlook_office_path
      • outlook_win_path
      PID:1996

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

1
T1004

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Credentials in Files

3
T1081

Discovery

System Information Discovery

1
T1082

Remote System Discovery

1
T1018

Lateral Movement

Collection

Data from Local System

3
T1005

Email Collection

1
T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\PO-5738737272.exe.log
    MD5

    1755d02418241b16d29f6f19bb49952e

    SHA1

    55a2a978b98c43820f21a8b7597515d804e43d2c

    SHA256

    ebeb444cf2bd1945e7be508cc782963cf8cf9cedb1680a776f41eb0bf763a561

    SHA512

    6cd5449f39199e276ea335af0721384ba18009932c8eed5a36e43f1e08b0890291fb9d033aee8c6e8c88899a44504cb222404137ea6b0d847a49a14971f47c75

    Download Submit
  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
    MD5

    0f5cbdca905beb13bebdcf43fb0716bd

    SHA1

    9e136131389fde83297267faf6c651d420671b3f

    SHA256

    a99135d86804f5cf8aaeb5943c1929bd1458652a3318ab8c01aee22bb4991060

    SHA512

    a41d2939473cffcb6beb8b58b499441d16da8bcc22972d53b8b699b82a7dc7be0db39bcd2486edd136294eb3f1c97ddd27b2a9ff45b831579cba6896d1f776b0

    Download Submit
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    MD5

    795ce6e8ca58af1cce2a3e8fae02f6af

    SHA1

    42fdb10e3ff53bf63a8619dc28afbeca5f0439c6

    SHA256

    530c940784a308df149a20ae4fecfe7a53acc927adc0d5220eafe390b6228ee5

    SHA512

    0655bfad8e1a335630071f3e180e25db091181af2f88dcb8608f993fa49cdef113df26323e4ee549e73a52c1634f07c22ec6a1e6e54e770f3dbd4eed8ade7857

    Download Submit
  • memory/1996-172-0x0000000004930000-0x0000000004E2E000-memory.dmp
    Filesize

    5.0MB

    Download
  • memory/1996-171-0x0000000005BC0000-0x0000000005BC1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1996-169-0x00000000049D0000-0x00000000049D1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1996-164-0x000000000042052E-mapping.dmp
    Download
  • memory/1996-163-0x0000000000400000-0x0000000000426000-memory.dmp
    Filesize

    152KB

    Download
  • memory/2188-135-0x0000000000000000-mapping.dmp
    Download
  • memory/2844-155-0x0000000000000000-mapping.dmp
    Download
  • memory/3160-126-0x0000000007570000-0x0000000007571000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3160-121-0x0000000000000000-mapping.dmp
    Download
  • memory/3160-127-0x0000000004C40000-0x0000000004C41000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3160-128-0x0000000007D90000-0x0000000007D91000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3160-130-0x0000000007E00000-0x0000000007E01000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3160-131-0x0000000007FE0000-0x0000000007FE1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3160-132-0x0000000007EC0000-0x0000000007EC1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3160-133-0x0000000008A00000-0x0000000008A01000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3160-134-0x00000000086B0000-0x00000000086B1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3160-124-0x0000000004C00000-0x0000000004C01000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3160-136-0x00000000031D0000-0x00000000031D1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3160-122-0x00000000031D0000-0x00000000031D1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3160-129-0x0000000004C42000-0x0000000004C43000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3160-125-0x00000000075F0000-0x00000000075F1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3160-123-0x00000000031D0000-0x00000000031D1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3160-143-0x0000000004C43000-0x0000000004C44000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3160-144-0x0000000004C44000-0x0000000004C46000-memory.dmp
    Filesize

    8KB

    Download
  • memory/3168-161-0x00000000056E3000-0x00000000056E5000-memory.dmp
    Filesize

    8KB

    Download
  • memory/3168-162-0x0000000007FC0000-0x0000000007FD9000-memory.dmp
    Filesize

    100KB

    Download
  • memory/3168-117-0x0000000005C30000-0x0000000005C31000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3168-118-0x0000000005730000-0x0000000005731000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3168-119-0x00000000056E0000-0x00000000056E1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3168-157-0x0000000007A30000-0x0000000007A8C000-memory.dmp
    Filesize

    368KB

    Download
  • memory/3168-120-0x0000000005710000-0x0000000005711000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3168-115-0x0000000000DB0000-0x0000000000DB1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3840-159-0x00000000048F3000-0x00000000048F4000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3840-139-0x0000000002E10000-0x0000000002E11000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3840-137-0x0000000000000000-mapping.dmp
    Download
  • memory/3840-146-0x00000000048F2000-0x00000000048F3000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3840-160-0x00000000048F4000-0x00000000048F6000-memory.dmp
    Filesize

    8KB

    Download
  • memory/3840-156-0x0000000002E10000-0x0000000002E11000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3840-140-0x0000000002E10000-0x0000000002E11000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3840-145-0x00000000048F0000-0x00000000048F1000-memory.dmp
    Filesize

    4KB

    Download