Analysis
- max time kernel: 122s
- max time network: 126s
- platform: windows10_x64
- resource: win10-en-20211014
- submitted: 03-12-2021 09:47
Static task: static1
Behavioral task: behavioral1
- Sample: 2345678098765T4323456789G.exe
- Resource: win7-en-20211104
Behavioral task: behavioral2
- Sample: 2345678098765T4323456789G.exe
- Resource: win10-en-20211014
General
- Target: 2345678098765T4323456789G.exe
- Size: 396KB
- MD5: 7091684f6d958d8bbb0ae72d30ef3f93
- SHA1: 946ab60d8020ed0209f2fc5237020ed74e2bf2f8
- SHA256: 7bbfbb37c39b9f86adc6fda345c835cb256948cdc886b273c3215e4ccbbd877a
- SHA512: d9374aff01b656fd92c6e44e095ed958be11c07b84a2d65f569ee278960571ac2ab3f1f7960113b8438b69945274e1e6d888a07646d528136102b6aad8979ae8
Malware Config
Extracted: snakekeylogger
- Protocol: smtp
- Host: serv3.devmexico.com
- Port: 587
- Username: reservaciones@hoteljuaninos.com.mx
- Password: 3}l^pI#_4K_!
Signatures
- Snake Keylogger
  Keylogger and Infostealer first seen in November 2020.
- Loads dropped DLL (1 IoC)
  Processes: pid 2664, process 2345678098765T4323456789G.exe
- Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.
- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk where infostealers will often target it.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
  Processes (description, ioc, process):
  Key opened \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 by 2345678098765T4323456789G.exe
  Key opened \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 by 2345678098765T4323456789G.exe
  Key opened \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 by 2345678098765T4323456789G.exe
- Looks up external IP address via web service (3 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes (flow, ioc): flow 11 freegeoip.app; flow 7 checkip.dyndns.org; flow 10 freegeoip.app
- Suspicious use of SetThreadContext (1 IoC)
  Processes: PID 2664 set thread context of 1060 (2345678098765T4323456789G.exe -> 2345678098765T4323456789G.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  Processes: pid 1060, process 2345678098765T4323456789G.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes: Token: SeDebugPrivilege, pid 1060, process 2345678098765T4323456789G.exe
- Suspicious use of WriteProcessMemory (10 IoCs)
  Processes: PID 2664 wrote to memory of 1060 (2345678098765T4323456789G.exe -> 2345678098765T4323456789G.exe), recorded 10 times
- outlook_office_path (1 IoC)
  Processes: Key opened \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 by 2345678098765T4323456789G.exe
- outlook_win_path (1 IoC)
  Processes: Key opened \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 by 2345678098765T4323456789G.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\2345678098765T4323456789G.exe (tree depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\2345678098765T4323456789G.exe"
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\2345678098765T4323456789G.exe (tree depth 2, child of the process above)
    Command line: "C:\Users\Admin\AppData\Local\Temp\2345678098765T4323456789G.exe"
    - Accesses Microsoft Outlook profiles
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path
Downloads
- \Users\Admin\AppData\Local\Temp\nssA5D.tmp\cewfabb.dll
  MD5: f8a026d82d5489d52431bd31696dd1a4
  SHA1: 20fcdfa194e2ad296af96ff2858ba8b00e08f0f3
  SHA256: 528093f58dfce70f6a41064ae7426fb4fbd5c19bd00af72d1ecdd788f0b1d753
  SHA512: 86eae47e8094b1c4fb24eaa9f1e223c54a9d69cffb2db3f16f49c3a980ad75990b23eadee75636777671227b893b4cbf5aa8b1e13d9e6d5a981f3831f0ded584
- memory/1060-116-0x0000000000400000-0x000000000044B000-memory.dmp (Filesize 300KB)
- memory/1060-117-0x000000000040188B-mapping.dmp
- memory/1060-118-0x0000000000400000-0x000000000044B000-memory.dmp (Filesize 300KB)
- memory/1060-119-0x0000000002340000-0x0000000002376000-memory.dmp (Filesize 216KB)
- memory/1060-122-0x0000000002392000-0x0000000002393000-memory.dmp (Filesize 4KB)
- memory/1060-121-0x0000000002390000-0x0000000002391000-memory.dmp (Filesize 4KB)
- memory/1060-123-0x0000000002393000-0x0000000002394000-memory.dmp (Filesize 4KB)
- memory/1060-124-0x0000000004850000-0x0000000004851000-memory.dmp (Filesize 4KB)
- memory/1060-125-0x0000000004D90000-0x0000000004D91000-memory.dmp (Filesize 4KB)
- memory/1060-126-0x0000000002394000-0x0000000002395000-memory.dmp (Filesize 4KB)
- memory/1060-127-0x0000000005A60000-0x0000000005A61000-memory.dmp (Filesize 4KB)
- memory/1060-128-0x0000000005C30000-0x0000000005C31000-memory.dmp (Filesize 4KB)
- memory/1060-129-0x0000000005D20000-0x0000000005D21000-memory.dmp (Filesize 4KB)