Analysis

  • max time kernel
    121s
  • max time network
    127s
  • platform
    windows10_x64
  • resource
    win10-en-20211104
  • submitted
    03-12-2021 09:47

General

  • Target

    20987654345678987456789.exe

  • Size

    808KB

  • MD5

    4e87c7097801540f52ce50ae4049ea58

  • SHA1

    5dd7e8cc8bf7bcf31c5b14266c47903dfc67bb61

  • SHA256

    467fc148b91e2229b4342835534e082337e14293bf346c1c17333a659abd1f0a

  • SHA512

    2e2c1b77cc6dc0e6cb57899d3ed01a8a415864b9f34bb878efb9a387ad5c8e454b5f9fb6eb8d20f17bd6ec8bae152dc8f61719b8617f202949a605242cc7bdb6

Malware Config

Signatures

  • Snake Keylogger

    Keylogger and Infostealer first seen in November 2020.

  • Snake Keylogger Payload 3 IoCs
  • Loads dropped DLL 1 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
  • Drops desktop.ini file(s) 2 IoCs
  • Looks up external IP address via web service 3 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\20987654345678987456789.exe
    "C:\Users\Admin\AppData\Local\Temp\20987654345678987456789.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:3748
    • C:\Users\Admin\AppData\Local\Temp\20987654345678987456789.exe
      "C:\Users\Admin\AppData\Local\Temp\20987654345678987456789.exe"
      2⤵
      • Accesses Microsoft Outlook profiles
      • Drops desktop.ini file(s)
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • outlook_office_path
      • outlook_win_path
      PID:4092

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/4092-119-0x0000000000400000-0x000000000048B000-memory.dmp

    Filesize

    556KB

  • memory/4092-121-0x0000000000400000-0x000000000048B000-memory.dmp

    Filesize

    556KB

  • memory/4092-122-0x0000000002320000-0x0000000002321000-memory.dmp

    Filesize

    4KB

  • memory/4092-124-0x0000000002322000-0x0000000002324000-memory.dmp

    Filesize

    8KB

  • memory/4092-123-0x0000000002321000-0x0000000002322000-memory.dmp

    Filesize

    4KB

  • memory/4092-125-0x0000000002327000-0x0000000002328000-memory.dmp

    Filesize

    4KB

  • memory/4092-126-0x0000000002328000-0x0000000002329000-memory.dmp

    Filesize

    4KB