Analysis
-
max time kernel
121s -
max time network
127s -
platform
windows10_x64 -
resource
win10-en-20211104 -
submitted
03-12-2021 09:47
General
-
Target
20987654345678987456789.exe
-
Size
808KB
-
MD5
4e87c7097801540f52ce50ae4049ea58
-
SHA1
5dd7e8cc8bf7bcf31c5b14266c47903dfc67bb61
-
SHA256
467fc148b91e2229b4342835534e082337e14293bf346c1c17333a659abd1f0a
-
SHA512
2e2c1b77cc6dc0e6cb57899d3ed01a8a415864b9f34bb878efb9a387ad5c8e454b5f9fb6eb8d20f17bd6ec8bae152dc8f61719b8617f202949a605242cc7bdb6
Malware Config
Signatures
-
Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
-
Snake Keylogger Payload 3 IoCs
-
Loads dropped DLL 1 IoCs
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
-
Drops desktop.ini file(s) 2 IoCs
-
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext 1 IoCs
-
Drops file in Windows directory 3 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 10 IoCs
-
outlook_office_path 1 IoCs
-
outlook_win_path 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\20987654345678987456789.exe"C:\Users\Admin\AppData\Local\Temp\20987654345678987456789.exe"1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\20987654345678987456789.exe"C:\Users\Admin\AppData\Local\Temp\20987654345678987456789.exe"2⤵
- Accesses Microsoft Outlook profiles
- Drops desktop.ini file(s)
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
\Users\Admin\AppData\Local\Temp\nszDAC2.tmp\kemqwaysqh.dllMD5
9e17514b192a6d53e7b7a5c5d4c7db09
SHA16d004692ba445d3d8090328f61ff285beff62c6a
SHA256a4dc0e60620c74e3dd3fa5bd27ea4954acd07fa898ef69505aab1ed9f0f6d596
SHA512106d5925215d912909ec0bd2d55c167ac1f1496c838e7018766b22040bafa33a4fed7508e90fc38c3cbe729c4193333eb561911d2b7e296ec44aafd5a2718075
-
memory/4092-119-0x0000000000400000-0x000000000048B000-memory.dmpFilesize
556KB
-
memory/4092-120-0x000000000040188B-mapping.dmp
-
memory/4092-121-0x0000000000400000-0x000000000048B000-memory.dmpFilesize
556KB
-
memory/4092-122-0x0000000002320000-0x0000000002321000-memory.dmpFilesize
4KB
-
memory/4092-124-0x0000000002322000-0x0000000002324000-memory.dmpFilesize
8KB
-
memory/4092-123-0x0000000002321000-0x0000000002322000-memory.dmpFilesize
4KB
-
memory/4092-125-0x0000000002327000-0x0000000002328000-memory.dmpFilesize
4KB
-
memory/4092-126-0x0000000002328000-0x0000000002329000-memory.dmpFilesize
4KB