Overview

overview

10

Static

static

1

2098765434...89.exe

windows7_x64

10

2098765434...89.exe

windows10_x64

10

Analysis

  • max time kernel
    121s
  • max time network
    127s
  • platform
    windows10_x64
  • resource
    win10-en-20211104
  • submitted
    03-12-2021 09:47

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    20987654345678987456789.exe

  • Size

    808KB

  • MD5

    4e87c7097801540f52ce50ae4049ea58

  • SHA1

    5dd7e8cc8bf7bcf31c5b14266c47903dfc67bb61

  • SHA256

    467fc148b91e2229b4342835534e082337e14293bf346c1c17333a659abd1f0a

  • SHA512

    2e2c1b77cc6dc0e6cb57899d3ed01a8a415864b9f34bb878efb9a387ad5c8e454b5f9fb6eb8d20f17bd6ec8bae152dc8f61719b8617f202949a605242cc7bdb6

Score
10/10
snakekeyloggercollectionkeyloggerspywarestealer

Malware Config

Signatures

  • Snake Keylogger

    Keylogger and Infostealer first seen in November 2020.

    stealerkeyloggersnakekeylogger
  • Snake Keylogger Payload 3 IoCs
  • Loads dropped DLL 1 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Drops desktop.ini file(s) 2 IoCs
  • Looks up external IP address via web service 3 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\20987654345678987456789.exe
    "C:\Users\Admin\AppData\Local\Temp\20987654345678987456789.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:3748
    • C:\Users\Admin\AppData\Local\Temp\20987654345678987456789.exe
      "C:\Users\Admin\AppData\Local\Temp\20987654345678987456789.exe"
      2⤵
      • Accesses Microsoft Outlook profiles
      • Drops desktop.ini file(s)
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • outlook_office_path
      • outlook_win_path
      PID:4092

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • \Users\Admin\AppData\Local\Temp\nszDAC2.tmp\kemqwaysqh.dll
    MD5

    9e17514b192a6d53e7b7a5c5d4c7db09

    SHA1

    6d004692ba445d3d8090328f61ff285beff62c6a

    SHA256

    a4dc0e60620c74e3dd3fa5bd27ea4954acd07fa898ef69505aab1ed9f0f6d596

    SHA512

    106d5925215d912909ec0bd2d55c167ac1f1496c838e7018766b22040bafa33a4fed7508e90fc38c3cbe729c4193333eb561911d2b7e296ec44aafd5a2718075

    Download Submit

  • memory/4092-119-0x0000000000400000-0x000000000048B000-memory.dmp

    Filesize

    556KB

    Download

  • memory/4092-120-0x000000000040188B-mapping.dmp

    Download

  • memory/4092-121-0x0000000000400000-0x000000000048B000-memory.dmp

    Filesize

    556KB

    Download

  • memory/4092-122-0x0000000002320000-0x0000000002321000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4092-124-0x0000000002322000-0x0000000002324000-memory.dmp

    Filesize

    8KB

    Download

  • memory/4092-123-0x0000000002321000-0x0000000002322000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4092-125-0x0000000002327000-0x0000000002328000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4092-126-0x0000000002328000-0x0000000002329000-memory.dmp

    Filesize

    4KB

    Download