Analysis
-
max time kernel
121s -
max time network
121s -
platform
windows7_x64 -
resource
win7-en-20211104 -
submitted
03-12-2021 14:23
General
-
Target
PURCHASE ORDER.exe
-
Size
604KB
-
MD5
a6ffb00132dd3d3bd4efd4a277b2053a
-
SHA1
691f70aee58eba1ceae835f4ea123880be1e0b04
-
SHA256
fac76dce20527e0d385d72be5f7d39319b516c6d834940ec42ca270bf8fb70b6
-
SHA512
28f15e590e8b6697add3ff5f889506716fb10b7c23ae856ccfaf766fc8d34ab7eaa6afb02f09cfe8c99c78d96c2e9735513e8b1f1adce4902d137f8012f5668e
Malware Config
Extracted
snakekeylogger
Protocol: smtp- Host:
mail.privateemail.com - Port:
587 - Username:
admin@siemens-energy.cam - Password:
antivenom
Signatures
-
Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
-
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of WriteProcessMemory 9 IoCs
-
outlook_office_path 1 IoCs
-
outlook_win_path 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\PURCHASE ORDER.exe"C:\Users\Admin\AppData\Local\Temp\PURCHASE ORDER.exe"1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\PURCHASE ORDER.exe"C:\Users\Admin\AppData\Local\Temp\PURCHASE ORDER.exe"2⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/1472-55-0x00000000009A0000-0x00000000009A1000-memory.dmpFilesize
4KB
-
memory/1472-57-0x0000000074E51000-0x0000000074E53000-memory.dmpFilesize
8KB
-
memory/1472-58-0x00000000006B0000-0x00000000006B1000-memory.dmpFilesize
4KB
-
memory/1472-59-0x0000000000890000-0x00000000008BD000-memory.dmpFilesize
180KB
-
memory/1664-60-0x0000000000400000-0x0000000000426000-memory.dmpFilesize
152KB
-
memory/1664-61-0x0000000000400000-0x0000000000426000-memory.dmpFilesize
152KB
-
memory/1664-62-0x0000000000400000-0x0000000000426000-memory.dmpFilesize
152KB
-
memory/1664-63-0x0000000000400000-0x0000000000426000-memory.dmpFilesize
152KB
-
memory/1664-64-0x0000000000400000-0x0000000000426000-memory.dmpFilesize
152KB
-
memory/1664-65-0x000000000042054E-mapping.dmp
-
memory/1664-66-0x0000000000400000-0x0000000000426000-memory.dmpFilesize
152KB
-
memory/1664-68-0x0000000004A10000-0x0000000004A11000-memory.dmpFilesize
4KB