Analysis
-
max time kernel
110s -
max time network
118s -
platform
windows10_x64 -
resource
win10-en-20211014 -
submitted
03-12-2021 14:23
General
-
Target
PURCHASE ORDER.exe
-
Size
604KB
-
MD5
a6ffb00132dd3d3bd4efd4a277b2053a
-
SHA1
691f70aee58eba1ceae835f4ea123880be1e0b04
-
SHA256
fac76dce20527e0d385d72be5f7d39319b516c6d834940ec42ca270bf8fb70b6
-
SHA512
28f15e590e8b6697add3ff5f889506716fb10b7c23ae856ccfaf766fc8d34ab7eaa6afb02f09cfe8c99c78d96c2e9735513e8b1f1adce4902d137f8012f5668e
Score
10/10
Malware Config
Extracted
Family
snakekeylogger
Credentials
Protocol: smtp- Host:
mail.privateemail.com - Port:
587 - Username:
admin@siemens-energy.cam - Password:
antivenom
Signatures
-
Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
-
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Program crash 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 16 IoCs
-
Suspicious use of AdjustPrivilegeToken 5 IoCs
-
Suspicious use of WriteProcessMemory 8 IoCs
-
outlook_office_path 1 IoCs
-
outlook_win_path 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\PURCHASE ORDER.exe"C:\Users\Admin\AppData\Local\Temp\PURCHASE ORDER.exe"1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\PURCHASE ORDER.exe"C:\Users\Admin\AppData\Local\Temp\PURCHASE ORDER.exe"2⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2776 -s 10962⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/2776-115-0x0000000000A60000-0x0000000000A61000-memory.dmpFilesize
4KB
-
memory/2776-117-0x0000000005430000-0x0000000005431000-memory.dmpFilesize
4KB
-
memory/2776-118-0x0000000005540000-0x0000000005541000-memory.dmpFilesize
4KB
-
memory/2776-119-0x0000000001520000-0x000000000154D000-memory.dmpFilesize
180KB
-
memory/2776-120-0x0000000006B80000-0x0000000006B81000-memory.dmpFilesize
4KB
-
memory/3504-121-0x0000000000400000-0x0000000000426000-memory.dmpFilesize
152KB
-
memory/3504-122-0x000000000042054E-mapping.dmp
-
memory/3504-127-0x0000000004EF0000-0x00000000053EE000-memory.dmpFilesize
5.0MB
-
memory/3504-128-0x0000000006240000-0x0000000006241000-memory.dmpFilesize
4KB
-
memory/3504-129-0x0000000006110000-0x0000000006111000-memory.dmpFilesize
4KB
-
memory/3504-130-0x00000000060A0000-0x00000000060A1000-memory.dmpFilesize
4KB