Overview

overview

10

Static

static

PO-5738737272.exe

windows7_x64

10

PO-5738737272.exe

windows10_x64

10

Analysis

  • max time kernel
    149s
  • max time network
    149s
  • platform
    windows10_x64
  • resource
    win10-en-20211104
  • submitted
    03-12-2021 16:26

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    PO-5738737272.exe

  • Size

    427KB

  • MD5

    e46e4deadec5bed6fcd3b6eb3202d606

  • SHA1

    a98564f3f69b65a5a031a8f8830e8d833f02a831

  • SHA256

    da7d90e13ecccb70bba997e4a07c76abf774dd2309bd71982fe3479ab0ddd663

  • SHA512

    5247025435db48a7a6b09dbf202bff5739415d533ba950cc38074bccbb6c192e3a6c2fa830c0243988738bfcbf3e628ae74a18b1b4c9ec6f5c7e68afbcfa2905

Score
10/10
snakekeyloggercollectionkeyloggerpersistencespywarestealer

Malware Config

Extracted

Family

snakekeylogger

Credentials

  • Protocol:     smtp
  • Host:
    mail.sapphireclothing.com
  • Port:
    587
  • Username:
    hr@sapphireclothing.com
  • Password:
    hrSap2018

Signatures

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
    persistence
  • Snake Keylogger

    Keylogger and Infostealer first seen in November 2020.

    stealerkeyloggersnakekeylogger
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Looks up external IP address via web service 3 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Runs ping.exe 1 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 17 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 26 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\PO-5738737272.exe
    "C:\Users\Admin\AppData\Local\Temp\PO-5738737272.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3716
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ping yahoo.com
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1304
      • C:\Windows\SysWOW64\PING.EXE
        "C:\Windows\system32\PING.EXE" yahoo.com
        3⤵
        • Runs ping.exe
        PID:3976
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ping google.com
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3568
      • C:\Windows\SysWOW64\PING.EXE
        "C:\Windows\system32\PING.EXE" google.com
        3⤵
        • Runs ping.exe
        PID:3672
    • C:\Users\Admin\AppData\Local\Temp\PO-5738737272.exe
      C:\Users\Admin\AppData\Local\Temp\PO-5738737272.exe
      2⤵
        PID:1700
      • C:\Users\Admin\AppData\Local\Temp\PO-5738737272.exe
        C:\Users\Admin\AppData\Local\Temp\PO-5738737272.exe
        2⤵
          PID:1752
        • C:\Users\Admin\AppData\Local\Temp\PO-5738737272.exe
          C:\Users\Admin\AppData\Local\Temp\PO-5738737272.exe
          2⤵
          • Accesses Microsoft Outlook profiles
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • outlook_office_path
          • outlook_win_path
          PID:1744

      Network

      MITRE ATT&CK Matrix ATT&CK v6

      Initial Access

      Execution

      Persistence

      Winlogon Helper DLL

      1
      T1004

      Privilege Escalation

      Defense Evasion

      Modify Registry

      1
      T1112

      Credential Access

      Credentials in Files

      3
      T1081

      Discovery

      System Information Discovery

      1
      T1082

      Remote System Discovery

      1
      T1018

      Lateral Movement

      Collection

      Data from Local System

      3
      T1005

      Email Collection

      1
      T1114

      Exfiltration

      Command and Control

      Impact

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\PO-5738737272.exe.log
        MD5

        1755d02418241b16d29f6f19bb49952e

        SHA1

        55a2a978b98c43820f21a8b7597515d804e43d2c

        SHA256

        ebeb444cf2bd1945e7be508cc782963cf8cf9cedb1680a776f41eb0bf763a561

        SHA512

        6cd5449f39199e276ea335af0721384ba18009932c8eed5a36e43f1e08b0890291fb9d033aee8c6e8c88899a44504cb222404137ea6b0d847a49a14971f47c75

        Download Submit
      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
        MD5

        0f5cbdca905beb13bebdcf43fb0716bd

        SHA1

        9e136131389fde83297267faf6c651d420671b3f

        SHA256

        a99135d86804f5cf8aaeb5943c1929bd1458652a3318ab8c01aee22bb4991060

        SHA512

        a41d2939473cffcb6beb8b58b499441d16da8bcc22972d53b8b699b82a7dc7be0db39bcd2486edd136294eb3f1c97ddd27b2a9ff45b831579cba6896d1f776b0

        Download Submit
      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        MD5

        223b638127d016588d4528856a993b72

        SHA1

        2d3345c98fb3f18a60de2db6bd1f377645aac409

        SHA256

        2e97aa75adee5751fdfed5e2026cc9fe239f6100b9b97c21c97c4caeabaeef85

        SHA512

        56b2318de779c102cf396a0da4e1cc661f5fca9a35086da5b14616ab375dfb3372b3d9e4be067414b40baeafcfe04961a280ff2b6b4ccaceb06271052b69d3c9

        Download Submit
      • memory/1304-143-0x00000000067B3000-0x00000000067B4000-memory.dmp
        Filesize

        4KB

        Download
      • memory/1304-139-0x0000000000BB0000-0x0000000000BB1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/1304-124-0x0000000000BB0000-0x0000000000BB1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/1304-125-0x0000000000BB0000-0x0000000000BB1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/1304-126-0x0000000000CD0000-0x0000000000CD1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/1304-127-0x0000000006DF0000-0x0000000006DF1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/1304-129-0x00000000067B0000-0x00000000067B1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/1304-144-0x00000000067B4000-0x00000000067B6000-memory.dmp
        Filesize

        8KB

        Download
      • memory/1304-130-0x00000000067B2000-0x00000000067B3000-memory.dmp
        Filesize

        4KB

        Download
      • memory/1304-131-0x0000000006AA0000-0x0000000006AA1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/1304-132-0x0000000006C40000-0x0000000006C41000-memory.dmp
        Filesize

        4KB

        Download
      • memory/1304-133-0x0000000006D30000-0x0000000006D31000-memory.dmp
        Filesize

        4KB

        Download
      • memory/1304-123-0x0000000000000000-mapping.dmp
        Download
      • memory/1304-135-0x0000000006DC0000-0x0000000006DC1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/1304-136-0x0000000007C80000-0x0000000007C81000-memory.dmp
        Filesize

        4KB

        Download
      • memory/1304-137-0x0000000007D50000-0x0000000007D51000-memory.dmp
        Filesize

        4KB

        Download
      • memory/1304-134-0x0000000007660000-0x0000000007661000-memory.dmp
        Filesize

        4KB

        Download
      • memory/1744-175-0x00000000060E0000-0x00000000060E1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/1744-166-0x0000000000400000-0x0000000000426000-memory.dmp
        Filesize

        152KB

        Download
      • memory/1744-172-0x0000000004D60000-0x0000000004D61000-memory.dmp
        Filesize

        4KB

        Download
      • memory/1744-173-0x0000000004E50000-0x000000000534E000-memory.dmp
        Filesize

        5.0MB

        Download
      • memory/1744-167-0x000000000042052E-mapping.dmp
        Download
      • memory/3568-142-0x00000000032D0000-0x00000000032D1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/3568-145-0x00000000032D0000-0x00000000032D1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/3568-151-0x00000000081C0000-0x00000000081C1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/3568-162-0x00000000070C3000-0x00000000070C4000-memory.dmp
        Filesize

        4KB

        Download
      • memory/3568-154-0x0000000008870000-0x0000000008871000-memory.dmp
        Filesize

        4KB

        Download
      • memory/3568-156-0x00000000070C0000-0x00000000070C1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/3568-157-0x00000000070C2000-0x00000000070C3000-memory.dmp
        Filesize

        4KB

        Download
      • memory/3568-159-0x00000000032D0000-0x00000000032D1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/3568-140-0x0000000000000000-mapping.dmp
        Download
      • memory/3568-163-0x00000000070C4000-0x00000000070C6000-memory.dmp
        Filesize

        8KB

        Download
      • memory/3672-158-0x0000000000000000-mapping.dmp
        Download
      • memory/3716-128-0x0000000005700000-0x0000000005701000-memory.dmp
        Filesize

        4KB

        Download
      • memory/3716-164-0x0000000005703000-0x0000000005705000-memory.dmp
        Filesize

        8KB

        Download
      • memory/3716-165-0x0000000007330000-0x0000000007349000-memory.dmp
        Filesize

        100KB

        Download
      • memory/3716-160-0x0000000007290000-0x00000000072EC000-memory.dmp
        Filesize

        368KB

        Download
      • memory/3716-121-0x00000000057C0000-0x00000000057C1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/3716-120-0x0000000005C20000-0x0000000005C21000-memory.dmp
        Filesize

        4KB

        Download
      • memory/3716-118-0x0000000000E80000-0x0000000000E81000-memory.dmp
        Filesize

        4KB

        Download
      • memory/3716-122-0x0000000005730000-0x0000000005731000-memory.dmp
        Filesize

        4KB

        Download
      • memory/3976-138-0x0000000000000000-mapping.dmp
        Download