Analysis
-
max time kernel
112s -
max time network
122s -
platform
windows10_x64 -
resource
win10-en-20211208 -
submitted
09-12-2021 12:49
General
-
Target
pedido n. 374_12092021.exe
-
Size
1.0MB
-
MD5
8b70954fa6e6cc11abce5eb3a662854d
-
SHA1
c4e7dd66874a9950f3cf9bdba8754450171f6fcd
-
SHA256
994cc7cf468a58b8e349624496714a2c23cc97f40d7d608d66abb8a700783c1b
-
SHA512
824e998fefd826e5739db3905ce7c8a3e1afffd970bad97d65a1de063fbdd354aa4d7cf447bd96f22bfc0f75402601453f4416479b36f7fb1807416831d7f82a
Malware Config
Signatures
-
Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
-
Snake Keylogger Payload 3 IoCs
-
Loads dropped DLL 1 IoCs
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
-
Drops desktop.ini file(s) 2 IoCs
-
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext 1 IoCs
-
Drops file in Windows directory 3 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 10 IoCs
-
outlook_office_path 1 IoCs
-
outlook_win_path 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\pedido n. 374_12092021.exe"C:\Users\Admin\AppData\Local\Temp\pedido n. 374_12092021.exe"1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\pedido n. 374_12092021.exe"C:\Users\Admin\AppData\Local\Temp\pedido n. 374_12092021.exe"2⤵
- Accesses Microsoft Outlook profiles
- Drops desktop.ini file(s)
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
\Users\Admin\AppData\Local\Temp\nsfD1E8.tmp\zosmhu.dllMD5
33a27d70110bd48bfe65c0a99e06a747
SHA161b2e7a760c4475c6b2c6d83584e2d4dea533bf0
SHA25689f3c5b465508891c5110e2ce3eacccaeaccb406c1ec176737e8975fdcb7bc82
SHA512490933b0ea5c2af795834915b601219a9aef685676d4412892053ad98adfb17430c8d40ed7f604f6e651998eb65101b6692a9666df70c2403b09220f2ae44e07
-
memory/3532-116-0x0000000000400000-0x000000000048B000-memory.dmpFilesize
556KB
-
memory/3532-117-0x000000000040188B-mapping.dmp
-
memory/3532-118-0x0000000000400000-0x000000000048B000-memory.dmpFilesize
556KB
-
memory/3532-119-0x0000000002330000-0x0000000002331000-memory.dmpFilesize
4KB
-
memory/3532-121-0x0000000002332000-0x0000000002334000-memory.dmpFilesize
8KB
-
memory/3532-120-0x0000000002331000-0x0000000002332000-memory.dmpFilesize
4KB
-
memory/3532-122-0x0000000002337000-0x0000000002338000-memory.dmpFilesize
4KB
-
memory/3532-123-0x0000000002338000-0x0000000002339000-memory.dmpFilesize
4KB