Analysis

  • max time kernel
    106s
  • max time network
    156s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220112
  • submitted
    31-01-2022 17:53

General

  • Target

    proforma invoice.exe

  • Size

    486KB

  • MD5

    9c6c327f42df226c0c09561218bb5119

  • SHA1

    2dc652211fdb2b9d0690e6a1d2f692a0c04af2bc

  • SHA256

    aaa1238cff25c9609f089d345d805e5ea580e9e9cddfcdd640e446d0dfa3ad27

  • SHA512

    70449ac67b625f207a33f1231dca0636c5a9f2837d1d8492ddff394d28f301aa79581fb559502b4d908ad3598f8925e491b3f465de467893c195c7ee44a9f4db

Malware Config

Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    mail.faks-allied-health.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    $Faks1234

Extracted

Family

snakekeylogger

Credentials

Signatures

  • Snake Keylogger

    Keylogger and Infostealer first seen in November 2020.

  • Snake Keylogger Payload 1 IoCs
  • Sets service image path in registry 2 TTPs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
  • Looks up external IP address via web service 3 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Modifies data under HKEY_USERS 41 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
    "C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:664
    • C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
      "C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
      2⤵
      • Accesses Microsoft Outlook profiles
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • outlook_office_path
      • outlook_win_path
      PID:3512
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p
    1⤵
      PID:3496
    • C:\Windows\System32\WaaSMedicAgent.exe
      C:\Windows\System32\WaaSMedicAgent.exe 308dbc42c73fc8e2493cdef1505af6a0 Z0ba7Q1OAEyu1wgVw9aMDg.0.1.0.0.0
      1⤵
      • Modifies data under HKEY_USERS
      PID:3444

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/664-130-0x0000000000DB0000-0x0000000000E30000-memory.dmp

      Filesize

      512KB

    • memory/664-131-0x0000000005DE0000-0x0000000006384000-memory.dmp

      Filesize

      5.6MB

    • memory/664-132-0x0000000005830000-0x00000000058C2000-memory.dmp

      Filesize

      584KB

    • memory/664-133-0x0000000005830000-0x0000000005DD4000-memory.dmp

      Filesize

      5.6MB

    • memory/664-134-0x00000000057D0000-0x00000000057DA000-memory.dmp

      Filesize

      40KB

    • memory/664-135-0x0000000007B30000-0x0000000007BCC000-memory.dmp

      Filesize

      624KB

    • memory/3512-136-0x0000000000400000-0x0000000000426000-memory.dmp

      Filesize

      152KB

    • memory/3512-137-0x0000000005500000-0x0000000005AA4000-memory.dmp

      Filesize

      5.6MB

    • memory/3512-138-0x0000000006B30000-0x0000000006CF2000-memory.dmp

      Filesize

      1.8MB