Analysis

  • max time kernel
    112s
  • max time network
    143s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    21-05-2022 07:56

General

  • Target

    32e3f433b732245bcd8a27d204a770fc82d70010f3cb1549dc91f04d24849941.exe

  • Size

    229KB

  • MD5

    773aeb8b7d2c978f5e6827e3156a5115

  • SHA1

    5cf948bc30bca89a8b32ed38c5c723cca13fa196

  • SHA256

    32e3f433b732245bcd8a27d204a770fc82d70010f3cb1549dc91f04d24849941

  • SHA512

    5b76cc3802f7809bbb389048358bb0374273406492445c75abe301342ba9b7833f613073e7c5eda4e1d249b947822d6ffdba10735685ff0825055cd2b4a8b376

Malware Config

Signatures

  • Snake Keylogger

    Keylogger and Infostealer first seen in November 2020.

  • Snake Keylogger Payload 4 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\32e3f433b732245bcd8a27d204a770fc82d70010f3cb1549dc91f04d24849941.exe
    "C:\Users\Admin\AppData\Local\Temp\32e3f433b732245bcd8a27d204a770fc82d70010f3cb1549dc91f04d24849941.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3472
    • C:\Users\Admin\AppData\Local\Temp\xgfelmj.exe
      C:\Users\Admin\AppData\Local\Temp\xgfelmj.exe C:\Users\Admin\AppData\Local\Temp\mpytqzqsx
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:1032
      • C:\Users\Admin\AppData\Local\Temp\xgfelmj.exe
        C:\Users\Admin\AppData\Local\Temp\xgfelmj.exe C:\Users\Admin\AppData\Local\Temp\mpytqzqsx
        3⤵
        • Executes dropped EXE
        • Accesses Microsoft Outlook profiles
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • outlook_office_path
        • outlook_win_path
        PID:1416

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Local\Temp\esliolzc8ysrwtt598tt

    Filesize

    196KB

    MD5

    089ec04b50fabcb804eed3fc2ee95b18

    SHA1

    4fae7c5feb9236f405858524b8461be9f06dfc19

    SHA256

    0d786f56d3bb1d76f4b7a658616674e763e687b7baccfd128e79c0fad60a580a

    SHA512

    2b96c679d98b788fb5706a4c2ec6eaec6c44df732084fd109f7d769c7e0b5d255e9e14eb3786486dd90564754242b2c7b23a159625e1b42241998fe95c0489e4

  • C:\Users\Admin\AppData\Local\Temp\mpytqzqsx

    Filesize

    5KB

    MD5

    fb0b69c4cf6c3743b47fa9fc35503c47

    SHA1

    5cffdd773544595fdf2951666b5bc66da924426a

    SHA256

    6f9ecba97920ddbc0e8a149271a96f4b178fb67b46e848c24ed7032e067b429f

    SHA512

    457e01dfc0894a83f0bd50c965191a61ce8b22680c4ba7715ef78c46401fcb3c9bcc6aa3c160f2abce24838d03d2539b95a7f390abaf735bab1b197431e62f5f

  • C:\Users\Admin\AppData\Local\Temp\xgfelmj.exe

    Filesize

    4KB

    MD5

    95ddcdc98ec9c024242038a7732c8f0d

    SHA1

    97a769287ab24fcdf87a53b33d4cd08281833325

    SHA256

    f2d2e945bbaa6578255b7d6bd4192327d9b280cb0a45fb6bc38f0c68f67436ec

    SHA512

    2c8732319934fb7009cc861b61fd9900744c9bb783cc60bb4e5aadb5220e03ee1c4bb39f8e36869d5efc9e89850466b6e7188d41c5f8e8dfe8b6244e29e03037

  • memory/1032-130-0x0000000000000000-mapping.dmp

  • memory/1416-138-0x0000000000400000-0x0000000000434000-memory.dmp

    Filesize

    208KB

  • memory/1416-136-0x0000000000400000-0x0000000000434000-memory.dmp

    Filesize

    208KB

  • memory/1416-135-0x0000000000000000-mapping.dmp

  • memory/1416-139-0x0000000000400000-0x0000000000434000-memory.dmp

    Filesize

    208KB

  • memory/1416-140-0x00000000057A0000-0x0000000005D44000-memory.dmp

    Filesize

    5.6MB

  • memory/1416-141-0x0000000005140000-0x00000000051DC000-memory.dmp

    Filesize

    624KB

  • memory/1416-142-0x0000000000400000-0x0000000000434000-memory.dmp

    Filesize

    208KB

  • memory/1416-143-0x0000000006430000-0x00000000064C2000-memory.dmp

    Filesize

    584KB

  • memory/1416-144-0x00000000066A0000-0x0000000006862000-memory.dmp

    Filesize

    1.8MB

  • memory/1416-145-0x0000000006410000-0x000000000641A000-memory.dmp

    Filesize

    40KB