Overview

overview

10

Static

static

filezx.exe

windows7_x64

10

filezx.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    114s
  • max time network
    132s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    22-05-2022 05:25

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    filezx.exe

  • Size

    379KB

  • MD5

    7e439c7f9636682598cb3438da45ebe9

  • SHA1

    1033a94c129f60d5ef3915f0f8f1a9882eb4c845

  • SHA256

    bfc94f0bd631a75dca96329c99631b3d7a6f6152974b091d280a8f77ddd88e15

  • SHA512

    deebc13f38f464d6a3a660391cc70d30e774618c89604559354b393317b35eaae6b871718d86dd22d9a5efa5e9abc09fa9867aea740998fe7b985048a52c8cb9

Score
10/10
snakekeyloggercollectionkeyloggerspywarestealer

Malware Config

Extracted

Family

snakekeylogger

Credentials

  • Protocol:     smtp
  • Host:
    mail.twinarrow.com.my
  • Port:
    587
  • Username:
    account@twinarrow.com.my
  • Password:
    accountaccount123@
  • Email To:
    toniclinton33@gmail.com

Signatures

  • Snake Keylogger

    Keylogger and Infostealer first seen in November 2020.

    stealerkeyloggersnakekeylogger
  • Snake Keylogger Payload 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Delays execution with timeout.exe 20 IoCs
    evasion
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\filezx.exe
    "C:\Users\Admin\AppData\Local\Temp\filezx.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2204
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c timeout /t 1
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4336
      • C:\Windows\SysWOW64\timeout.exe
        timeout /t 1
        3⤵
        • Delays execution with timeout.exe
        PID:5080
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c timeout /t 1
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4272
      • C:\Windows\SysWOW64\timeout.exe
        timeout /t 1
        3⤵
        • Delays execution with timeout.exe
        PID:1020
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c timeout /t 1
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1708
      • C:\Windows\SysWOW64\timeout.exe
        timeout /t 1
        3⤵
        • Delays execution with timeout.exe
        PID:3876
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c timeout /t 1
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:232
      • C:\Windows\SysWOW64\timeout.exe
        timeout /t 1
        3⤵
        • Delays execution with timeout.exe
        PID:4928
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c timeout /t 1
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1904
      • C:\Windows\SysWOW64\timeout.exe
        timeout /t 1
        3⤵
        • Delays execution with timeout.exe
        PID:4732
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c timeout /t 1
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:916
      • C:\Windows\SysWOW64\timeout.exe
        timeout /t 1
        3⤵
        • Delays execution with timeout.exe
        PID:1640
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c timeout /t 1
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4836
      • C:\Windows\SysWOW64\timeout.exe
        timeout /t 1
        3⤵
        • Delays execution with timeout.exe
        PID:4460
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c timeout /t 1
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4884
      • C:\Windows\SysWOW64\timeout.exe
        timeout /t 1
        3⤵
        • Delays execution with timeout.exe
        PID:1864
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c timeout /t 1
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1528
      • C:\Windows\SysWOW64\timeout.exe
        timeout /t 1
        3⤵
        • Delays execution with timeout.exe
        PID:1036
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c timeout /t 1
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3956
      • C:\Windows\SysWOW64\timeout.exe
        timeout /t 1
        3⤵
        • Delays execution with timeout.exe
        PID:4824
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c timeout /t 1
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4040
      • C:\Windows\SysWOW64\timeout.exe
        timeout /t 1
        3⤵
        • Delays execution with timeout.exe
        PID:4592
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c timeout /t 1
      2⤵
        PID:4164
        • C:\Windows\SysWOW64\timeout.exe
          timeout /t 1
          3⤵
          • Delays execution with timeout.exe
          PID:4456
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c timeout /t 1
        2⤵
          PID:4996
          • C:\Windows\SysWOW64\timeout.exe
            timeout /t 1
            3⤵
            • Delays execution with timeout.exe
            PID:4868
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /c timeout /t 1
          2⤵
            PID:1608
            • C:\Windows\SysWOW64\timeout.exe
              timeout /t 1
              3⤵
              • Delays execution with timeout.exe
              PID:4364
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\System32\cmd.exe" /c timeout /t 1
            2⤵
              PID:4428
              • C:\Windows\SysWOW64\timeout.exe
                timeout /t 1
                3⤵
                • Delays execution with timeout.exe
                PID:2116
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\System32\cmd.exe" /c timeout /t 1
              2⤵
                PID:8
                • C:\Windows\SysWOW64\timeout.exe
                  timeout /t 1
                  3⤵
                  • Delays execution with timeout.exe
                  PID:4160
              • C:\Windows\SysWOW64\cmd.exe
                "C:\Windows\System32\cmd.exe" /c timeout /t 1
                2⤵
                  PID:4268
                  • C:\Windows\SysWOW64\timeout.exe
                    timeout /t 1
                    3⤵
                    • Delays execution with timeout.exe
                    PID:4260
                • C:\Windows\SysWOW64\cmd.exe
                  "C:\Windows\System32\cmd.exe" /c timeout /t 1
                  2⤵
                    PID:4144
                    • C:\Windows\SysWOW64\timeout.exe
                      timeout /t 1
                      3⤵
                      • Delays execution with timeout.exe
                      PID:684
                  • C:\Windows\SysWOW64\cmd.exe
                    "C:\Windows\System32\cmd.exe" /c timeout /t 1
                    2⤵
                      PID:216
                      • C:\Windows\SysWOW64\timeout.exe
                        timeout /t 1
                        3⤵
                        • Delays execution with timeout.exe
                        PID:1080
                    • C:\Windows\SysWOW64\cmd.exe
                      "C:\Windows\System32\cmd.exe" /c timeout /t 1
                      2⤵
                        PID:4024
                        • C:\Windows\SysWOW64\timeout.exe
                          timeout /t 1
                          3⤵
                          • Delays execution with timeout.exe
                          PID:3684
                      • C:\Users\Admin\AppData\Local\Temp\filezx.exe
                        C:\Users\Admin\AppData\Local\Temp\filezx.exe
                        2⤵
                        • Accesses Microsoft Outlook profiles
                        • Suspicious behavior: EnumeratesProcesses
                        • Suspicious use of AdjustPrivilegeToken
                        • outlook_office_path
                        • outlook_win_path
                        PID:4492

                    Network

                    MITRE ATT&CK Matrix ATT&CK v6

                    Initial Access

                    Execution

                    Persistence

                    Privilege Escalation

                    Defense Evasion

                    Credential Access

                    Credentials in Files

                    3
                    T1081

                    Discovery

                    Query Registry

                    1
                    T1012

                    System Information Discovery

                    2
                    T1082

                    Lateral Movement

                    Collection

                    Data from Local System

                    3
                    T1005

                    Email Collection

                    1
                    T1114

                    Exfiltration

                    Command and Control

                    Impact

                    Replay Monitor

                    Loading Replay Monitor...

                    Downloads

                    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\filezx.exe.log
                      Filesize

                      1KB

                      MD5

                      8fc84c8d72f995be269509b1bb98e2ef

                      SHA1

                      082b7b872eb80137ef4e6e8060329a52c0730a00

                      SHA256

                      6a611e8627f9d617f50ae50c2f1ae83b95afafe08aa22a65f9819a8b8be50e13

                      SHA512

                      e249460805df0d1a7fa0a478e393fdda0b36a476ba1441be1d9ad8770f9bee64dbb365c503ad268d64e6db8657d35ba683ec24cbb66633d9f486088765287fb9

                      Download Submit
                    • memory/8-161-0x0000000000000000-mapping.dmp
                      Download
                    • memory/216-167-0x0000000000000000-mapping.dmp
                      Download
                    • memory/232-137-0x0000000000000000-mapping.dmp
                      Download
                    • memory/684-166-0x0000000000000000-mapping.dmp
                      Download
                    • memory/916-141-0x0000000000000000-mapping.dmp
                      Download
                    • memory/1020-134-0x0000000000000000-mapping.dmp
                      Download
                    • memory/1036-148-0x0000000000000000-mapping.dmp
                      Download
                    • memory/1080-168-0x0000000000000000-mapping.dmp
                      Download
                    • memory/1528-147-0x0000000000000000-mapping.dmp
                      Download
                    • memory/1608-157-0x0000000000000000-mapping.dmp
                      Download
                    • memory/1640-142-0x0000000000000000-mapping.dmp
                      Download
                    • memory/1708-135-0x0000000000000000-mapping.dmp
                      Download
                    • memory/1864-146-0x0000000000000000-mapping.dmp
                      Download
                    • memory/1904-139-0x0000000000000000-mapping.dmp
                      Download
                    • memory/2116-160-0x0000000000000000-mapping.dmp
                      Download
                    • memory/2204-173-0x0000000007070000-0x00000000070C0000-memory.dmp
                      Filesize

                      320KB

                      Download
                    • memory/2204-172-0x0000000006FD0000-0x0000000007062000-memory.dmp
                      Filesize

                      584KB

                      Download
                    • memory/2204-171-0x0000000007490000-0x0000000007A34000-memory.dmp
                      Filesize

                      5.6MB

                      Download
                    • memory/2204-130-0x0000000000840000-0x00000000008A4000-memory.dmp
                      Filesize

                      400KB

                      Download
                    • memory/3684-170-0x0000000000000000-mapping.dmp
                      Download
                    • memory/3876-136-0x0000000000000000-mapping.dmp
                      Download
                    • memory/3956-149-0x0000000000000000-mapping.dmp
                      Download
                    • memory/4024-169-0x0000000000000000-mapping.dmp
                      Download
                    • memory/4040-151-0x0000000000000000-mapping.dmp
                      Download
                    • memory/4144-165-0x0000000000000000-mapping.dmp
                      Download
                    • memory/4160-162-0x0000000000000000-mapping.dmp
                      Download
                    • memory/4164-153-0x0000000000000000-mapping.dmp
                      Download
                    • memory/4260-164-0x0000000000000000-mapping.dmp
                      Download
                    • memory/4268-163-0x0000000000000000-mapping.dmp
                      Download
                    • memory/4272-133-0x0000000000000000-mapping.dmp
                      Download
                    • memory/4336-131-0x0000000000000000-mapping.dmp
                      Download
                    • memory/4364-158-0x0000000000000000-mapping.dmp
                      Download
                    • memory/4428-159-0x0000000000000000-mapping.dmp
                      Download
                    • memory/4456-154-0x0000000000000000-mapping.dmp
                      Download
                    • memory/4460-144-0x0000000000000000-mapping.dmp
                      Download
                    • memory/4492-177-0x0000000005630000-0x00000000056CC000-memory.dmp
                      Filesize

                      624KB

                      Download
                    • memory/4492-174-0x0000000000000000-mapping.dmp
                      Download
                    • memory/4492-178-0x0000000006970000-0x0000000006B32000-memory.dmp
                      Filesize

                      1.8MB

                      Download
                    • memory/4492-175-0x0000000000400000-0x0000000000426000-memory.dmp
                      Filesize

                      152KB

                      Download
                    • memory/4492-179-0x00000000068F0000-0x00000000068FA000-memory.dmp
                      Filesize

                      40KB

                      Download
                    • memory/4592-152-0x0000000000000000-mapping.dmp
                      Download
                    • memory/4732-140-0x0000000000000000-mapping.dmp
                      Download
                    • memory/4824-150-0x0000000000000000-mapping.dmp
                      Download
                    • memory/4836-143-0x0000000000000000-mapping.dmp
                      Download
                    • memory/4868-156-0x0000000000000000-mapping.dmp
                      Download
                    • memory/4884-145-0x0000000000000000-mapping.dmp
                      Download
                    • memory/4928-138-0x0000000000000000-mapping.dmp
                      Download
                    • memory/4996-155-0x0000000000000000-mapping.dmp
                      Download
                    • memory/5080-132-0x0000000000000000-mapping.dmp
                      Download