Analysis
-
max time kernel
73s -
max time network
135s -
platform
windows10-2004_x64 -
resource
win10v2004-20220414-en -
submitted
05-07-2022 13:26
General
-
Target
Masters Denomination.exe
-
Size
467KB
-
MD5
6709335556ae2a6fb194b90898255bb6
-
SHA1
b2cd06ea2351229724561ed13006bb73ab53846f
-
SHA256
2f4ff9f1d7bfe43e4f4c8925a4e93d6702b09bf1946897f5d00e0f77fdd1ce99
-
SHA512
c3790280c6372cf22be330a46d7d17622d54c9fe2011ce0f2d12e78e892122235da68d9da9153605b873569d32b2d4b31144680ab761c5e74349c99f1d383562
Malware Config
Extracted
snakekeylogger
Protocol: smtp- Host:
mail.gaoyang-county-ycm.com - Port:
26 - Username:
info@gaoyang-county-ycm.com - Password:
nb34m5bf - Email To:
info@gaoyang-county-ycm.com
Signatures
-
Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
-
Snake Keylogger Payload 1 IoCs
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 8 IoCs
-
outlook_office_path 1 IoCs
-
outlook_win_path 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\Masters Denomination.exe"C:\Users\Admin\AppData\Local\Temp\Masters Denomination.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Masters Denomination.exe"{path}"2⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Masters Denomination.exe.logFilesize
1KB
MD584e77a587d94307c0ac1357eb4d3d46f
SHA183cc900f9401f43d181207d64c5adba7a85edc1e
SHA256e16024b092a026a9dc00df69d4b9bbcab7b2dc178dc5291fc308a1abc9304a99
SHA512aefb5c62200b3ed97718d20a89990954d4d8acdc0a6a73c5a420f1bba619cb79e70c2cd0a579b9f52dc6b09e1de2cea6cd6cac4376cfee92d94e2c01d310f691
-
memory/1284-135-0x0000000000000000-mapping.dmp
-
memory/1284-136-0x0000000000400000-0x0000000000426000-memory.dmpFilesize
152KB
-
memory/1284-138-0x0000000006B10000-0x0000000006CD2000-memory.dmpFilesize
1.8MB
-
memory/5016-130-0x00000000007D0000-0x000000000084A000-memory.dmpFilesize
488KB
-
memory/5016-131-0x0000000005760000-0x0000000005D04000-memory.dmpFilesize
5.6MB
-
memory/5016-132-0x0000000005250000-0x00000000052E2000-memory.dmpFilesize
584KB
-
memory/5016-133-0x00000000052F0000-0x000000000538C000-memory.dmpFilesize
624KB
-
memory/5016-134-0x00000000051F0000-0x00000000051FA000-memory.dmpFilesize
40KB