snakekeylogger | 093ae32e384e0781c6840738467880b8a18eeac99a9124e2b03431f054ccbba2

General

Target

SecuriteInfo.com.Win32.PWSX-gen.19575.15091.exe
Size

1.0MB
MD5

3672cbf3d4df3e8b980ca53da0be22af
SHA1

056122bc3ff2e7fc0f7daf12c4bde24dab554aba
SHA256

093ae32e384e0781c6840738467880b8a18eeac99a9124e2b03431f054ccbba2
SHA512

fbda4615c2984b80db5e970422340912fb84b8a1e8de23c277ed42de36b07525879f0f45ef530989598c22ccf07e0098cadc5d8025a5e9eefc5f2b5cbd09ef7b
SSDEEP

24576:ukdGOopzAI3ZnpSLixvrpgDMBse8UOiJoLSwybN9X:v1opLNjeuse8UOxu3

Score

10^/10

snakekeylogger keylogger persistence stealer

Malware Config

Signatures

Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
stealer keylogger snakekeylogger

Snake Keylogger payload 6 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2044-72-0x0000000000400000-0x0000000000426000-memory.dmp	family_snakekeylogger
behavioral1/memory/2044-74-0x000000000042072E-mapping.dmp	family_snakekeylogger
behavioral1/memory/2044-73-0x0000000000400000-0x0000000000426000-memory.dmp	family_snakekeylogger
behavioral1/memory/2044-70-0x0000000000400000-0x0000000000426000-memory.dmp	family_snakekeylogger
behavioral1/memory/2044-76-0x0000000000400000-0x0000000000426000-memory.dmp	family_snakekeylogger
behavioral1/memory/2044-78-0x0000000000400000-0x0000000000426000-memory.dmp	family_snakekeylogger

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

SecuriteInfo.com.Win32.PWSX-gen.19575.15091.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\Rrpkvujmgr = "\"C:\\Users\\Admin\\AppData\\Roaming\\Gurwxo\\Rrpkvujmgr.exe\""	SecuriteInfo.com.Win32.PWSX-gen.19575.15091.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

4 checkip.dyndns.org

flow	ioc
4	checkip.dyndns.org

Suspicious use of SetThreadContext 1 IoCs

Processes:

SecuriteInfo.com.Win32.PWSX-gen.19575.15091.exe

description	pid	process	target process
PID 1612 set thread context of 2044	1612	SecuriteInfo.com.Win32.PWSX-gen.19575.15091.exe	SecuriteInfo.com.Win32.PWSX-gen.19575.15091.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1616 2044 WerFault.exe SecuriteInfo.com.Win32.PWSX-gen.19575.15091.exe
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

powershell.exepowershell.exeSecuriteInfo.com.Win32.PWSX-gen.19575.15091.exe

pid process

1860 powershell.exe
1332 powershell.exe
2044 SecuriteInfo.com.Win32.PWSX-gen.19575.15091.exe

pid	pid_target	process	target process
1616	2044	WerFault.exe	SecuriteInfo.com.Win32.PWSX-gen.19575.15091.exe

pid	process
1860	powershell.exe
1332	powershell.exe
2044	SecuriteInfo.com.Win32.PWSX-gen.19575.15091.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

powershell.exeSecuriteInfo.com.Win32.PWSX-gen.19575.15091.exepowershell.exeSecuriteInfo.com.Win32.PWSX-gen.19575.15091.exe

description	pid	process
Token: SeDebugPrivilege	1860	powershell.exe
Token: SeDebugPrivilege	1612	SecuriteInfo.com.Win32.PWSX-gen.19575.15091.exe
Token: SeDebugPrivilege	1332	powershell.exe
Token: SeDebugPrivilege	2044	SecuriteInfo.com.Win32.PWSX-gen.19575.15091.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

SecuriteInfo.com.Win32.PWSX-gen.19575.15091.exeSecuriteInfo.com.Win32.PWSX-gen.19575.15091.exe

description	pid	process	target process
PID 1612 wrote to memory of 1860	1612	SecuriteInfo.com.Win32.PWSX-gen.19575.15091.exe	powershell.exe
PID 1612 wrote to memory of 1860	1612	SecuriteInfo.com.Win32.PWSX-gen.19575.15091.exe	powershell.exe
PID 1612 wrote to memory of 1860	1612	SecuriteInfo.com.Win32.PWSX-gen.19575.15091.exe	powershell.exe
PID 1612 wrote to memory of 1860	1612	SecuriteInfo.com.Win32.PWSX-gen.19575.15091.exe	powershell.exe
PID 1612 wrote to memory of 1332	1612	SecuriteInfo.com.Win32.PWSX-gen.19575.15091.exe	powershell.exe
PID 1612 wrote to memory of 1332	1612	SecuriteInfo.com.Win32.PWSX-gen.19575.15091.exe	powershell.exe
PID 1612 wrote to memory of 1332	1612	SecuriteInfo.com.Win32.PWSX-gen.19575.15091.exe	powershell.exe
PID 1612 wrote to memory of 1332	1612	SecuriteInfo.com.Win32.PWSX-gen.19575.15091.exe	powershell.exe
PID 1612 wrote to memory of 2044	1612	SecuriteInfo.com.Win32.PWSX-gen.19575.15091.exe	SecuriteInfo.com.Win32.PWSX-gen.19575.15091.exe
PID 1612 wrote to memory of 2044	1612	SecuriteInfo.com.Win32.PWSX-gen.19575.15091.exe	SecuriteInfo.com.Win32.PWSX-gen.19575.15091.exe
PID 1612 wrote to memory of 2044	1612	SecuriteInfo.com.Win32.PWSX-gen.19575.15091.exe	SecuriteInfo.com.Win32.PWSX-gen.19575.15091.exe
PID 1612 wrote to memory of 2044	1612	SecuriteInfo.com.Win32.PWSX-gen.19575.15091.exe	SecuriteInfo.com.Win32.PWSX-gen.19575.15091.exe
PID 1612 wrote to memory of 2044	1612	SecuriteInfo.com.Win32.PWSX-gen.19575.15091.exe	SecuriteInfo.com.Win32.PWSX-gen.19575.15091.exe
PID 1612 wrote to memory of 2044	1612	SecuriteInfo.com.Win32.PWSX-gen.19575.15091.exe	SecuriteInfo.com.Win32.PWSX-gen.19575.15091.exe
PID 1612 wrote to memory of 2044	1612	SecuriteInfo.com.Win32.PWSX-gen.19575.15091.exe	SecuriteInfo.com.Win32.PWSX-gen.19575.15091.exe
PID 1612 wrote to memory of 2044	1612	SecuriteInfo.com.Win32.PWSX-gen.19575.15091.exe	SecuriteInfo.com.Win32.PWSX-gen.19575.15091.exe
PID 1612 wrote to memory of 2044	1612	SecuriteInfo.com.Win32.PWSX-gen.19575.15091.exe	SecuriteInfo.com.Win32.PWSX-gen.19575.15091.exe
PID 2044 wrote to memory of 1616	2044	SecuriteInfo.com.Win32.PWSX-gen.19575.15091.exe	WerFault.exe
PID 2044 wrote to memory of 1616	2044	SecuriteInfo.com.Win32.PWSX-gen.19575.15091.exe	WerFault.exe
PID 2044 wrote to memory of 1616	2044	SecuriteInfo.com.Win32.PWSX-gen.19575.15091.exe	WerFault.exe
PID 2044 wrote to memory of 1616	2044	SecuriteInfo.com.Win32.PWSX-gen.19575.15091.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.19575.15091.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.19575.15091.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1612

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1860

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1332

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.19575.15091.exe
C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.19575.15091.exe
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2044

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2044 -s 1104
3⤵
- Program crash
PID:1616

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
7KB

MD5
52539352e53171a4694ddc02ddd1e33f

SHA1
2a688afd38f05b36721893bb26b11c38a6410a58

SHA256
6a675cce8a92a4fdff1e176390ce8a6b8dd7d37713ed27b78c3edab6087b1323

SHA512
659720d4880abf8d1f6f404882b947be8ce5a03379b8c4a6be5e35f78a1be8277bf133415b1779d911b07f94231501db79cbe3c0667dcd63b773078e5175b706

Download Submit
memory/1332-61-0x0000000000000000-mapping.dmp

Download
memory/1332-66-0x000000006E880000-0x000000006EE2B000-memory.dmp

Filesize
5.7MB

Download
memory/1332-65-0x000000006E880000-0x000000006EE2B000-memory.dmp

Filesize
5.7MB

Download
memory/1332-64-0x000000006E880000-0x000000006EE2B000-memory.dmp

Filesize
5.7MB

Download
memory/1612-60-0x00000000057E0000-0x0000000005A0C000-memory.dmp

Filesize
2.2MB

Download
memory/1612-54-0x0000000000930000-0x0000000000A3C000-memory.dmp

Filesize
1.0MB

Download
memory/1612-55-0x0000000076681000-0x0000000076683000-memory.dmp

Filesize
8KB

Download
memory/1616-80-0x0000000000000000-mapping.dmp

Download
memory/1860-59-0x000000006F670000-0x000000006FC1B000-memory.dmp

Filesize
5.7MB

Download
memory/1860-58-0x000000006F670000-0x000000006FC1B000-memory.dmp

Filesize
5.7MB

Download
memory/1860-56-0x0000000000000000-mapping.dmp

Download
memory/2044-72-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2044-74-0x000000000042072E-mapping.dmp

Download
memory/2044-73-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2044-70-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2044-68-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2044-76-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2044-78-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2044-67-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads