Overview

overview

10

Static

static

1

Advance Pa...0k.exe

windows7-x64

10

Advance Pa...0k.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    90s
  • max time network
    147s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
  • submitted
    16/02/2023, 10:36

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    Advance Payment-50k.exe

  • Size

    531KB

  • MD5

    9730ee14db1d3088b284b3ad350fdb1b

  • SHA1

    c1788dfd2f4faea8dc64652149b7190b714a9450

  • SHA256

    107b4465806250a6fd7fda62b3ec399b4eaa97a7262bd4a9e13fbe96007ed99e

  • SHA512

    dd4f721acaac67bad22750a3f55c14ee172e37e7cc324413745b7a898bbabb3dd4872864d0d0f2da4c13104c6e6cf15255343588eae8895d81659da797f07608

  • SSDEEP

    12288:SYnY72NMiNoWNeq8VSx8kyGgu/pYqa3wzmJzZFfi2d:SYnYiN5NrNeY+HGgfdJzZdi2d

Score
10/10
snakekeyloggercollectionkeyloggerspywarestealer

Malware Config

Signatures

  • Snake Keylogger

    Keylogger and Infostealer first seen in November 2020.

    stealerkeyloggersnakekeylogger
  • Snake Keylogger payload 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Advance Payment-50k.exe
    "C:\Users\Admin\AppData\Local\Temp\Advance Payment-50k.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4756
    • C:\Users\Admin\AppData\Local\Temp\gvwcmczpi.exe
      "C:\Users\Admin\AppData\Local\Temp\gvwcmczpi.exe" C:\Users\Admin\AppData\Local\Temp\zsmxm.frt
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:4840
      • C:\Users\Admin\AppData\Local\Temp\gvwcmczpi.exe
        "C:\Users\Admin\AppData\Local\Temp\gvwcmczpi.exe"
        3⤵
        • Executes dropped EXE
        • Accesses Microsoft Outlook profiles
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • outlook_office_path
        • outlook_win_path
        PID:4744

Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\gvwcmczpi.exe
          Filesize

          322KB

          MD5

          cd897322d23fc0344df24bdc3509a534

          SHA1

          1f3ddc8cfb21aaed5cd3d8e3b464e4bae3ef05dc

          SHA256

          bd3ba64a518799bc8f3a7c72c12a1947e71ef70b2b56a300daf194562bccd533

          SHA512

          ab65585898d41b19e9c68c3926da2a97000a724b9337a5451d05d2ca994e933f273d491941e52ab89c25548de2ba23c4dc1b45fdb2c9b32db88e41bce106ca93

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\gvwcmczpi.exe
          Filesize

          322KB

          MD5

          cd897322d23fc0344df24bdc3509a534

          SHA1

          1f3ddc8cfb21aaed5cd3d8e3b464e4bae3ef05dc

          SHA256

          bd3ba64a518799bc8f3a7c72c12a1947e71ef70b2b56a300daf194562bccd533

          SHA512

          ab65585898d41b19e9c68c3926da2a97000a724b9337a5451d05d2ca994e933f273d491941e52ab89c25548de2ba23c4dc1b45fdb2c9b32db88e41bce106ca93

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\gvwcmczpi.exe
          Filesize

          322KB

          MD5

          cd897322d23fc0344df24bdc3509a534

          SHA1

          1f3ddc8cfb21aaed5cd3d8e3b464e4bae3ef05dc

          SHA256

          bd3ba64a518799bc8f3a7c72c12a1947e71ef70b2b56a300daf194562bccd533

          SHA512

          ab65585898d41b19e9c68c3926da2a97000a724b9337a5451d05d2ca994e933f273d491941e52ab89c25548de2ba23c4dc1b45fdb2c9b32db88e41bce106ca93

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\kgfjcqtauq.mgi
          Filesize

          225KB

          MD5

          bee68038dcf616ac8ae2946c40dc05e6

          SHA1

          dc8d3ff8c5bf360d707e06ff07c4fbeadb3b08e9

          SHA256

          9e8b2c8c83c31ceb9be5280f142cdf7ed2227bdc51101805de7d721d9ad3229c

          SHA512

          831348b517a83843b65d32fb423f182edc178abca9bf07cb30ecdca207a53256a31166ada2a5a722c94fa1d06a5486be57da2e49b05627a15865d5e1fe6ae1f9

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\zsmxm.frt
          Filesize

          5KB

          MD5

          ee68b7d6c9587350932b034ca9acaa45

          SHA1

          090fd5a27ecfe3c67dfbff558d60dfeb24daa418

          SHA256

          8b503278dcf5e68891137025e39238aaf9ba840437c1d9114ab9c90cea7806c5

          SHA512

          e4f41c29d02ead8eff26dd911f3ad670ea917d29f810826a0ad5309bb6a81827b4a41e74c934a029cb80eb7ae3f6751f7af26a330ba63b7b9cbf25396f34aced

          Download Submit

        • memory/4744-139-0x0000000000400000-0x0000000000437000-memory.dmp

          Filesize

          220KB

          Download

        • memory/4744-140-0x00000000058D0000-0x0000000005E74000-memory.dmp

          Filesize

          5.6MB

          Download

        • memory/4744-141-0x00000000053C0000-0x000000000545C000-memory.dmp

          Filesize

          624KB

          Download

        • memory/4744-142-0x0000000006610000-0x00000000067D2000-memory.dmp

          Filesize

          1.8MB

          Download

        • memory/4744-143-0x00000000064E0000-0x0000000006572000-memory.dmp

          Filesize

          584KB

          Download

        • memory/4744-144-0x00000000064C0000-0x00000000064CA000-memory.dmp

          Filesize

          40KB

          Download