Analysis

max time kernel: 143s
max time network: 127s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 28-03-2023 06:14
Static task: static1
Behavioral task: behavioral1, sample SOA..exe, resource win7-20230220-en
Behavioral task: behavioral2, sample SOA..exe, resource win10v2004-20230220-en
General

Target: SOA..exe
Size: 283KB
MD5: 2fb4a6541352bc6ddef8ac5751572cca
SHA1: 0b256d3a9439252035f92280d359be04c176fc0a
SHA256: d7c2fe9485b6c29fb527f162ecfdd6724db6fd1abca5ce08582e2860e998b3be
SHA512: 936486109ef67313a1d2c03a360ba430c979bab6f9235ca847d7788c67e88639baad471468491f749cc8370e00f1c04151578eebbc8b33a41727c9f9c3ba4782
SSDEEP: 6144:/Ya6dRGROV5Ap2Jv7FVnXGgerSZLaPPGQbS8pZEpLjimuL1XTJ66fC2nlkQ2G:/YDRG4bjjXG7rSeP+8pZEVWmW1DJ665V
Malware Config
Signatures
- Snake Keylogger
Keylogger and Infostealer first seen in November 2020.

- Snake Keylogger payload, 5 IoCs
YARA rule family_snakekeylogger matched the following memory dumps, all taken from PID 4000 (the third-level uymcc.exe in the process tree). The matches are against memory of the injected child rather than against any file listed under Downloads, which is what one expects when the payload is unpacked and injected at run time.
  behavioral2/memory/4000-142-0x0000000000400000-0x0000000000437000-memory.dmp
  behavioral2/memory/4000-144-0x0000000000400000-0x0000000000437000-memory.dmp
  behavioral2/memory/4000-145-0x0000000000400000-0x0000000000437000-memory.dmp
  behavioral2/memory/4000-149-0x0000000000400000-0x0000000000437000-memory.dmp
  behavioral2/memory/4000-158-0x00000000049D0000-0x00000000049E0000-memory.dmp
- Executes dropped EXE, 2 IoCs
  PID 1656 uymcc.exe
  PID 4000 uymcc.exe
- Reads data files stored by FTP clients, 2 TTPs
Tries to access configuration files associated with programs like FileZilla.

- Reads user/profile data of local email clients, 2 TTPs
Email clients store some user data on disk where infostealers will often target it.

- Reads user/profile data of web browsers, 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses Microsoft Outlook profiles, 1 TTPs, 3 IoCs
Registry keys opened by uymcc.exe (the third-level uymcc.exe in the process tree). These are the Outlook/MAPI profile stores under the user's hive, where a stealer looks for saved mail account settings and credentials:
  \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
  \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
  \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
- Looks up external IP address via web service, 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
  flow 12: checkip.dyndns.org
- Suspicious use of SetThreadContext, 1 IoCs
  PID 1656 (uymcc.exe) set thread context of PID 4000 (uymcc.exe)
- Enumerates physical storage devices, 1 TTPs
Attempts to interact with connected storage/optical drive(s). The sandbox's generic description for this signature reads "Likely ransomware behaviour"; on this sample every other signature points to an infostealer, so treat the drive enumeration as part of its collection step rather than as evidence of ransomware.
- Suspicious behavior: EnumeratesProcesses, 2 IoCs
  PID 4000 uymcc.exe (two occurrences)

- Suspicious behavior: MapViewOfSection, 1 IoCs
  PID 1656 uymcc.exe

- Suspicious use of AdjustPrivilegeToken, 1 IoCs
  Token: SeDebugPrivilege, PID 4000 uymcc.exe

- Suspicious use of WriteProcessMemory, 7 IoCs
  PID 4460 (SOA..exe) wrote to memory of PID 1656 (uymcc.exe), 3 times
  PID 1656 (uymcc.exe) wrote to memory of PID 4000 (uymcc.exe), 4 times
- outlook_office_path, 1 IoCs
  Key opened by uymcc.exe: \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

- outlook_win_path, 1 IoCs
  Key opened by uymcc.exe: \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Processes

Parent/child chain as the sandbox recorded it (PIDs taken from the signature tables above). The submitted SOA..exe drops and starts uymcc.exe with the 5KB dropped file kxdkptksntt.ees as its argument; that loader then starts a second copy of itself, writes into it and replaces its thread context, a pairing consistent with process hollowing. The family YARA matches and the Outlook profile access all come from that third process.

- C:\Users\Admin\AppData\Local\Temp\SOA..exe (PID 4460)
  command line: "C:\Users\Admin\AppData\Local\Temp\SOA..exe"
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\uymcc.exe (PID 1656)
    command line: "C:\Users\Admin\AppData\Local\Temp\uymcc.exe" C:\Users\Admin\AppData\Local\Temp\kxdkptksntt.ees
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\uymcc.exe (PID 4000)
      command line: "C:\Users\Admin\AppData\Local\Temp\uymcc.exe"
      - Executes dropped EXE
      - Accesses Microsoft Outlook profiles
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - outlook_office_path
      - outlook_win_path
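The behavioural rows above can be turned into detection logic directly. The script below is an added example and not code from the sandbox vendor: it takes the report's own IoC rows (copied verbatim as constructed input) and the process tree, rebuilds the parent-to-child write-memory plus SetThreadContext pairing, and separately flags the Outlook profile key opens and the external IP lookup. The record layout, the function names and the IP-lookup domain list are this example's assumptions.

```python
"""Rebuild the injection chain and collection steps from behavioural IoC rows.

Added example for this report, not code from the sandbox vendor. The rows in
REPORT_ROWS are copied from the report's signature tables and PROCESS_TREE from
its Processes section; the event layout, function names and IP_LOOKUP_DOMAINS
are this example's own assumptions.
"""
import re
from collections import defaultdict

# Constructed input: rows copied from the report's signature tables.
REPORT_ROWS = r"""
PID 4460 wrote to memory of 1656 4460 SOA..exe uymcc.exe
PID 4460 wrote to memory of 1656 4460 SOA..exe uymcc.exe
PID 4460 wrote to memory of 1656 4460 SOA..exe uymcc.exe
PID 1656 wrote to memory of 4000 1656 uymcc.exe uymcc.exe
PID 1656 wrote to memory of 4000 1656 uymcc.exe uymcc.exe
PID 1656 wrote to memory of 4000 1656 uymcc.exe uymcc.exe
PID 1656 wrote to memory of 4000 1656 uymcc.exe uymcc.exe
PID 1656 set thread context of 4000 1656 uymcc.exe uymcc.exe
Key opened \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 uymcc.exe
Key opened \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 uymcc.exe
Key opened \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 uymcc.exe
flow 12 checkip.dyndns.org
"""

# Process tree from the report's Processes section: (pid, parent pid, image).
PROCESS_TREE = [(4460, None, "SOA..exe"), (1656, 4460, "uymcc.exe"), (4000, 1656, "uymcc.exe")]

# Assumption: IP-echo services a stealer uses to tag its victim; only the one
# seen in this report is listed here.
IP_LOOKUP_DOMAINS = {"checkip.dyndns.org"}

ROW_PATTERNS = {
    "write_memory": re.compile(r"^PID (\d+) wrote to memory of (\d+) \d+ (\S+) (\S+)$"),
    "set_thread_context": re.compile(r"^PID (\d+) set thread context of (\d+) \d+ (\S+) (\S+)$"),
    "key_opened": re.compile(r"^Key opened (.+) (\S+)$"),  # greedy: key may contain spaces
    "dns_flow": re.compile(r"^flow (\d+) (\S+)$"),
}


def parse_rows(text):
    """Turn the flattened report rows into typed event dicts; unknown rows are skipped."""
    events = []
    for line in text.strip().splitlines():
        for kind, pattern in ROW_PATTERNS.items():
            m = pattern.match(line.strip())
            if not m:
                continue
            if kind in ("write_memory", "set_thread_context"):
                events.append({"kind": kind, "src": int(m[1]), "dst": int(m[2]),
                               "src_image": m[3], "dst_image": m[4]})
            elif kind == "key_opened":
                events.append({"kind": kind, "key": m[1], "process": m[2]})
            else:
                events.append({"kind": kind, "flow": int(m[1]), "domain": m[2]})
            break
    return events


def detect_hollowing(events, tree):
    """Flag a parent that both wrote into its own child and replaced the child's
    thread context (the process-hollowing pairing); note when the child runs the
    parent's own image, as in this report."""
    parent_of = {pid: ppid for pid, ppid, _ in tree}
    writes = defaultdict(int)
    for e in events:
        if e["kind"] == "write_memory":
            writes[(e["src"], e["dst"])] += 1
    findings = []
    for e in events:
        if e["kind"] != "set_thread_context":
            continue
        pair = (e["src"], e["dst"])
        if writes[pair] and parent_of.get(e["dst"]) == e["src"]:
            findings.append({"parent": e["src"], "child": e["dst"], "writes": writes[pair],
                             "self_image": e["src_image"] == e["dst_image"]})
    return findings


def detect_outlook_profile_access(events):
    """Distinct (process, key) pairs where an Outlook profile store was opened."""
    marker = re.compile(r"\\Profiles\\Outlook\\", re.IGNORECASE)
    return sorted({(e["process"], e["key"]) for e in events
                   if e["kind"] == "key_opened" and marker.search(e["key"])})


def detect_external_ip_lookup(events):
    """Domains from the flow rows that belong to a known IP-echo service."""
    return sorted({e["domain"] for e in events
                   if e["kind"] == "dns_flow" and e["domain"] in IP_LOOKUP_DOMAINS})


def analyze(text=REPORT_ROWS, tree=PROCESS_TREE):
    events = parse_rows(text)
    return {"hollowing": detect_hollowing(events, tree),
            "outlook_profiles": detect_outlook_profile_access(events),
            "ip_lookup": detect_external_ip_lookup(events)}


if __name__ == "__main__":
    for name, hits in analyze().items():
        print(f"{name}: {hits}")
```

Run against the report's rows it yields exactly one hollowing finding (PID 1656 into PID 4000, four writes, same image), three Outlook profile keys and the checkip.dyndns.org lookup; the three writes from SOA..exe into PID 1656 are not paired with a SetThreadContext and so are reported as nothing more than the memory-write count. On live hosts the same pairing needs API-level telemetry from an EDR: Sysmon does not record SetThreadContext, nor writes a parent makes through the handle it received from CreateProcess, so with Sysmon alone the observable is a freshly dropped Temp-path executable starting a second copy of itself.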
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

- C:\Users\Admin\AppData\Local\Temp\fwnsmyj.i
  Filesize: 225KB
  MD5: 9705247833db4cc9e0bb453bfc21e08f
  SHA1: b14d668bd2844ef46177900a2bc7dfb958194783
  SHA256: 1b11ba49fa923478668bc09c29f94eaab78b4b9cd78600b0dcb9a216be2e6c2b
  SHA512: e5179bbcdd79938de3668f2f5efc5667615131651b3311234c4541069e160421ce5cb563e3464029de87bf35b75d184f97f9816803540a511027439673155ac6

- C:\Users\Admin\AppData\Local\Temp\kxdkptksntt.ees
  Filesize: 5KB
  MD5: 9fc0a867c873ffc91c15f390a7fcacd1
  SHA1: b00984a84ca303f653bd6cf4bf971d856cb1bdc9
  SHA256: 6685944851188c7c3a690338faef047b413eae06937b614fc620eed00dea7b65
  SHA512: 61beb816d03172084ef43b60c447e6942f0bf67245b5c0c3a270de1b6259c47850937efe6a2e86de1b7b55961d6e47ca551ef97bcab4411a52406e5755d37c6e

- C:\Users\Admin\AppData\Local\Temp\uymcc.exe (the report lists this file three times with identical hashes)
  Filesize: 138KB
  MD5: 6760af9a355ba5f55c38cafa1f392522
  SHA1: 28680b28ec195b70e174c56543bc0c2fbb798969
  SHA256: fc11667bcf384a98a6552387516109f54fb607cb083ea688291d1f57afefb109
  SHA512: 5d19dfd4fab30da7ff116ba2ec8ba737cffb8b2b7349446fde4fba46f7aec44c77d7ad18ea7d3bc5b216cf26a66a8a66a2d9994af26db1e887329a8338f2f439
-
memory/1656-140-0x0000000000580000-0x0000000000582000-memory.dmpFilesize
8KB
-
memory/4000-148-0x0000000004F90000-0x000000000502C000-memory.dmpFilesize
624KB
-
memory/4000-151-0x00000000049D0000-0x00000000049E0000-memory.dmpFilesize
64KB
-
memory/4000-145-0x0000000000400000-0x0000000000437000-memory.dmpFilesize
220KB
-
memory/4000-147-0x00000000049E0000-0x0000000004F84000-memory.dmpFilesize
5.6MB
-
memory/4000-142-0x0000000000400000-0x0000000000437000-memory.dmpFilesize
220KB
-
memory/4000-149-0x0000000000400000-0x0000000000437000-memory.dmpFilesize
220KB
-
memory/4000-150-0x00000000049D0000-0x00000000049E0000-memory.dmpFilesize
64KB
-
memory/4000-144-0x0000000000400000-0x0000000000437000-memory.dmpFilesize
220KB
-
memory/4000-152-0x00000000049D0000-0x00000000049E0000-memory.dmpFilesize
64KB
-
memory/4000-153-0x0000000005B50000-0x0000000005D12000-memory.dmpFilesize
1.8MB
-
memory/4000-154-0x0000000005D20000-0x0000000005DB2000-memory.dmpFilesize
584KB
-
memory/4000-155-0x0000000005E30000-0x0000000005E3A000-memory.dmpFilesize
40KB
-
memory/4000-157-0x00000000049D0000-0x00000000049E0000-memory.dmpFilesize
64KB
-
memory/4000-158-0x00000000049D0000-0x00000000049E0000-memory.dmpFilesize
64KB
-
memory/4000-159-0x00000000049D0000-0x00000000049E0000-memory.dmpFilesize
64KB
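Sixteen dump names for eight distinct regions is the normal shape of such a list, and the first question for a responder is which regions carry the family rule and which of those is the injected image. The script below is an added example, not the sandbox's code: it parses the dump names and the YARA hit lines above (both copied from this report as constructed input), collapses repeat dumps of the same region, recomputes each region's size from its address range, and picks out the family-matched region that sits at the conventional 32-bit PE image base. The size-label format and the image-base heuristic are this example's own assumptions.

```python
"""Cross-reference a sandbox report's memory dump list with its family YARA hits.

Added example for this report, not code from the sandbox vendor. DUMP_NAMES and
YARA_HITS are copied from the report; the parsing, size_label and the
image-base heuristic are this example's own assumptions.
"""
import re
from collections import defaultdict

# Constructed input: the memory dump names listed under Downloads.
DUMP_NAMES = """
memory/1656-140-0x0000000000580000-0x0000000000582000-memory.dmp
memory/4000-148-0x0000000004F90000-0x000000000502C000-memory.dmp
memory/4000-151-0x00000000049D0000-0x00000000049E0000-memory.dmp
memory/4000-145-0x0000000000400000-0x0000000000437000-memory.dmp
memory/4000-147-0x00000000049E0000-0x0000000004F84000-memory.dmp
memory/4000-142-0x0000000000400000-0x0000000000437000-memory.dmp
memory/4000-149-0x0000000000400000-0x0000000000437000-memory.dmp
memory/4000-150-0x00000000049D0000-0x00000000049E0000-memory.dmp
memory/4000-144-0x0000000000400000-0x0000000000437000-memory.dmp
memory/4000-152-0x00000000049D0000-0x00000000049E0000-memory.dmp
memory/4000-153-0x0000000005B50000-0x0000000005D12000-memory.dmp
memory/4000-154-0x0000000005D20000-0x0000000005DB2000-memory.dmp
memory/4000-155-0x0000000005E30000-0x0000000005E3A000-memory.dmp
memory/4000-157-0x00000000049D0000-0x00000000049E0000-memory.dmp
memory/4000-158-0x00000000049D0000-0x00000000049E0000-memory.dmp
memory/4000-159-0x00000000049D0000-0x00000000049E0000-memory.dmp
"""

# Constructed input: the five hits listed under "Snake Keylogger payload".
YARA_HITS = """
behavioral2/memory/4000-142-0x0000000000400000-0x0000000000437000-memory.dmp family_snakekeylogger
behavioral2/memory/4000-144-0x0000000000400000-0x0000000000437000-memory.dmp family_snakekeylogger
behavioral2/memory/4000-145-0x0000000000400000-0x0000000000437000-memory.dmp family_snakekeylogger
behavioral2/memory/4000-149-0x0000000000400000-0x0000000000437000-memory.dmp family_snakekeylogger
behavioral2/memory/4000-158-0x00000000049D0000-0x00000000049E0000-memory.dmp family_snakekeylogger
"""

DUMP_RE = re.compile(r"memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp")

# Heuristic (assumption): 0x400000 is the default image base of a 32-bit PE, so a
# family hit on a region starting there is most likely the injected image itself.
DEFAULT_IMAGE_BASE = 0x400000


def size_label(nbytes):
    """Render a byte count the way the report does: whole KiB, or MiB to one decimal."""
    if nbytes >= 1 << 20:
        return f"{nbytes / (1 << 20):.1f}MB"
    return f"{nbytes // 1024}KB"


def parse_dumps(text):
    """Map (pid, start, end) to the dump sequence numbers taken of that region."""
    regions = defaultdict(list)
    for m in DUMP_RE.finditer(text):
        regions[(int(m[1]), int(m[3], 16), int(m[4], 16))].append(int(m[2]))
    return regions


def parse_yara(text):
    """Map (pid, start, end) to the set of rule names that matched a dump of it."""
    hits = defaultdict(set)
    for line in text.strip().splitlines():
        m = DUMP_RE.search(line)
        if m:
            hits[(int(m[1]), int(m[3], 16), int(m[4], 16))].add(line.rsplit(" ", 1)[1])
    return hits


def summarize(dumps_text=DUMP_NAMES, yara_text=YARA_HITS):
    """One row per distinct region: size, how often it was dumped, which rules hit."""
    regions = parse_dumps(dumps_text)
    hits = parse_yara(yara_text)
    rows = []
    for (pid, start, end), seqs in sorted(regions.items()):
        rows.append({"pid": pid, "start": start, "end": end, "size": end - start,
                     "label": size_label(end - start), "dumps": len(seqs),
                     "rules": sorted(hits.get((pid, start, end), ())),
                     "image_base": start == DEFAULT_IMAGE_BASE})
    return rows


def payload_regions(rows):
    """Regions to pull first: a family rule matched and the region sits at the image base."""
    return [r for r in rows if r["rules"] and r["image_base"]]


if __name__ == "__main__":
    for r in summarize():
        flag = "*" if r["rules"] else " "
        print(f"{flag} pid {r['pid']} {r['start']:#010x}-{r['end']:#010x} "
              f"{r['label']:>7} x{r['dumps']} {r['rules']}")
```

The recomputed sizes agree with the report's labels (0x37000 bytes is exactly 220KB, 0x1C2000 rounds to 1.8MB), which confirms the report's KB/MB figures are binary units and that the 0x400000-0x437000 region of PID 4000 is the one to carve a PE from; the 64KB region at 0x49D0000 also matched the family rule once but is too small to be the image.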