Overview

overview

10

Static

static

1

SOA..exe

windows7-x64

10

SOA..exe

windows10-2004-x64

10

Analysis

  • max time kernel
    143s
  • max time network
    127s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    28-03-2023 06:14

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    SOA..exe

  • Size

    283KB

  • MD5

    2fb4a6541352bc6ddef8ac5751572cca

  • SHA1

    0b256d3a9439252035f92280d359be04c176fc0a

  • SHA256

    d7c2fe9485b6c29fb527f162ecfdd6724db6fd1abca5ce08582e2860e998b3be

  • SHA512

    936486109ef67313a1d2c03a360ba430c979bab6f9235ca847d7788c67e88639baad471468491f749cc8370e00f1c04151578eebbc8b33a41727c9f9c3ba4782

  • SSDEEP

    6144:/Ya6dRGROV5Ap2Jv7FVnXGgerSZLaPPGQbS8pZEpLjimuL1XTJ66fC2nlkQ2G:/YDRG4bjjXG7rSeP+8pZEVWmW1DJ665V

Score
10/10
snakekeyloggercollectionkeyloggerspywarestealer

Malware Config

Signatures

  • Snake Keylogger

    Keylogger and Infostealer first seen in November 2020.

    stealerkeyloggersnakekeylogger
  • Snake Keylogger payload 5 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\SOA..exe
    "C:\Users\Admin\AppData\Local\Temp\SOA..exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4460
    • C:\Users\Admin\AppData\Local\Temp\uymcc.exe
      "C:\Users\Admin\AppData\Local\Temp\uymcc.exe" C:\Users\Admin\AppData\Local\Temp\kxdkptksntt.ees
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:1656
      • C:\Users\Admin\AppData\Local\Temp\uymcc.exe
        "C:\Users\Admin\AppData\Local\Temp\uymcc.exe"
        3⤵
        • Executes dropped EXE
        • Accesses Microsoft Outlook profiles
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • outlook_office_path
        • outlook_win_path
        PID:4000

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

3
T1081

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Data from Local System

3
T1005

Email Collection

1
T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\fwnsmyj.i
    Filesize

    225KB

    MD5

    9705247833db4cc9e0bb453bfc21e08f

    SHA1

    b14d668bd2844ef46177900a2bc7dfb958194783

    SHA256

    1b11ba49fa923478668bc09c29f94eaab78b4b9cd78600b0dcb9a216be2e6c2b

    SHA512

    e5179bbcdd79938de3668f2f5efc5667615131651b3311234c4541069e160421ce5cb563e3464029de87bf35b75d184f97f9816803540a511027439673155ac6

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\kxdkptksntt.ees
    Filesize

    5KB

    MD5

    9fc0a867c873ffc91c15f390a7fcacd1

    SHA1

    b00984a84ca303f653bd6cf4bf971d856cb1bdc9

    SHA256

    6685944851188c7c3a690338faef047b413eae06937b614fc620eed00dea7b65

    SHA512

    61beb816d03172084ef43b60c447e6942f0bf67245b5c0c3a270de1b6259c47850937efe6a2e86de1b7b55961d6e47ca551ef97bcab4411a52406e5755d37c6e

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\uymcc.exe
    Filesize

    138KB

    MD5

    6760af9a355ba5f55c38cafa1f392522

    SHA1

    28680b28ec195b70e174c56543bc0c2fbb798969

    SHA256

    fc11667bcf384a98a6552387516109f54fb607cb083ea688291d1f57afefb109

    SHA512

    5d19dfd4fab30da7ff116ba2ec8ba737cffb8b2b7349446fde4fba46f7aec44c77d7ad18ea7d3bc5b216cf26a66a8a66a2d9994af26db1e887329a8338f2f439

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\uymcc.exe
    Filesize

    138KB

    MD5

    6760af9a355ba5f55c38cafa1f392522

    SHA1

    28680b28ec195b70e174c56543bc0c2fbb798969

    SHA256

    fc11667bcf384a98a6552387516109f54fb607cb083ea688291d1f57afefb109

    SHA512

    5d19dfd4fab30da7ff116ba2ec8ba737cffb8b2b7349446fde4fba46f7aec44c77d7ad18ea7d3bc5b216cf26a66a8a66a2d9994af26db1e887329a8338f2f439

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\uymcc.exe
    Filesize

    138KB

    MD5

    6760af9a355ba5f55c38cafa1f392522

    SHA1

    28680b28ec195b70e174c56543bc0c2fbb798969

    SHA256

    fc11667bcf384a98a6552387516109f54fb607cb083ea688291d1f57afefb109

    SHA512

    5d19dfd4fab30da7ff116ba2ec8ba737cffb8b2b7349446fde4fba46f7aec44c77d7ad18ea7d3bc5b216cf26a66a8a66a2d9994af26db1e887329a8338f2f439

    Download Submit
  • memory/1656-140-0x0000000000580000-0x0000000000582000-memory.dmp
    Filesize

    8KB

    Download
  • memory/4000-148-0x0000000004F90000-0x000000000502C000-memory.dmp
    Filesize

    624KB

    Download
  • memory/4000-151-0x00000000049D0000-0x00000000049E0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/4000-145-0x0000000000400000-0x0000000000437000-memory.dmp
    Filesize

    220KB

    Download
  • memory/4000-147-0x00000000049E0000-0x0000000004F84000-memory.dmp
    Filesize

    5.6MB

    Download
  • memory/4000-142-0x0000000000400000-0x0000000000437000-memory.dmp
    Filesize

    220KB

    Download
  • memory/4000-149-0x0000000000400000-0x0000000000437000-memory.dmp
    Filesize

    220KB

    Download
  • memory/4000-150-0x00000000049D0000-0x00000000049E0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/4000-144-0x0000000000400000-0x0000000000437000-memory.dmp
    Filesize

    220KB

    Download
  • memory/4000-152-0x00000000049D0000-0x00000000049E0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/4000-153-0x0000000005B50000-0x0000000005D12000-memory.dmp
    Filesize

    1.8MB

    Download
  • memory/4000-154-0x0000000005D20000-0x0000000005DB2000-memory.dmp
    Filesize

    584KB

    Download
  • memory/4000-155-0x0000000005E30000-0x0000000005E3A000-memory.dmp
    Filesize

    40KB

    Download
  • memory/4000-157-0x00000000049D0000-0x00000000049E0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/4000-158-0x00000000049D0000-0x00000000049E0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/4000-159-0x00000000049D0000-0x00000000049E0000-memory.dmp
    Filesize

    64KB

    Download