Analysis
- max time kernel: 151s
- max time network: 149s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 20-01-2021 13:50
Static task: static1
Behavioral task: behavioral1
- Sample: C103-202005514-05,PDF.exe
- Resource: win7v20201028
Behavioral task: behavioral2
- Sample: C103-202005514-05,PDF.exe
- Resource: win10v20201028
General
- Target: C103-202005514-05,PDF.exe
- Size: 584KB
- MD5: eedd3f21579280588e987a0431315356
- SHA1: e4232454d3c2e86fedba56dbb0f83363dbfe96bf
- SHA256: cdc918638a38eb856105db8b22281142b5cc58f6538ad4e848e45d552332b5fd
- SHA512: f1934302099a9d9e45e9aeba3f7fea64fb15021888580bfbe2e21e3a7183e2e01919f2f36163a328480e6d89607baf8ac8ba7180f0975cb103c1e37850d79c64
Malware Config
Extracted
- Protocol: smtp
- Host: smtp.yandex.com
- Port: 587
- Username: smt.treat@yandex.com
- Password: WyhjVTBX5hjrgu7
Signatures
- Snake Keylogger
  Keylogger and Infostealer first seen in November 2020.
- Snake Keylogger Payload (3 IoCs)
  resource | yara_rule
  behavioral1/memory/1636-16-0x0000000000400000-0x000000000046A000-memory.dmp | family_snakekeylogger
  behavioral1/memory/1636-17-0x000000000046463E-mapping.dmp | family_snakekeylogger
  behavioral1/memory/1636-20-0x0000000000400000-0x000000000046A000-memory.dmp | family_snakekeylogger
- Drops startup file (2 IoCs)
  description | ioc | process
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\I$s#$lT3ssl.exe | Powershell.exe
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\I$s#$lT3ssl.exe | Powershell.exe
- Loads dropped DLL (5 IoCs)
  pid | process
  968 | WerFault.exe (5 identical rows)
- Looks up external IP address via web service (3 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow | ioc
  5 | checkip.dyndns.org
  16 | freegeoip.app
  17 | freegeoip.app
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). The sandbox's generic wording for this signature calls it likely ransomware behaviour; that is not supported by anything else in this report, which classifies the sample as Snake Keylogger, shows credential exfiltration over SMTP and records no encryption activity, so on its own this signature is not evidence of ransomware here.
- Suspicious use of SetThreadContext (1 IoC)
  description | pid | process | target process
  PID 2008 set thread context of 1636 | 2008 | C103-202005514-05,PDF.exe | RegAsm.exe
- Program crash (1 IoC)
  pid | pid_target | process | target process
  968 | 2008 | WerFault.exe | C103-202005514-05,PDF.exe
- Suspicious behavior: EnumeratesProcesses (8 IoCs)
  pid | process
  816 | Powershell.exe (2 identical rows)
  1636 | RegAsm.exe
  968 | WerFault.exe (5 identical rows)
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  description | pid | process
  Token: SeDebugPrivilege | 816 | Powershell.exe
  Token: SeDebugPrivilege | 1636 | RegAsm.exe
  Token: SeDebugPrivilege | 968 | WerFault.exe
- Suspicious use of WriteProcessMemory (20 IoCs)
  description | pid | process | target process
  PID 2008 wrote to memory of 816 | 2008 | C103-202005514-05,PDF.exe | Powershell.exe (4 identical rows)
  PID 2008 wrote to memory of 1636 | 2008 | C103-202005514-05,PDF.exe | RegAsm.exe (12 identical rows)
  PID 2008 wrote to memory of 968 | 2008 | C103-202005514-05,PDF.exe | WerFault.exe (4 identical rows)
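The SetThreadContext and WriteProcessMemory signatures above together describe the injection shape in this run: the dropper (PID 2008) writes twelve times into a freshly started RegAsm.exe (PID 1636) and then resets a thread context in it, while its four writes each into Powershell.exe and WerFault.exe carry no SetThreadContext. The following is an added example, not code from the sandbox or this report, showing how that pairing can be pulled out of API-call records automatically. The event list is constructed from the report's tables; the write threshold and the process table format are assumptions.

```python
"""Process-hollowing heuristic over sandbox-style API events (added example)."""
from collections import defaultdict

# Constructed from the report's "Suspicious use of WriteProcessMemory" (20 IoCs)
# and "Suspicious use of SetThreadContext" (1 IoC) tables:
# (api, source pid, target pid).
API_EVENTS = (
    [("WriteProcessMemory", 2008, 816)] * 4
    + [("WriteProcessMemory", 2008, 1636)] * 12
    + [("WriteProcessMemory", 2008, 968)] * 4
    + [("SetThreadContext", 2008, 1636)]
)

# Process table taken from the report's process tree (pid -> image name).
PROCESSES = {
    2008: "C103-202005514-05,PDF.exe",
    816: "Powershell.exe",
    1636: "RegAsm.exe",
    968: "WerFault.exe",
}

# Assumption: a handful of writes into a child is not interesting on its own
# (the report shows four writes each into Powershell.exe and WerFault.exe with
# no SetThreadContext); many writes plus a thread-context reset into a process
# running a different image is the hollowing shape we want to surface.
MIN_WRITES = 8


def find_hollowing(events, processes, min_writes=MIN_WRITES):
    """Return [(source_pid, target_pid, target_image, write_count)] for every
    source/target pair where the source wrote the target's memory at least
    min_writes times AND called SetThreadContext on it, and the two processes
    run different images. Pairs with writes but no context reset are ignored."""
    writes = defaultdict(int)
    context_resets = set()
    for api, src, dst in events:
        if api == "WriteProcessMemory":
            writes[(src, dst)] += 1
        elif api == "SetThreadContext":
            context_resets.add((src, dst))

    hits = []
    for (src, dst), count in sorted(writes.items()):
        if (src, dst) not in context_resets or count < min_writes:
            continue
        if processes.get(src) == processes.get(dst):
            continue  # same image re-launched; not the hollowing pattern
        hits.append((src, dst, processes.get(dst, "?"), count))
    return hits


if __name__ == "__main__":
    for src, dst, image, count in find_hollowing(API_EVENTS, PROCESSES):
        print(f"hollowing candidate: {src} -> {dst} ({image}): "
              f"{count} WriteProcessMemory calls + SetThreadContext")
```

Run against the report's events this yields exactly one candidate, 2008 -> 1636 (RegAsm.exe); the writes into Powershell.exe and WerFault.exe drop out because no thread context was ever reset in them. On a live EDR feed you would add the third leg of the pattern, a suspended CreateProcess followed by ResumeThread, which this report does not log.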
Processes
- C:\Users\Admin\AppData\Local\Temp\C103-202005514-05,PDF.exe (PID 2008)
  "C:\Users\Admin\AppData\Local\Temp\C103-202005514-05,PDF.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe (PID 816)
    "Powershell.exe" -ExecutionPolicy Bypass -command Copy-Item 'C:\Users\Admin\AppData\Local\Temp\C103-202005514-05,PDF.exe' 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\I$s#$lT3ssl.exe'
    - Drops startup file
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe (PID 1636)
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\WerFault.exe (PID 968)
    C:\Windows\SysWOW64\WerFault.exe -u -p 2008 -s 1036
    - Loads dropped DLL
    - Program crash
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
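The Powershell.exe command line in the tree above is the persistence step: Copy-Item places a renamed copy of the dropper in the user's Startup folder, with -ExecutionPolicy Bypass so no script policy gets in the way. Below is an added example, not part of the report, of a command-line check for that pattern. The first sample record is the report's own command; the other records are constructed for contrast, and the copy-verb list, the Startup-folder marker and the record layout are assumptions.

```python
"""Startup-folder persistence check over process command lines (added example)."""
import re

# Directory suffix that makes a dropped file run at logon, compared case-
# insensitively. Assumption: this one marker covers both the per-user path in
# the report and the all-users path under ProgramData.
STARTUP_MARKER = "\\microsoft\\windows\\start menu\\programs\\startup\\"

# Quoted arguments (PowerShell single quotes or double quotes).
QUOTED = re.compile(r"'([^']*)'|\"([^\"]*)\"")
# File copy/move verbs in PowerShell and cmd.exe (assumed list).
COPY_VERB = re.compile(r"\b(copy-item|move-item|copy|move|cp|mv|cpi)\b", re.I)
BYPASS = re.compile(r"-executionpolicy\s+bypass", re.I)

# Constructed sample of (pid, image, command line). Record 816 is the command
# from the report; the rest are made up to show what the rule must ignore.
SAMPLES = [
    (816, "Powershell.exe",
     "\"Powershell.exe\" -ExecutionPolicy Bypass -command Copy-Item "
     "'C:\\Users\\Admin\\AppData\\Local\\Temp\\C103-202005514-05,PDF.exe' "
     "'C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\I$s#$lT3ssl.exe'"),
    (1200, "Powershell.exe",  # only lists the folder: benign
     "\"Powershell.exe\" -command Get-ChildItem "
     "'C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\'"),
    (1300, "cmd.exe",  # cmd.exe copy into the all-users Startup folder
     "cmd.exe /c copy \"C:\\Temp\\updater.exe\" "
     "\"C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp\\updater.exe\""),
    (1400, "Powershell.exe",  # copy elsewhere: benign
     "\"Powershell.exe\" -command Copy-Item 'C:\\Temp\\a.txt' 'C:\\Temp\\b.txt'"),
]


def check_persistence(cmdline):
    """Return None when the command line does not write into a Startup folder,
    otherwise a dict with the dropped path, the source path if one precedes it,
    and whether -ExecutionPolicy Bypass was used."""
    paths = [single or double for single, double in QUOTED.findall(cmdline)]
    # A path that ends at the folder itself is a listing, not a file drop.
    targets = [p for p in paths
               if STARTUP_MARKER in p.lower() and not p.lower().endswith(STARTUP_MARKER)]
    if not targets or not COPY_VERB.search(cmdline):
        return None
    idx = paths.index(targets[0])
    source = paths[idx - 1] if idx > 0 and "\\" in paths[idx - 1] else None
    return {
        "startup_file": targets[0],
        "source": source,
        "execution_policy_bypass": bool(BYPASS.search(cmdline)),
    }


def scan(samples):
    """Run the check over (pid, image, cmdline) records; return the hits."""
    hits = []
    for pid, image, cmdline in samples:
        result = check_persistence(cmdline)
        if result:
            hits.append((pid, image, result))
    return hits


if __name__ == "__main__":
    for pid, image, result in scan(SAMPLES):
        print(pid, image, result)
```

The verb gate matters: without it the Get-ChildItem record would fire on the folder name alone. The check is deliberately narrow (quoted arguments only); a command line that passes the destination unquoted needs a tokenizer rather than the QUOTED regex.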
MITRE ATT&CK Matrix: ATT&CK v6
Downloads
- \Users\Admin\AppData\Local\Temp\C103-202005514-05,PDF.exe
  MD5: eedd3f21579280588e987a0431315356
  SHA1: e4232454d3c2e86fedba56dbb0f83363dbfe96bf
  SHA256: cdc918638a38eb856105db8b22281142b5cc58f6538ad4e848e45d552332b5fd
  SHA512: f1934302099a9d9e45e9aeba3f7fea64fb15021888580bfbe2e21e3a7183e2e01919f2f36163a328480e6d89607baf8ac8ba7180f0975cb103c1e37850d79c64
- memory/816-41-0x000000007EF30000-0x000000007EF31000-memory.dmp (4KB)
- memory/816-23-0x0000000004950000-0x0000000004951000-memory.dmp (4KB)
- memory/816-10-0x0000000000CA0000-0x0000000000CA1000-memory.dmp (4KB)
- memory/816-11-0x0000000004A60000-0x0000000004A61000-memory.dmp (4KB)
- memory/816-12-0x0000000004A20000-0x0000000004A21000-memory.dmp (4KB)
- memory/816-13-0x0000000004A22000-0x0000000004A23000-memory.dmp (4KB)
- memory/816-7-0x0000000000000000-mapping.dmp
- memory/816-15-0x0000000000D80000-0x0000000000D81000-memory.dmp (4KB)
- memory/816-8-0x0000000076641000-0x0000000076643000-memory.dmp (8KB)
- memory/816-40-0x0000000006280000-0x0000000006281000-memory.dmp (4KB)
- memory/816-33-0x0000000006160000-0x0000000006161000-memory.dmp (4KB)
- memory/816-32-0x00000000056B0000-0x00000000056B1000-memory.dmp (4KB)
- memory/816-26-0x0000000005660000-0x0000000005661000-memory.dmp (4KB)
- memory/816-9-0x0000000074BA0000-0x000000007528E000-memory.dmp (6.9MB)
- memory/968-42-0x0000000000000000-mapping.dmp
- memory/968-49-0x00000000003C0000-0x00000000003C1000-memory.dmp (4KB)
- memory/968-43-0x0000000002110000-0x0000000002121000-memory.dmp (68KB)
- memory/1636-19-0x0000000074BA0000-0x000000007528E000-memory.dmp (6.9MB)
- memory/1636-17-0x000000000046463E-mapping.dmp
- memory/1636-22-0x0000000004D50000-0x0000000004D51000-memory.dmp (4KB)
- memory/1636-20-0x0000000000400000-0x000000000046A000-memory.dmp (424KB)
- memory/1636-16-0x0000000000400000-0x000000000046A000-memory.dmp (424KB)
- memory/2008-2-0x0000000074BA0000-0x000000007528E000-memory.dmp (6.9MB)
- memory/2008-14-0x0000000000320000-0x000000000032F000-memory.dmp (60KB)
- memory/2008-6-0x00000000048C0000-0x00000000048C1000-memory.dmp (4KB)
- memory/2008-5-0x0000000001180000-0x00000000011F6000-memory.dmp (472KB)
- memory/2008-3-0x00000000012A0000-0x00000000012A1000-memory.dmp (4KB)
- memory/2008-28-0x0000000000710000-0x0000000000711000-memory.dmp (4KB)
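The dump names above encode the process, a sequence number and the address range of each captured region, and the three family_snakekeylogger hits in the Snake Keylogger Payload signature refer to the same names. The following is an added example, not part of the report, of a parser for that naming scheme: it recomputes each region's size from its addresses and checks it against the listed size, and it groups the YARA hits by process, which places the payload in RegAsm.exe (PID 1636) at 0x400000-0x46A000 with the flagged single address 0x46463E inside that range. The entries are copied from this page; the rounding used to print sizes is an assumption about how the report formats them.

```python
"""Parser for the sandbox's memory-dump names and YARA hit list (added example)."""
import re

DUMP_NAME = re.compile(
    r"memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"(?:-0x(?P<end>[0-9A-Fa-f]+))?-(?P<kind>memory|mapping)\.dmp$"
)

# Copied from the report's Downloads list: (dump name, listed size, or None for
# mapping dumps, which carry a single address and no size).
DUMPS = [
    ("memory/1636-16-0x0000000000400000-0x000000000046A000-memory.dmp", "424KB"),
    ("memory/1636-17-0x000000000046463E-mapping.dmp", None),
    ("memory/1636-20-0x0000000000400000-0x000000000046A000-memory.dmp", "424KB"),
    ("memory/968-43-0x0000000002110000-0x0000000002121000-memory.dmp", "68KB"),
    ("memory/2008-5-0x0000000001180000-0x00000000011F6000-memory.dmp", "472KB"),
    ("memory/2008-14-0x0000000000320000-0x000000000032F000-memory.dmp", "60KB"),
    ("memory/2008-2-0x0000000074BA0000-0x000000007528E000-memory.dmp", "6.9MB"),
]

# The three hits from the report's "Snake Keylogger Payload" signature.
YARA_HITS = {
    "behavioral1/memory/1636-16-0x0000000000400000-0x000000000046A000-memory.dmp": "family_snakekeylogger",
    "behavioral1/memory/1636-17-0x000000000046463E-mapping.dmp": "family_snakekeylogger",
    "behavioral1/memory/1636-20-0x0000000000400000-0x000000000046A000-memory.dmp": "family_snakekeylogger",
}


def parse_dump(name):
    """Split a dump name into pid, sequence number, start/end address and kind."""
    m = DUMP_NAME.search(name)
    if not m:
        raise ValueError(f"unrecognised dump name: {name}")
    start = int(m["start"], 16)
    end = int(m["end"], 16) if m["end"] else None
    return {"pid": int(m["pid"]), "seq": int(m["seq"]), "start": start,
            "end": end, "kind": m["kind"], "size": end - start if end else None}


def human_size(nbytes):
    """Assumed report formatting: whole KB below 1 MB, one decimal MB above."""
    if nbytes < 1024 * 1024:
        return f"{nbytes // 1024}KB"
    return f"{nbytes / (1024 * 1024):.1f}MB"


def check_sizes(dumps):
    """Recompute each region's size from its address range and compare it with
    the size the report lists. Returns [(name, computed, listed, matches)]."""
    out = []
    for name, listed in dumps:
        d = parse_dump(name)
        if d["size"] is None:
            continue
        computed = human_size(d["size"])
        out.append((name, computed, listed, computed == listed))
    return out


def payload_regions(yara_hits):
    """Group family hits by pid: the (start, end) ranges of region dumps and the
    single addresses of mapping dumps, so the payload can be pulled from the
    right process at the right base."""
    out = {}
    for name, family in yara_hits.items():
        d = parse_dump(name)
        rec = out.setdefault(d["pid"], {"family": family, "regions": set(), "addresses": set()})
        if d["kind"] == "memory":
            rec["regions"].add((d["start"], d["end"]))
        else:
            rec["addresses"].add(d["start"])
    return out


def addresses_inside_regions(rec):
    """True when every flagged single address lies within a flagged region."""
    return all(any(s <= a < e for s, e in rec["regions"]) for a in rec["addresses"])


if __name__ == "__main__":
    for name, computed, listed, ok in check_sizes(DUMPS):
        print(f"{'ok ' if ok else 'BAD'} {name}: computed {computed}, listed {listed}")
    for pid, rec in payload_regions(YARA_HITS).items():
        print(pid, rec["family"], [f"0x{s:X}-0x{e:X}" for s, e in rec["regions"]],
              [f"0x{a:X}" for a in rec["addresses"]], addresses_inside_regions(rec))
```

All seven listed sizes reproduce from the address ranges (0x46A000 - 0x400000 = 0x6A000 bytes = 424KB, and so on), and the only process with family hits is 1636, i.e. the hollowed RegAsm.exe, so that 424KB region is the one to carve when you want the unpacked payload rather than the 584KB dropper.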