Analysis
- Max time kernel: 56s
- Max time network: 135s
- Platform: windows10_x64
- Resource: win10v20210408
- Submitted: 23-06-2021 14:32
- Static task: static1
- Behavioral task: behavioral1
  Sample: 2021 Repeat Order.PDF File.exe
  Resource: win7v20210410
- Behavioral task: behavioral2
  Sample: 2021 Repeat Order.PDF File.exe
  Resource: win10v20210408
General
- Target: 2021 Repeat Order.PDF File.exe
- Size: 1.0MB
- MD5: 2cae2254b4ab9773f185fb638a9c31a4
- SHA1: 912bba120433bdff00cf34007ca11b23e511d561
- SHA256: 0a37b966b67a5ae6f09f284f453bf83944916dec7f8676be4a712cc92a3fc186
- SHA512: 32377ef9c2f5699a8bd40e08c4001d1bb3edf0faaf7ad71f9d0fe67cfc01289f729b79f0b5120a676debc12850480efe368ab3d4ca5a9c24b83a430f4f8030c8
Malware Config
Extracted
- Family: snakekeylogger
- Protocol: smtp
- Host: smtp.yandex.ru
- Port: 587
- Username: saintmoni@yandex.ru
- Password: babaanu12345
Signatures
- Snake Keylogger
  Keylogger and Infostealer first seen in November 2020.
- Looks up external IP address via web service (1 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes:
    flow 15: ioc checkip.dyndns.org
- Suspicious use of SetThreadContext (1 IoCs)
  Processes:
    PID 808 set thread context of 1416: process 2021 Repeat Order.PDF File.exe (pid 808), target process 2021 Repeat Order.PDF File.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Program crash (1 IoCs)
  Processes:
    WerFault.exe (pid 2144), pid_target 1416, target process 2021 Repeat Order.PDF File.exe
- Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses (15 IoCs)
  Processes:
    pid 1416, 2021 Repeat Order.PDF File.exe (1 event)
    pid 2144, WerFault.exe (14 events)
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  Processes:
    Token: SeDebugPrivilege, pid 1416, 2021 Repeat Order.PDF File.exe
    Token: SeRestorePrivilege, pid 2144, WerFault.exe
    Token: SeBackupPrivilege, pid 2144, WerFault.exe
    Token: SeDebugPrivilege, pid 2144, WerFault.exe
- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes:
    PID 808 wrote to memory of 1308: process 2021 Repeat Order.PDF File.exe, target process schtasks.exe (3 events)
    PID 808 wrote to memory of 1416: process 2021 Repeat Order.PDF File.exe, target process 2021 Repeat Order.PDF File.exe (8 events)
Processes
- C:\Users\Admin\AppData\Local\Temp\2021 Repeat Order.PDF File.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\2021 Repeat Order.PDF File.exe"
  Signatures: Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\schtasks.exe (depth 2)
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lpdrbXVhXwsgB" /XML "C:\Users\Admin\AppData\Local\Temp\tmp3E23.tmp"
    Signatures: Creates scheduled task(s)
  - C:\Users\Admin\AppData\Local\Temp\2021 Repeat Order.PDF File.exe (depth 2)
    Command line: "{path}"
    Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\WerFault.exe (depth 3)
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1416 -s 1428
      Signatures: Program crash; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\2021 Repeat Order.PDF File.exe.log
  MD5: c3cc52ccca9ff2b6fa8d267fc350ca6b
  SHA1: a68d4028333296d222e4afd75dea36fdc98d05f3
  SHA256: 3125b6071e2d78f575a06ed7ac32a83d9262ae64d1fa81ac43e8bfc1ef157c0e
  SHA512: b0c7b2501b1a2c559795a9d178c0bbda0e03cbdbaaa2c4330ac1202a55373fe1b742078adcfa915bd6e805565a2daa6d35d64ef7a14ffcd09069f9ea6a691cc7
- C:\Users\Admin\AppData\Local\Temp\tmp3E23.tmp
  MD5: e9403505935e0b58849e6b1a4ef8a4a5
  SHA1: 0b093b45173da92b197d5e9fdf1c23e310dacad1
  SHA256: 6e126022290fa0bc67ef17a04372dce3245c8dc05cf5768603f2a4eafd802ca5
  SHA512: eee8b394c8f275f20d1f138fce2f2d9d5967f609911c14623892d242604b555d2c6127978f9e69c851d4251904c7189d4f9f427dbc8b0e23497f68e8c6c6b2e3