Analysis
- max time kernel: 142s
- max time network: 145s
- platform: windows10_x64
- resource: win10v20210408
- submitted: 23-06-2021 14:31

Static task: static1
Behavioral task: behavioral1
  Sample: 2021 Repeat Order.PDF File.exe
  Resource: win7v20210410
Behavioral task: behavioral2
  Sample: 2021 Repeat Order.PDF File.exe
  Resource: win10v20210408
General
- Target: 2021 Repeat Order.PDF File.exe
- Size: 1.0MB
- MD5: 2cae2254b4ab9773f185fb638a9c31a4
- SHA1: 912bba120433bdff00cf34007ca11b23e511d561
- SHA256: 0a37b966b67a5ae6f09f284f453bf83944916dec7f8676be4a712cc92a3fc186
- SHA512: 32377ef9c2f5699a8bd40e08c4001d1bb3edf0faaf7ad71f9d0fe67cfc01289f729b79f0b5120a676debc12850480efe368ab3d4ca5a9c24b83a430f4f8030c8
Malware Config
Extracted
- Protocol: smtp
- Host: smtp.yandex.ru
- Port: 587
- Username: saintmoni@yandex.ru
- Password: babaanu12345
Extracted (snakekeylogger)
- Protocol: smtp
- Host: smtp.yandex.ru
- Port: 587
- Username: saintmoni@yandex.ru
- Password: babaanu12345
Signatures
-
Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
IoCs (flow: ioc):
- 14: checkip.dyndns.org
- 17: freegeoip.app
- 18: freegeoip.app
-
Suspicious use of SetThreadContext 1 IoCs
Processes (description, pid, process, target process):
- PID 3628 set thread context of 2096: 2021 Repeat Order.PDF File.exe -> 2021 Repeat Order.PDF File.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
Processes (pid, process):
- 3628 2021 Repeat Order.PDF File.exe
- 3628 2021 Repeat Order.PDF File.exe
- 2096 2021 Repeat Order.PDF File.exe
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes (description, pid, process):
- Token: SeDebugPrivilege 3628 2021 Repeat Order.PDF File.exe
- Token: SeDebugPrivilege 2096 2021 Repeat Order.PDF File.exe
-
Suspicious use of WriteProcessMemory 14 IoCs
Processes (description, pid, process, target process):
- PID 3628 wrote to memory of 3156: 2021 Repeat Order.PDF File.exe -> schtasks.exe (3 events)
- PID 3628 wrote to memory of 3760: 2021 Repeat Order.PDF File.exe -> 2021 Repeat Order.PDF File.exe (3 events)
- PID 3628 wrote to memory of 2096: 2021 Repeat Order.PDF File.exe -> 2021 Repeat Order.PDF File.exe (8 events)
Processes
- C:\Users\Admin\AppData\Local\Temp\2021 Repeat Order.PDF File.exe
  "C:\Users\Admin\AppData\Local\Temp\2021 Repeat Order.PDF File.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lpdrbXVhXwsgB" /XML "C:\Users\Admin\AppData\Local\Temp\tmpB859.tmp"
    - Creates scheduled task(s)
  - C:\Users\Admin\AppData\Local\Temp\2021 Repeat Order.PDF File.exe
    "{path}"
  - C:\Users\Admin\AppData\Local\Temp\2021 Repeat Order.PDF File.exe
    "{path}"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\2021 Repeat Order.PDF File.exe.log
  MD5: c3cc52ccca9ff2b6fa8d267fc350ca6b
  SHA1: a68d4028333296d222e4afd75dea36fdc98d05f3
  SHA256: 3125b6071e2d78f575a06ed7ac32a83d9262ae64d1fa81ac43e8bfc1ef157c0e
  SHA512: b0c7b2501b1a2c559795a9d178c0bbda0e03cbdbaaa2c4330ac1202a55373fe1b742078adcfa915bd6e805565a2daa6d35d64ef7a14ffcd09069f9ea6a691cc7
-
C:\Users\Admin\AppData\Local\Temp\tmpB859.tmp
  MD5: e9403505935e0b58849e6b1a4ef8a4a5
  SHA1: 0b093b45173da92b197d5e9fdf1c23e310dacad1
  SHA256: 6e126022290fa0bc67ef17a04372dce3245c8dc05cf5768603f2a4eafd802ca5
  SHA512: eee8b394c8f275f20d1f138fce2f2d9d5967f609911c14623892d242604b555d2c6127978f9e69c851d4251904c7189d4f9f427dbc8b0e23497f68e8c6c6b2e3
-
memory/2096-134-0x0000000006A10000-0x0000000006A70000-memory.dmp
  Filesize: 384KB
-
memory/2096-133-0x00000000057B0000-0x00000000057B1000-memory.dmp
  Filesize: 4KB
-
memory/2096-127-0x000000000044320E-mapping.dmp
-
memory/2096-126-0x0000000000400000-0x0000000000448000-memory.dmp
  Filesize: 288KB
-
memory/3156-124-0x0000000000000000-mapping.dmp
-
memory/3628-119-0x0000000004AC0000-0x0000000004B52000-memory.dmp
  Filesize: 584KB
-
memory/3628-123-0x00000000069A0000-0x0000000006A02000-memory.dmp
  Filesize: 392KB
-
memory/3628-122-0x00000000068B0000-0x000000000695E000-memory.dmp
  Filesize: 696KB
-
memory/3628-121-0x0000000004CC0000-0x0000000004CC2000-memory.dmp
  Filesize: 8KB
-
memory/3628-120-0x0000000004B40000-0x0000000004B41000-memory.dmp
  Filesize: 4KB
-
memory/3628-114-0x00000000001E0000-0x00000000001E1000-memory.dmp
  Filesize: 4KB
-
memory/3628-118-0x0000000004D40000-0x0000000004D41000-memory.dmp
  Filesize: 4KB
-
memory/3628-117-0x0000000004B60000-0x0000000004B61000-memory.dmp
  Filesize: 4KB
-
memory/3628-116-0x00000000051A0000-0x00000000051A1000-memory.dmp
  Filesize: 4KB