Analysis

- Max time kernel: 46s
- Max time network: 192s
- Platform: windows7_x64
- Resource: win7v20210410
- Submitted: 22-07-2021 12:09
Tasks

- Static task: static1
- Behavioral task: behavioral1
  Sample: Scan003000494 pdf.exe
  Resource: win7v20210410
- Behavioral task: behavioral2
  Sample: Scan003000494 pdf.exe
  Resource: win10v20210410
General

- Target: Scan003000494 pdf.exe
- Size: 522KB
- MD5: 88fba5ee75304db402d27f5528bbadc9
- SHA1: f236266e0adc847c9b8cbd5e3fd5855557fcaef3
- SHA256: e85b47fdc03f66a6fe5f7c46240c0a1d441715dd99a5f4b12053b3c7e1329359
- SHA512: 56258600c5d07cbbf4275ec93b42d2ce391419d40f49f8a3271a6c36660991ff293e7da831f3d43aee2488c416194fabdee3b3d895cc47b1c02f7df6d0f69989
Malware Config

Extracted: snakekeylogger
- Protocol: smtp
- Host: mail.shopalldealsnow.com
- Port: 25
- Username: [email protected]
- Password: xB&jr&O+iYP@

The extracted config is the exfiltration channel: the stealer sends what it collects by SMTP to the mailbox above over TCP/25. The host and account are the network IoCs to block, and outbound TCP/25 from user workstations to that host is the traffic to hunt for.
Signatures

- Snake Keylogger
  Keylogger and infostealer first seen in November 2020.

- Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.

- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk, where infostealers often target it.

- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials.

- Looks up external IP address via web service (3 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Network flows:
    flow 5: checkip.dyndns.org
    flow 9: freegeoip.app
    flow 10: freegeoip.app

- Suspicious use of SetThreadContext (1 IoC)
  Processes:
    PID 288 (Scan003000494 pdf.exe) set thread context of PID 888 (Scan003000494 pdf.exe)
  Read together with the WriteProcessMemory entries below, this is the hand-off from loader to payload: 288 writes into a freshly started copy of its own image and redirects its thread, and 888 is then the process that calls SetWindowsHookEx, the API a keylogger uses to capture input.

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Commonly associated with ransomware, but infostealers also enumerate drives; no other signature in this report indicates ransomware behaviour.

- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.

- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  Processes:
    PID 288 (Scan003000494 pdf.exe), 3 entries
    PID 888 (Scan003000494 pdf.exe), 1 entry

- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes:
    PID 288 (Scan003000494 pdf.exe): Token: SeDebugPrivilege
    PID 888 (Scan003000494 pdf.exe): Token: SeDebugPrivilege

- Suspicious use of SetWindowsHookEx (1 IoC)
  Processes:
    PID 888 (Scan003000494 pdf.exe)

- Suspicious use of WriteProcessMemory (17 IoCs)
  Processes (source -> target):
    PID 288 (Scan003000494 pdf.exe) wrote to memory of PID 768 (schtasks.exe), 4 entries
    PID 288 (Scan003000494 pdf.exe) wrote to memory of PID 848 (Scan003000494 pdf.exe), 4 entries
    PID 288 (Scan003000494 pdf.exe) wrote to memory of PID 888 (Scan003000494 pdf.exe), 9 entries
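The WriteProcessMemory and SetThreadContext tables above record the parent (PID 288) writing into two copies of its own image and redirecting one of them (PID 888), which then installs a Windows hook. The Python below is an added example, not code from the sandbox or from the sample: it rebuilds those events as records (PIDs, image names, API names and counts are taken from the report; the record layout and function names are this example's own) and applies the correlation an EDR rule would, so that a reader can see why 888, and not 848 or 768, is the process to dump.

```python
"""Flag the self-injection chain recorded in the report's signature tables.

Added example, not code from the sandbox or from the sample. The event
records are constructed from the PIDs, image names and API names listed
under "Suspicious use of WriteProcessMemory / SetThreadContext /
SetWindowsHookEx"; the record layout is this example's own.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

SAMPLE = "Scan003000494 pdf.exe"


@dataclass(frozen=True)
class ApiEvent:
    api: str                          # WriteProcessMemory | SetThreadContext | SetWindowsHookEx
    pid: int                          # calling process
    image: str                        # calling process image name
    target_pid: Optional[int] = None  # for cross-process calls
    target_image: Optional[str] = None


# Constructed from the report: 288 writes 4x into 768 (schtasks.exe), 4x into
# 848 and 9x into 888 (both copies of its own image), sets the thread context
# of 888, and 888 then installs a Windows hook.
EVENTS: List[ApiEvent] = (
    [ApiEvent("WriteProcessMemory", 288, SAMPLE, 768, "schtasks.exe")] * 4
    + [ApiEvent("WriteProcessMemory", 288, SAMPLE, 848, SAMPLE)] * 4
    + [ApiEvent("WriteProcessMemory", 288, SAMPLE, 888, SAMPLE)] * 9
    + [ApiEvent("SetThreadContext", 288, SAMPLE, 888, SAMPLE),
       ApiEvent("SetWindowsHookEx", 888, SAMPLE)]
)


def find_hollowing(events: List[ApiEvent]) -> Dict[Tuple[int, int], int]:
    """(writer_pid, target_pid) -> number of writes, for targets that the same
    parent both wrote into and redirected with SetThreadContext, and whose
    image matches the writer's: the hollow-a-child-of-yourself pattern."""
    writes: Dict[Tuple[int, int], int] = defaultdict(int)
    same_image = set()
    ctx = set()
    for e in events:
        key = (e.pid, e.target_pid)
        if e.api == "WriteProcessMemory":
            writes[key] += 1
            if e.image == e.target_image:
                same_image.add(key)
        elif e.api == "SetThreadContext":
            ctx.add(key)
    return {k: n for k, n in writes.items() if k in ctx and k in same_image}


def find_hooking_children(events: List[ApiEvent], hollowed) -> List[int]:
    """Hollowed children that go on to call SetWindowsHookEx: the process
    that actually runs the keylogger payload."""
    hollowed_pids = {t for _, t in hollowed}
    return sorted({e.pid for e in events
                   if e.api == "SetWindowsHookEx" and e.pid in hollowed_pids})


def triage(events: List[ApiEvent]) -> dict:
    hollowed = find_hollowing(events)
    written = {e.target_pid for e in events if e.api == "WriteProcessMemory"}
    return {
        "hollowed": {f"{p}->{t}": n for (p, t), n in hollowed.items()},
        # Written into but never redirected: process-start plumbing or an
        # injection that did not complete. Worth a look, but not the payload.
        "written_not_hollowed": sorted(written - {t for _, t in hollowed}),
        "hooking_children": find_hooking_children(events, hollowed),
    }


if __name__ == "__main__":
    print(triage(EVENTS))
```

Run stand-alone it reports 288->888 as the hollowed pair with nine writes, 768 and 848 as written-but-not-redirected, and 888 as the hooking child. The same three-step correlation (same-image child, WriteProcessMemory, SetThreadContext from one parent) is what to encode in an EDR or Sysmon-based rule; the write count alone is a poor signal, since process creation also writes into the child.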
Processes

- C:\Users\Admin\AppData\Local\Temp\Scan003000494 pdf.exe (PID 288)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Scan003000494 pdf.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Children:
  - C:\Windows\SysWOW64\schtasks.exe (PID 768)
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AkibryvoCZQBUq" /XML "C:\Users\Admin\AppData\Local\Temp\tmp44CD.tmp"
    The System32 path in the command line resolves to SysWOW64 on disk because the 32-bit parent is subject to WoW64 file system redirection.
    - Creates scheduled task(s)
  - C:\Users\Admin\AppData\Local\Temp\Scan003000494 pdf.exe (PID 848)
    Command line: "{path}"
  - C:\Users\Admin\AppData\Local\Temp\Scan003000494 pdf.exe (PID 888)
    Command line: "{path}"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
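The schtasks invocation in the process tree above is the persistence step: the task definition is dropped as a tmpXXXX.tmp file in %TEMP% and registered under a bland Updates\ folder, by a parent that itself runs from %TEMP%. The Python below is an added example, not code from the sandbox or from the sample: it parses that command line the way a detection rule would (case-insensitive switches, value in the next token, Windows double-quoting) and scores it. The command line and parent path are copied from the report; the scoring heuristics, regexes and function names are this example's own assumptions.

```python
"""Parse the schtasks.exe command line from the process tree and score it for
the persistence pattern this report shows.

Added example, not code from the sandbox or the sample. The command line and
parent image path are copied from the report; the scoring heuristics and
thresholds are this example's own assumptions.
"""
import re
import shlex
from pathlib import PureWindowsPath
from typing import Dict, List, Optional

# Copied from the report's process tree.
SCHTASKS_CMD = (
    r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AkibryvoCZQBUq" '
    r'/XML "C:\Users\Admin\AppData\Local\Temp\tmp44CD.tmp"'
)
PARENT_IMAGE = r"C:\Users\Admin\AppData\Local\Temp\Scan003000494 pdf.exe"

TEMP_DIR_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
TEMPFILE_RE = re.compile(r"tmp[0-9a-f]{4}\.tmp", re.IGNORECASE)  # GetTempFileName() output


def parse_schtasks(cmdline: str) -> Dict[str, Optional[object]]:
    """Return {'create', 'tn', 'xml'}. schtasks switches are case-insensitive
    and take their value from the next token."""
    lexer = shlex.shlex(cmdline, posix=True)
    lexer.whitespace_split = True  # split on whitespace only, honouring quotes
    lexer.escape = ""              # no backslash escapes: keep C:\Windows intact
    tokens = list(lexer)
    parsed: Dict[str, Optional[object]] = {"create": False, "tn": None, "xml": None}
    for i, tok in enumerate(tokens):
        low = tok.lower()
        if low == "/create":
            parsed["create"] = True
        elif low in ("/tn", "/xml") and i + 1 < len(tokens):
            parsed[low[1:]] = tokens[i + 1]
    return parsed


def score_task(parsed: Dict[str, Optional[object]], parent_image: Optional[str]) -> List[str]:
    """Reasons this task registration looks like malware persistence. An empty
    list means nothing matched (e.g. /Query, or an installer registering a
    task from Program Files)."""
    reasons: List[str] = []
    if not parsed["create"]:
        return reasons
    xml = parsed["xml"]
    if isinstance(xml, str):
        if TEMP_DIR_RE.search(xml):
            reasons.append("task XML read from %TEMP%")
        if TEMPFILE_RE.fullmatch(PureWindowsPath(xml).name):
            reasons.append("task XML has a GetTempFileName-style tmpXXXX.tmp name")
    if parent_image and TEMP_DIR_RE.search(parent_image):
        reasons.append("schtasks launched by a process running from %TEMP%")
    tn = parsed["tn"] if isinstance(parsed["tn"], str) else ""
    folder, _, name = tn.rpartition("\\")
    # Heuristic (this example's assumption): a bland folder plus a long,
    # mixed-case, letters-only task name with no separators.
    if (folder.lower() in ("updates", "update")
            and re.fullmatch(r"[A-Za-z]{10,}", name)
            and name != name.lower() and name != name.upper()):
        reasons.append("generic 'Updates' folder with random-looking task name")
    return reasons


if __name__ == "__main__":
    parsed = parse_schtasks(SCHTASKS_CMD)
    print(parsed)
    for reason in score_task(parsed, PARENT_IMAGE):
        print(" -", reason)
```

For the report's command line all four heuristics fire. In a real deployment the XML itself (tmp44CD.tmp, hashed under Downloads below) is the artifact to collect before the sample deletes it, since it names the binary the task will relaunch.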
Network
MITRE ATT&CK Enterprise v6
Downloads

- C:\Users\Admin\AppData\Local\Temp\tmp44CD.tmp (the task XML passed to schtasks /XML above)
  MD5: c8954e9f2d17d707016031207cec16ad
  SHA1: 544765e71c981f8ddf41aa4070c7e7f6836c6652
  SHA256: f448c7c6a073fc47467180332f1a030cc76041b1e3b2bcba6364ce125e6f0d5d
  SHA512: 610a7bdbec0f9fc215c9af00535665584081c55e2e819635b094ad725c8d34c16cd914c5466fe3d0b6fa3d018cb14bd09dacc6afb6931493fe5141c51fd08213

Memory dumps:
- memory/288-59-0x0000000000830000-0x0000000000831000-memory.dmp (4KB)
- memory/288-61-0x0000000001DC0000-0x0000000001E05000-memory.dmp (276KB)
- memory/288-62-0x0000000004970000-0x0000000004971000-memory.dmp (4KB)
- memory/288-63-0x0000000001CE0000-0x0000000001CE2000-memory.dmp (8KB)
- memory/288-64-0x0000000004A10000-0x0000000004A79000-memory.dmp (420KB)
- memory/288-65-0x0000000002090000-0x00000000020B0000-memory.dmp (128KB)
- memory/768-66-0x0000000000000000-mapping.dmp
- memory/888-68-0x0000000000400000-0x0000000000424000-memory.dmp (144KB)
- memory/888-69-0x000000000041F94E-mapping.dmp
- memory/888-70-0x0000000000400000-0x0000000000424000-memory.dmp (144KB)
- memory/888-72-0x00000000049D0000-0x00000000049D1000-memory.dmp (4KB)

The two 0x400000-0x424000 dumps from PID 888 cover the image region of the child that PID 288 wrote into and redirected with SetThreadContext; the mapping at 0x41F94E falls inside it. These are the dumps to carve for the unpacked payload rather than the on-disk 522KB sample.