Analysis
- max time kernel: 149s
- max time network: 151s
- platform: windows7_x64
- resource: win7v20210408
- submitted: 28-09-2021 05:49
Static task: static1
Behavioral task: behavioral1
  Sample: RFQ Document.exe
  Resource: win7v20210408
Behavioral task: behavioral2
  Sample: RFQ Document.exe
  Resource: win10-en-20210920
General
- Target: RFQ Document.exe
- Size: 336KB
- MD5: 64468b2ab541687572ce6b435b41f2bd
- SHA1: 893ae234d351c762ab388a7337c625e4b213da6e
- SHA256: d3ac98cf64ca2fca455b2e4f002c3381bcee699cf64bbfaa076222209f834b1a
- SHA512: 317c14df6c6d1dd3b120a28743eface80474d7140515d61d0a00c326a923f56c71d7135907e2c2d5f17cba1b5746bb19ae5262cf656a098ebd94adba82cc2db8
Malware Config
- Extracted: snakekeylogger
  https://api.telegram.org/bot1926537393:AAHGSUhtLeQU8qms_2blDH9qpvo-fEuwi9E/sendMessage?chat_id=1664748411
Signatures
- Snake Keylogger
  Keylogger and Infostealer first seen in November 2020.
- Loads dropped DLL (1 IoC)
  Processes:
    pid   process
    1828  RFQ Document.exe
- Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.
- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk where infostealers will often target it.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Looks up external IP address via web service (3 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes:
    flow  ioc
    8     freegeoip.app
    9     freegeoip.app
    4     checkip.dyndns.org
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
    description                          pid   process           target process
    PID 1828 set thread context of 1868  1828  RFQ Document.exe  RFQ Document.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  Processes:
    pid   process
    1868  RFQ Document.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
    description              pid   process
    Token: SeDebugPrivilege  1868  RFQ Document.exe
- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes (11 identical entries):
    description                       pid   process           target process
    PID 1828 wrote to memory of 1868  1828  RFQ Document.exe  RFQ Document.exe
Processes
1. "C:\Users\Admin\AppData\Local\Temp\RFQ Document.exe"
   - Loads dropped DLL
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory
2. "C:\Users\Admin\AppData\Local\Temp\RFQ Document.exe" (child of 1)
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- \Users\Admin\AppData\Local\Temp\nsl9EA0.tmp\tkwj.dll
  MD5: a4b645ed197074158d7159bd47fa101b
  SHA1: e50e421afba9603d2e57137ff72aca6256c14cf1
  SHA256: 15aef55d8e9f0d4ad435e111dc346fdeb294a77ea06b8b053424b11c3cd6fbcd
  SHA512: 3cc5e9fd59dfd4e40f691d3de9f5b9c809f5c4a3643d03606133cc608619923f96e4058598572bc716bfae70173c50afdd74c32a1d258ab036f3da847eb86155
- memory/1828-60-0x00000000762C1000-0x00000000762C3000-memory.dmp (Filesize: 8KB)
- memory/1868-62-0x0000000000400000-0x000000000044B000-memory.dmp (Filesize: 300KB)
- memory/1868-63-0x000000000040188B-mapping.dmp
- memory/1868-65-0x0000000000400000-0x000000000044B000-memory.dmp (Filesize: 300KB)
- memory/1868-66-0x0000000001E10000-0x0000000001E46000-memory.dmp (Filesize: 216KB)
- memory/1868-69-0x0000000004542000-0x0000000004543000-memory.dmp (Filesize: 4KB)
- memory/1868-68-0x0000000004541000-0x0000000004542000-memory.dmp (Filesize: 4KB)
- memory/1868-70-0x0000000004543000-0x0000000004544000-memory.dmp (Filesize: 4KB)
- memory/1868-71-0x0000000004544000-0x0000000004545000-memory.dmp (Filesize: 4KB)