Analysis
- max time kernel: 120s
- max time network: 168s
- platform: windows7_x64
- resource: win7-en-20210920
- submitted: 20-10-2021 19:46
Static task: static1
Behavioral task: behavioral1
  Sample: ISO-77002387418311pdf.exe
  Resource: win7-en-20210920
Behavioral task: behavioral2
  Sample: ISO-77002387418311pdf.exe
  Resource: win10-en-20211014
General
- Target: ISO-77002387418311pdf.exe
- Size: 858KB
- MD5: 2ea15aa68317ad61bdcff453f0750281
- SHA1: 10bfcd418e65f26a49f8c8c589352872d32d0492
- SHA256: 20351bfb18a4c774795e240a1a143754493ce9c89edf007c5cb110e4bce447a9
- SHA512: 5b92dfebaffc4c4fefd0ea0bbd85f6add5480f4039d5b940e26c2ade527719e73acf77302bf5853864d7ed0243af09b2f15b58312d1c0a6f62e6bae29c01b7e8
Malware Config
Extracted: snakekeylogger
- Protocol: smtp
- Host: restd.xyz
- Port: 587
- Username: amp@netjul.club
- Password: gg@6{ZL65h,*
Signatures
-
Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
-
Executes dropped EXE (1 IoCs)
Processes: dfxzdg.exe
  pid   process
  628   dfxzdg.exe
-
Uses the VBS compiler for execution (1 TTPs)
-
Accesses Microsoft Outlook profiles (1 TTPs, 6 IoCs)
Processes: vbc.exe, vbc.exe
  description   ioc   process
  Key opened   \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676   vbc.exe
  Key opened   \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676   vbc.exe
  Key opened   \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676   vbc.exe
  Key opened   \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676   vbc.exe
  Key opened   \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676   vbc.exe
  Key opened   \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676   vbc.exe
-
Looks up external IP address via web service (4 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
  flow   ioc
  4      checkip.dyndns.org
  8      freegeoip.app
  9      freegeoip.app
  14     freegeoip.app
-
Suspicious use of SetThreadContext (2 IoCs)
Processes: ISO-77002387418311pdf.exe, dfxzdg.exe
  description                           pid    process                      target process
  PID 1428 set thread context of 592    1428   ISO-77002387418311pdf.exe    vbc.exe
  PID 628 set thread context of 932     628    dfxzdg.exe                   vbc.exe
-
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) (1 TTPs, 2 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes: schtasks.exe, schtasks.exe
  pid    process
  1420   schtasks.exe
  1748   schtasks.exe
-
Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes: vbc.exe, vbc.exe
  pid   process
  592   vbc.exe
  932   vbc.exe
-
Suspicious use of AdjustPrivilegeToken (4 IoCs)
Processes: ISO-77002387418311pdf.exe, vbc.exe, dfxzdg.exe, vbc.exe
  description               pid    process
  Token: SeDebugPrivilege   1428   ISO-77002387418311pdf.exe
  Token: SeDebugPrivilege   592    vbc.exe
  Token: SeDebugPrivilege   628    dfxzdg.exe
  Token: SeDebugPrivilege   932    vbc.exe
-
Suspicious use of WriteProcessMemory (46 IoCs)
Processes: ISO-77002387418311pdf.exe, cmd.exe, taskeng.exe, dfxzdg.exe, cmd.exe
(The 46 rows repeat nine distinct parent/child pairs; the count column gives how many times each row occurs in the report.)
  description                         pid    process                      target process   count
  PID 1428 wrote to memory of 592     1428   ISO-77002387418311pdf.exe    vbc.exe          9
  PID 1428 wrote to memory of 1648    1428   ISO-77002387418311pdf.exe    cmd.exe          4
  PID 1428 wrote to memory of 700     1428   ISO-77002387418311pdf.exe    cmd.exe          4
  PID 1648 wrote to memory of 1420    1648   cmd.exe                      schtasks.exe     4
  PID 1468 wrote to memory of 628     1468   taskeng.exe                  dfxzdg.exe       4
  PID 628 wrote to memory of 932      628    dfxzdg.exe                   vbc.exe          9
  PID 628 wrote to memory of 1588     628    dfxzdg.exe                   cmd.exe          4
  PID 628 wrote to memory of 1992     628    dfxzdg.exe                   cmd.exe          4
  PID 1588 wrote to memory of 1748    1588   cmd.exe                      schtasks.exe     4
-
outlook_office_path (1 IoCs)
Processes: vbc.exe
  description   ioc   process
  Key opened   \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676   vbc.exe
-
outlook_win_path (1 IoCs)
Processes: vbc.exe
  description   ioc   process
  Key opened   \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676   vbc.exe
Processes
(Nesting shows the process tree; each entry gives the image path, the command line, and the signatures triggered by that process.)
- C:\Users\Admin\AppData\Local\Temp\ISO-77002387418311pdf.exe
  Command: "C:\Users\Admin\AppData\Local\Temp\ISO-77002387418311pdf.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
    Command: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
    - Accesses Microsoft Outlook profiles
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\cmd.exe
    Command: "C:\Windows\System32\cmd.exe" /c schtasks /create /sc minute /mo 1 /tn "Nano" /tr "'C:\Users\Admin\AppData\Roaming\dfxzdg\dfxzdg.exe'" /f
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\schtasks.exe
      Command: schtasks /create /sc minute /mo 1 /tn "Nano" /tr "'C:\Users\Admin\AppData\Roaming\dfxzdg\dfxzdg.exe'" /f
      - Creates scheduled task(s)
  - C:\Windows\SysWOW64\cmd.exe
    Command: "C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\AppData\Local\Temp\ISO-77002387418311pdf.exe" "C:\Users\Admin\AppData\Roaming\dfxzdg\dfxzdg.exe"
- C:\Windows\system32\taskeng.exe
  Command: taskeng.exe {57B41289-16E8-49FB-A134-AE5778DF3BED} S-1-5-21-3456797065-1076791440-4146276586-1000:JZCKHXIN\Admin:Interactive:[1]
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\dfxzdg\dfxzdg.exe
    Command: C:\Users\Admin\AppData\Roaming\dfxzdg\dfxzdg.exe
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
      Command: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
      - Accesses Microsoft Outlook profiles
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - outlook_office_path
      - outlook_win_path
    - C:\Windows\SysWOW64\cmd.exe
      Command: "C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\AppData\Roaming\dfxzdg\dfxzdg.exe" "C:\Users\Admin\AppData\Roaming\dfxzdg\dfxzdg.exe"
    - C:\Windows\SysWOW64\cmd.exe
      Command: "C:\Windows\System32\cmd.exe" /c schtasks /create /sc minute /mo 1 /tn "Nano" /tr "'C:\Users\Admin\AppData\Roaming\dfxzdg\dfxzdg.exe'" /f
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\schtasks.exe
        Command: schtasks /create /sc minute /mo 1 /tn "Nano" /tr "'C:\Users\Admin\AppData\Roaming\dfxzdg\dfxzdg.exe'" /f
        - Creates scheduled task(s)
Downloads
-
C:\Users\Admin\AppData\Roaming\dfxzdg\dfxzdg.exe
MD5: 2ea15aa68317ad61bdcff453f0750281
SHA1: 10bfcd418e65f26a49f8c8c589352872d32d0492
SHA256: 20351bfb18a4c774795e240a1a143754493ce9c89edf007c5cb110e4bce447a9
SHA512: 5b92dfebaffc4c4fefd0ea0bbd85f6add5480f4039d5b940e26c2ade527719e73acf77302bf5853864d7ed0243af09b2f15b58312d1c0a6f62e6bae29c01b7e8
- memory/592-60-0x0000000000400000-0x0000000000426000-memory.dmp (Filesize: 152KB)
- memory/592-57-0x0000000000400000-0x0000000000426000-memory.dmp (Filesize: 152KB)
- memory/592-59-0x0000000000400000-0x0000000000426000-memory.dmp (Filesize: 152KB)
- memory/592-58-0x0000000000400000-0x0000000000426000-memory.dmp (Filesize: 152KB)
- memory/592-61-0x0000000000400000-0x0000000000426000-memory.dmp (Filesize: 152KB)
- memory/592-62-0x00000000004203EE-mapping.dmp
- memory/592-63-0x0000000000400000-0x0000000000426000-memory.dmp (Filesize: 152KB)
- memory/592-68-0x00000000005D0000-0x00000000005D1000-memory.dmp (Filesize: 4KB)
- memory/628-74-0x0000000004D00000-0x0000000004D01000-memory.dmp (Filesize: 4KB)
- memory/628-70-0x0000000000000000-mapping.dmp
- memory/628-72-0x0000000000B30000-0x0000000000B31000-memory.dmp (Filesize: 4KB)
- memory/700-66-0x0000000000000000-mapping.dmp
- memory/932-86-0x0000000004D30000-0x0000000004D31000-memory.dmp (Filesize: 4KB)
- memory/932-80-0x00000000004203EE-mapping.dmp
- memory/1420-67-0x0000000000000000-mapping.dmp
- memory/1428-54-0x0000000000D50000-0x0000000000D51000-memory.dmp (Filesize: 4KB)
- memory/1428-56-0x00000000022B0000-0x00000000022B1000-memory.dmp (Filesize: 4KB)
- memory/1588-83-0x0000000000000000-mapping.dmp
- memory/1648-65-0x0000000000000000-mapping.dmp
- memory/1748-85-0x0000000000000000-mapping.dmp
- memory/1992-84-0x0000000000000000-mapping.dmp