Analysis

max time kernel: 117s
max time network: 123s
platform: windows10_x64
resource: win10-en-20211014
submitted: 21-10-2021 05:56
Static task: static1

Behavioral task: behavioral1
  Sample: doc2019291888001990.pdf.exe
  Resource: win7-en-20210920

Behavioral task: behavioral2
  Sample: doc2019291888001990.pdf.exe
  Resource: win10-en-20211014
General

Target: doc2019291888001990.pdf.exe
Size: 13KB
MD5: 3d18d2aac131785618c05c974240a2e0
SHA1: 59ced83454905b1355abb7f8a9db626794e9fa90
SHA256: 68ef3fd87db02762f5bc7d604354cd0dee06df1c6c8eb0b05e04dec272b72dfe
SHA512: 14c497b7abc723d55a75a2a56efa298f7452766dcbf298deac7c1a43e0be549e289b8439510624e6a981d662ea5a77df36a7cc8f31747b71cd4003b211727593
Malware Config

Extracted: snakekeylogger
  Protocol: smtp
  Host: mail.mebareklam.com.tr
  Port: 587
  Username: meba@mebareklam.com.tr
  Password: %2Ar34qs
Signatures

Snake Keylogger
  Keylogger and Infostealer first seen in November 2020.

Turns off Windows Defender SpyNet reporting (2 TTPs)

Nirsoft (3 IoCs)
  Processes (resource | yara_rule):
    C:\Users\Admin\AppData\Local\Temp\6b2fe935-5718-4124-87ae-67fddd137488\AdvancedRun.exe | Nirsoft
    C:\Users\Admin\AppData\Local\Temp\6b2fe935-5718-4124-87ae-67fddd137488\AdvancedRun.exe | Nirsoft
    C:\Users\Admin\AppData\Local\Temp\6b2fe935-5718-4124-87ae-67fddd137488\AdvancedRun.exe | Nirsoft

Executes dropped EXE (2 IoCs)
  Processes (pid | process):
    1904 | AdvancedRun.exe
    1528 | AdvancedRun.exe

Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.

Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk where infostealers will often target it.

Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

Windows security modification
  Processes (description | ioc | process):
    Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | doc2019291888001990.pdf.exe
    Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | doc2019291888001990.pdf.exe
    Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths | doc2019291888001990.pdf.exe
    Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions | doc2019291888001990.pdf.exe
    Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\doc2019291888001990.pdf.exe = "0" | doc2019291888001990.pdf.exe
    Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet\SubmitSamplesConsent = "0" | doc2019291888001990.pdf.exe
    Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | doc2019291888001990.pdf.exe
    Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Real-Time Protection | doc2019291888001990.pdf.exe
    Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet | doc2019291888001990.pdf.exe
    Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet\SpyNetReporting = "0" | doc2019291888001990.pdf.exe

Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
  Processes (description | ioc | process):
    Key opened | \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | doc2019291888001990.pdf.exe
    Key opened | \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | doc2019291888001990.pdf.exe
    Key opened | \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | doc2019291888001990.pdf.exe

Looks up external IP address via web service (3 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes (flow | ioc):
    19 | checkip.dyndns.org
    22 | freegeoip.app
    23 | freegeoip.app

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: EnumeratesProcesses (12 IoCs)
  Processes (pid | process):
    1904 | AdvancedRun.exe
    1904 | AdvancedRun.exe
    1904 | AdvancedRun.exe
    1904 | AdvancedRun.exe
    1528 | AdvancedRun.exe
    1528 | AdvancedRun.exe
    1528 | AdvancedRun.exe
    1528 | AdvancedRun.exe
    1556 | doc2019291888001990.pdf.exe
    3780 | powershell.exe
    3780 | powershell.exe
    3780 | powershell.exe

Suspicious use of AdjustPrivilegeToken (6 IoCs)
  Processes (description | pid | process):
    Token: SeDebugPrivilege | 1556 | doc2019291888001990.pdf.exe
    Token: SeDebugPrivilege | 1904 | AdvancedRun.exe
    Token: SeImpersonatePrivilege | 1904 | AdvancedRun.exe
    Token: SeDebugPrivilege | 1528 | AdvancedRun.exe
    Token: SeImpersonatePrivilege | 1528 | AdvancedRun.exe
    Token: SeDebugPrivilege | 3780 | powershell.exe

Suspicious use of WriteProcessMemory (9 IoCs)
  Processes (description | pid | process | target process):
    PID 1556 wrote to memory of 1904 | 1556 | doc2019291888001990.pdf.exe | AdvancedRun.exe
    PID 1556 wrote to memory of 1904 | 1556 | doc2019291888001990.pdf.exe | AdvancedRun.exe
    PID 1556 wrote to memory of 1904 | 1556 | doc2019291888001990.pdf.exe | AdvancedRun.exe
    PID 1904 wrote to memory of 1528 | 1904 | AdvancedRun.exe | AdvancedRun.exe
    PID 1904 wrote to memory of 1528 | 1904 | AdvancedRun.exe | AdvancedRun.exe
    PID 1904 wrote to memory of 1528 | 1904 | AdvancedRun.exe | AdvancedRun.exe
    PID 1556 wrote to memory of 3780 | 1556 | doc2019291888001990.pdf.exe | powershell.exe
    PID 1556 wrote to memory of 3780 | 1556 | doc2019291888001990.pdf.exe | powershell.exe
    PID 1556 wrote to memory of 3780 | 1556 | doc2019291888001990.pdf.exe | powershell.exe

outlook_office_path (1 IoC)
  Processes (description | ioc | process):
    Key opened | \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | doc2019291888001990.pdf.exe

outlook_win_path (1 IoC)
  Processes (description | ioc | process):
    Key opened | \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | doc2019291888001990.pdf.exe
Processes

- C:\Users\Admin\AppData\Local\Temp\doc2019291888001990.pdf.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\doc2019291888001990.pdf.exe"
  - Windows security modification
  - Accesses Microsoft Outlook profiles
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - outlook_office_path
  - outlook_win_path

  - C:\Users\Admin\AppData\Local\Temp\6b2fe935-5718-4124-87ae-67fddd137488\AdvancedRun.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\6b2fe935-5718-4124-87ae-67fddd137488\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\6b2fe935-5718-4124-87ae-67fddd137488\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    - C:\Users\Admin\AppData\Local\Temp\6b2fe935-5718-4124-87ae-67fddd137488\AdvancedRun.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\6b2fe935-5718-4124-87ae-67fddd137488\AdvancedRun.exe" /SpecialRun 4101d8 1904
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\doc2019291888001990.pdf.exe" -Force
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

- C:\Users\Admin\AppData\Local\Temp\6b2fe935-5718-4124-87ae-67fddd137488\AdvancedRun.exe
  MD5: 17fc12902f4769af3a9271eb4e2dacce
  SHA1: 9a4a1581cc3971579574f837e110f3bd6d529dab
  SHA256: 29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b
  SHA512: 036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a
-
- memory/1528-126-0x0000000000000000-mapping.dmp
- memory/1556-121-0x0000000005400000-0x000000000546A000-memory.dmp (Filesize: 424KB)
- memory/1556-122-0x0000000005970000-0x0000000005971000-memory.dmp (Filesize: 4KB)
- memory/1556-120-0x00000000048C0000-0x00000000048C1000-memory.dmp (Filesize: 4KB)
- memory/1556-117-0x0000000004970000-0x0000000004971000-memory.dmp (Filesize: 4KB)
- memory/1556-115-0x0000000000040000-0x0000000000041000-memory.dmp (Filesize: 4KB)
- memory/1556-138-0x00000000060D0000-0x00000000060D1000-memory.dmp (Filesize: 4KB)
- memory/1556-129-0x00000000054C0000-0x00000000054DF000-memory.dmp (Filesize: 124KB)
- memory/1556-137-0x0000000006110000-0x0000000006111000-memory.dmp (Filesize: 4KB)
- memory/1556-136-0x0000000006240000-0x0000000006241000-memory.dmp (Filesize: 4KB)
- memory/1904-123-0x0000000000000000-mapping.dmp
- memory/3780-134-0x0000000007170000-0x0000000007171000-memory.dmp (Filesize: 4KB)
- memory/3780-143-0x0000000008490000-0x0000000008491000-memory.dmp (Filesize: 4KB)
- memory/3780-132-0x00000000070F0000-0x00000000070F1000-memory.dmp (Filesize: 4KB)
- memory/3780-135-0x0000000007172000-0x0000000007173000-memory.dmp (Filesize: 4KB)
- memory/3780-131-0x0000000004BF0000-0x0000000004BF1000-memory.dmp (Filesize: 4KB)
- memory/3780-130-0x0000000004BF0000-0x0000000004BF1000-memory.dmp (Filesize: 4KB)
- memory/3780-128-0x0000000000000000-mapping.dmp
- memory/3780-139-0x0000000007E30000-0x0000000007E31000-memory.dmp (Filesize: 4KB)
- memory/3780-140-0x0000000007FB0000-0x0000000007FB1000-memory.dmp (Filesize: 4KB)
- memory/3780-141-0x0000000007ED0000-0x0000000007ED1000-memory.dmp (Filesize: 4KB)
- memory/3780-142-0x0000000008120000-0x0000000008121000-memory.dmp (Filesize: 4KB)
- memory/3780-133-0x00000000077B0000-0x00000000077B1000-memory.dmp (Filesize: 4KB)
- memory/3780-144-0x00000000089D0000-0x00000000089D1000-memory.dmp (Filesize: 4KB)
- memory/3780-145-0x00000000088B0000-0x00000000088B1000-memory.dmp (Filesize: 4KB)
- memory/3780-146-0x0000000004BF0000-0x0000000004BF1000-memory.dmp (Filesize: 4KB)
- memory/3780-153-0x0000000009650000-0x0000000009683000-memory.dmp (Filesize: 204KB)
- memory/3780-160-0x0000000009630000-0x0000000009631000-memory.dmp (Filesize: 4KB)
- memory/3780-165-0x00000000097A0000-0x00000000097A1000-memory.dmp (Filesize: 4KB)
- memory/3780-166-0x0000000009C10000-0x0000000009C11000-memory.dmp (Filesize: 4KB)
- memory/3780-169-0x000000007F8E0000-0x000000007F8E1000-memory.dmp (Filesize: 4KB)
- memory/3780-170-0x0000000007173000-0x0000000007174000-memory.dmp (Filesize: 4KB)