Overview

overview

10

Static

static

doc2019291...df.exe

windows7_x64

10

doc2019291...df.exe

windows10_x64

10

Analysis

  • max time kernel
    117s
  • max time network
    123s
  • platform
    windows10_x64
  • resource
    win10-en-20211014
  • submitted
    21-10-2021 05:56

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    doc2019291888001990.pdf.exe

  • Size

    13KB

  • MD5

    3d18d2aac131785618c05c974240a2e0

  • SHA1

    59ced83454905b1355abb7f8a9db626794e9fa90

  • SHA256

    68ef3fd87db02762f5bc7d604354cd0dee06df1c6c8eb0b05e04dec272b72dfe

  • SHA512

    14c497b7abc723d55a75a2a56efa298f7452766dcbf298deac7c1a43e0be549e289b8439510624e6a981d662ea5a77df36a7cc8f31747b71cd4003b211727593

Score
10/10
snakekeyloggercollectionevasionkeyloggerspywarestealertrojan

Malware Config

Extracted

Family

snakekeylogger

Credentials

  • Protocol:     smtp
  • Host:
    mail.mebareklam.com.tr
  • Port:
    587
  • Username:
    meba@mebareklam.com.tr
  • Password:
    %2Ar34qs

Signatures

  • Snake Keylogger

    Keylogger and Infostealer first seen in November 2020.

    stealerkeyloggersnakekeylogger
  • Turns off Windows Defender SpyNet reporting 2 TTPs
    evasion
  • Windows security bypass 2 TTPs
    evasiontrojan
  • Nirsoft 3 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 10 IoCs
    evasiontrojan
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Looks up external IP address via web service 3 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\doc2019291888001990.pdf.exe
    "C:\Users\Admin\AppData\Local\Temp\doc2019291888001990.pdf.exe"
    1⤵
    • Windows security modification
    • Accesses Microsoft Outlook profiles
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • outlook_office_path
    • outlook_win_path
    PID:1556
    • C:\Users\Admin\AppData\Local\Temp\6b2fe935-5718-4124-87ae-67fddd137488\AdvancedRun.exe
      "C:\Users\Admin\AppData\Local\Temp\6b2fe935-5718-4124-87ae-67fddd137488\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\6b2fe935-5718-4124-87ae-67fddd137488\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1904
      • C:\Users\Admin\AppData\Local\Temp\6b2fe935-5718-4124-87ae-67fddd137488\AdvancedRun.exe
        "C:\Users\Admin\AppData\Local\Temp\6b2fe935-5718-4124-87ae-67fddd137488\AdvancedRun.exe" /SpecialRun 4101d8 1904
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1528
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\doc2019291888001990.pdf.exe" -Force
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3780

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Disabling Security Tools

3
T1089

Modify Registry

3
T1112

Credential Access

Credentials in Files

3
T1081

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Data from Local System

3
T1005

Email Collection

1
T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\6b2fe935-5718-4124-87ae-67fddd137488\AdvancedRun.exe
    MD5

    17fc12902f4769af3a9271eb4e2dacce

    SHA1

    9a4a1581cc3971579574f837e110f3bd6d529dab

    SHA256

    29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

    SHA512

    036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\6b2fe935-5718-4124-87ae-67fddd137488\AdvancedRun.exe
    MD5

    17fc12902f4769af3a9271eb4e2dacce

    SHA1

    9a4a1581cc3971579574f837e110f3bd6d529dab

    SHA256

    29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

    SHA512

    036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\6b2fe935-5718-4124-87ae-67fddd137488\AdvancedRun.exe
    MD5

    17fc12902f4769af3a9271eb4e2dacce

    SHA1

    9a4a1581cc3971579574f837e110f3bd6d529dab

    SHA256

    29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

    SHA512

    036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

    Download Submit
  • memory/1528-126-0x0000000000000000-mapping.dmp
    Download
  • memory/1556-121-0x0000000005400000-0x000000000546A000-memory.dmp
    Filesize

    424KB

    Download
  • memory/1556-122-0x0000000005970000-0x0000000005971000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1556-120-0x00000000048C0000-0x00000000048C1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1556-117-0x0000000004970000-0x0000000004971000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1556-115-0x0000000000040000-0x0000000000041000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1556-138-0x00000000060D0000-0x00000000060D1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1556-129-0x00000000054C0000-0x00000000054DF000-memory.dmp
    Filesize

    124KB

    Download
  • memory/1556-137-0x0000000006110000-0x0000000006111000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1556-136-0x0000000006240000-0x0000000006241000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1904-123-0x0000000000000000-mapping.dmp
    Download
  • memory/3780-134-0x0000000007170000-0x0000000007171000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3780-143-0x0000000008490000-0x0000000008491000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3780-132-0x00000000070F0000-0x00000000070F1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3780-135-0x0000000007172000-0x0000000007173000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3780-131-0x0000000004BF0000-0x0000000004BF1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3780-130-0x0000000004BF0000-0x0000000004BF1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3780-128-0x0000000000000000-mapping.dmp
    Download
  • memory/3780-139-0x0000000007E30000-0x0000000007E31000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3780-140-0x0000000007FB0000-0x0000000007FB1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3780-141-0x0000000007ED0000-0x0000000007ED1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3780-142-0x0000000008120000-0x0000000008121000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3780-133-0x00000000077B0000-0x00000000077B1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3780-144-0x00000000089D0000-0x00000000089D1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3780-145-0x00000000088B0000-0x00000000088B1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3780-146-0x0000000004BF0000-0x0000000004BF1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3780-153-0x0000000009650000-0x0000000009683000-memory.dmp
    Filesize

    204KB

    Download
  • memory/3780-160-0x0000000009630000-0x0000000009631000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3780-165-0x00000000097A0000-0x00000000097A1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3780-166-0x0000000009C10000-0x0000000009C11000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3780-169-0x000000007F8E0000-0x000000007F8E1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3780-170-0x0000000007173000-0x0000000007174000-memory.dmp
    Filesize

    4KB

    Download