Overview
Score per task (out of 10):
static: 10
BL. NO. AN...21.exe (windows7_x64): 8
BL. NO. AN...21.exe (windows10_x64): 10
Sample_101...mg.exe (windows7_x64): 10
Sample_101...mg.exe (windows10_x64): 10
Invoice 19...df.exe (windows7_x64): 10
Invoice 19...df.exe (windows10_x64): 1
Leak/PROFO...CE.doc (windows7_x64): 10
Leak/PROFO...CE.doc (windows10_x64): 10
Payment re...df.exe (windows7_x64): 1
Payment re...df.exe (windows10_x64): 10
Leak/Profo...mg.xls (windows7_x64): 10
Leak/Profo...mg.xls (windows10_x64): 10
Analysis (score 10)
max time kernel: 600s
max time network: 607s
platform: windows7_x64
resource: win7-en-20210920
submitted: 26-10-2021 07:00
Tasks in this submission (task id: sample, sandbox resource):
static1: Static task
behavioral1: BL. NO. ANSMUNDAR3621.exe, win7-en-20211014
behavioral2: BL. NO. ANSMUNDAR3621.exe, win10-en-20210920
behavioral3: Sample_10120351200_ISO_035117img.exe, win7-en-20210920
behavioral4: Sample_10120351200_ISO_035117img.exe, win10-en-20211014
behavioral5: Invoice 1905-20-1907-20.pdf.exe, win7-en-20210920
behavioral6: Invoice 1905-20-1907-20.pdf.exe, win10-en-20211014
behavioral7: Leak/PROFORMA INVOICE.doc, win7-en-20210920
behavioral8: Leak/PROFORMA INVOICE.doc, win10-en-20211014
behavioral9: Payment receipt.pdf.exe, win7-en-20210920
behavioral10: Payment receipt.pdf.exe, win10-en-20210920
behavioral11: Leak/Proforma invoice35117img.xls, win7-en-20211014
behavioral12: Leak/Proforma invoice35117img.xls, win10-en-20210920
General
Target: Sample_10120351200_ISO_035117img.exe
Size: 833KB
MD5: 0d20e6334179eeadad75c218d0d9dca2
SHA1: ab19c8e05121be1bfed70591477610cd12e066ab
SHA256: 8b94440478e3c9fd0991d121ef5ab7144425da4b074a65d93fd9111a515c0b8e
SHA512: 3f5672aafefbaf9156a0cda170360eb5fa43e1907e7966c041c2f870a2af0494bc9315c57fb85840ce3e7b4c02c7bfe5b85c023d8759c26da5605a0762d800fd
Malware Config
Extracted family: snakekeylogger
Protocol: smtp
Host: ilbgone.cyou
Port: 587
Username: [email protected]
Password: H3c8T~{Vz%IH
Signatures

Snake Keylogger
Keylogger and infostealer first seen in November 2020.

Executes dropped EXE (1 IoC)
PID 1512 update.exe

Uses the VBS compiler for execution (1 TTP)
The host process is vbc.exe, the Visual Basic .NET compiler shipped with the .NET Framework (not the VBScript engine); it is launched with no arguments and used as a container for the injected payload.

Accesses Microsoft Outlook profiles (1 TTP, 6 IoCs)
Registry keys opened by vbc.exe (each of the three keys is opened twice; two vbc.exe instances are listed):
\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Looks up external IP address via web service (4 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
flow 4: checkip.dyndns.org
flow 9: freegeoip.app
flow 10: freegeoip.app
flow 16: freegeoip.app

Suspicious use of SetThreadContext (2 IoCs)
PID 1728 Sample_10120351200_ISO_035117img.exe set thread context of PID 1828 vbc.exe
PID 1512 update.exe set thread context of PID 1632 vbc.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). The sandbox's canned description calls this likely ransomware behaviour; in this sample it accompanies an infostealer, so read it as drive enumeration rather than encryption.

Creates scheduled task(s) (1 TTP, 2 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.

Suspicious behavior: EnumeratesProcesses (2 IoCs)
PID 1828 vbc.exe
PID 1632 vbc.exe

Suspicious use of AdjustPrivilegeToken (4 IoCs)
Token SeDebugPrivilege: PID 1728 Sample_10120351200_ISO_035117img.exe
Token SeDebugPrivilege: PID 1828 vbc.exe
Token SeDebugPrivilege: PID 1512 update.exe
Token SeDebugPrivilege: PID 1632 vbc.exe

Suspicious use of WriteProcessMemory (49 IoCs)
Writer -> target, with the number of identical rows the report lists in parentheses (the 49 rows collapse to these nine pairs):
PID 1728 Sample_10120351200_ISO_035117img.exe -> PID 1828 vbc.exe (9)
PID 1728 Sample_10120351200_ISO_035117img.exe -> PID 748 cmd.exe (4)
PID 1728 Sample_10120351200_ISO_035117img.exe -> PID 948 cmd.exe (4)
PID 748 cmd.exe -> PID 1428 schtasks.exe (4)
PID 560 taskeng.exe -> PID 1512 update.exe (7)
PID 1512 update.exe -> PID 1632 vbc.exe (9)
PID 1512 update.exe -> PID 916 cmd.exe (4)
PID 1512 update.exe -> PID 1568 cmd.exe (4)
PID 916 cmd.exe -> PID 644 schtasks.exe (4)
The writes into the two vbc.exe processes are the ones that matter: together with the SetThreadContext calls on the same targets they match the process-hollowing pattern, while the four-write groups into cmd.exe and schtasks.exe are ordinary child-process creation.

outlook_office_path (1 IoC)
vbc.exe opened key \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

outlook_win_path (1 IoC)
vbc.exe opened key \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
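The extracted config (SMTP to ilbgone.cyou:587) and the "Looks up external IP address" signature together describe the exfiltration side of this sample: the hollowed vbc.exe first asks checkip.dyndns.org / freegeoip.app for the victim's public IP, then mails the stolen data out over SMTP. The following is an added example, not code from the report or the sandbox, that correlates those two steps per process over process-attributed network events. The event records are constructed to mirror the report's flows and config; the mail-client allowlist and the ten-minute window are assumptions to tune per estate.

```python
"""Correlate per-process network events: an external-IP lookup followed by an
SMTP connection from a process that is not a mail client.
Added example; events are constructed, not taken from the sandbox capture."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List


@dataclass
class NetEvent:
    ts: datetime
    pid: int
    image: str        # full image path of the process that made the connection
    dest_host: str
    dest_port: int


# "What is my public IP" services; stealers hit one of these to tag the victim
# before exfiltration. The report shows the first two.
IP_LOOKUP_HOSTS = {"checkip.dyndns.org", "freegeoip.app", "api.ipify.org", "icanhazip.com"}
MAIL_PORTS = {25, 465, 587}
# Processes for which outbound SMTP is expected (assumption: extend per estate).
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}
WINDOW = timedelta(minutes=10)  # assumed lookup-to-SMTP correlation window


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def correlate(events: List[NetEvent]) -> List[Dict]:
    """Return one alert per SMTP connection from a non-mail process; severity is
    'high' when the same PID did an IP lookup within WINDOW before it."""
    by_pid: Dict[int, List[NetEvent]] = {}
    for ev in sorted(events, key=lambda e: e.ts):
        by_pid.setdefault(ev.pid, []).append(ev)

    alerts = []
    for pid, evs in by_pid.items():
        image = basename(evs[0].image)
        if image in MAIL_CLIENTS:
            continue  # mail clients legitimately speak SMTP
        lookups = [e for e in evs if e.dest_host.lower() in IP_LOOKUP_HOSTS]
        for smtp in (e for e in evs if e.dest_port in MAIL_PORTS):
            prior = [l for l in lookups if timedelta(0) <= smtp.ts - l.ts <= WINDOW]
            alerts.append({
                "pid": pid,
                "image": image,
                "smtp_dest": f"{smtp.dest_host}:{smtp.dest_port}",
                "lookups": sorted({l.dest_host for l in prior}),
                "severity": "high" if prior else "medium",
            })
    return alerts


# Constructed events: PID 1828 mirrors the report's vbc.exe (lookups from the
# Signatures section, SMTP destination from the extracted config); the rest are
# benign controls that must not fire as 'high'.
T0 = datetime(2021, 10, 26, 7, 5, 0)
VBC = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
EVENTS = [
    NetEvent(T0, 1828, VBC, "checkip.dyndns.org", 80),
    NetEvent(T0 + timedelta(seconds=3), 1828, VBC, "freegeoip.app", 443),
    NetEvent(T0 + timedelta(seconds=5), 1828, VBC, "ilbgone.cyou", 587),
    NetEvent(T0, 2200, r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
             "smtp.office365.com", 587),                       # mail client: ignored
    NetEvent(T0, 2300, r"C:\Program Files\Mozilla Firefox\firefox.exe",
             "checkip.dyndns.org", 80),                        # lookup only: no alert
    NetEvent(T0, 2400, r"C:\Python39\python.exe", "mail.corp.local", 25),  # SMTP only: medium
]


if __name__ == "__main__":
    for alert in correlate(EVENTS):
        print(alert)
```

Only the vbc.exe process produces a high-severity alert; the scripted SMTP from python.exe surfaces as medium, which is the right place for an analyst to decide whether a scheduled mailer is expected on that host. Egress filtering that denies port 587 to anything but the mail client defeats this exfil channel outright.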
Processes
Tree is indented by depth; each entry shows the image path, the command line, and the signatures that process triggered. The image paths read SysWOW64 while the command lines say System32 because the sample is a 32-bit process and file-system redirection applies.

C:\Users\Admin\AppData\Local\Temp\Sample_10120351200_ISO_035117img.exe
  cmdline: "C:\Users\Admin\AppData\Local\Temp\Sample_10120351200_ISO_035117img.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
    cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
    - Accesses Microsoft Outlook profiles
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\cmd.exe
    cmdline: "C:\Windows\System32\cmd.exe" /c schtasks /create /sc minute /mo 1 /tn "Nano" /tr "'C:\Users\Admin\AppData\Roaming\update\update.exe'" /f
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\schtasks.exe
      cmdline: schtasks /create /sc minute /mo 1 /tn "Nano" /tr "'C:\Users\Admin\AppData\Roaming\update\update.exe'" /f
      - Creates scheduled task(s)

  C:\Windows\SysWOW64\cmd.exe
    cmdline: "C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\AppData\Local\Temp\Sample_10120351200_ISO_035117img.exe" "C:\Users\Admin\AppData\Roaming\update\update.exe"

C:\Windows\system32\taskeng.exe
  cmdline: taskeng.exe {9567D6E8-3AE5-4CD2-BF99-BB32F6277D0E} S-1-5-21-3456797065-1076791440-4146276586-1000:JZCKHXIN\Admin:Interactive:[1]
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Roaming\update\update.exe
    cmdline: C:\Users\Admin\AppData\Roaming\update\update.exe
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
      cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
      - Accesses Microsoft Outlook profiles
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - outlook_office_path
      - outlook_win_path

    C:\Windows\SysWOW64\cmd.exe
      cmdline: "C:\Windows\System32\cmd.exe" /c schtasks /create /sc minute /mo 1 /tn "Nano" /tr "'C:\Users\Admin\AppData\Roaming\update\update.exe'" /f
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\schtasks.exe
        cmdline: schtasks /create /sc minute /mo 1 /tn "Nano" /tr "'C:\Users\Admin\AppData\Roaming\update\update.exe'" /f
        - Creates scheduled task(s)

    C:\Windows\SysWOW64\cmd.exe
      cmdline: "C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\AppData\Roaming\update\update.exe" "C:\Users\Admin\AppData\Roaming\update\update.exe"
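The process tree above, read together with the Signatures section, is a compact three-part pattern: a no-argument vbc.exe spawned from a user-writable directory (the hollowing host that later opens the Outlook profile keys), a schtasks /create that re-launches a binary under AppData\Roaming every minute, and a cmd /c copy that stages the sample's own image there first. The following is an added example, not the report's or the sandbox's own detection logic, that flags each of those three events from process-creation records. The records are constructed from the PIDs and command lines the report lists, plus two benign controls; the set of .NET host binaries and the "user-writable" path pattern are assumptions to extend for a real environment.

```python
"""Flag the staging, persistence and injection-host pattern from process-creation events.
Added example; events are constructed from the report's process tree plus benign controls."""
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str         # image path of the new process
    parent_image: str  # image path of its parent
    cmdline: str


@dataclass
class Finding:
    rule: str
    pid: int
    detail: str


# Standard-user-writable locations the sample drops into and schedules from (assumed list).
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\AppData\\(?:Local\\Temp|Roaming)\\", re.I)
# Signed .NET build tools commonly used as hollowing hosts (vbc.exe in this report; assumed set).
NET_HOSTS = {"vbc.exe", "csc.exe", "msbuild.exe", "regasm.exe", "regsvcs.exe", "installutil.exe"}
SC = re.compile(r"/sc\s+(\w+)", re.I)
MO = re.compile(r"/mo\s+(\d+)", re.I)
TN = re.compile(r'/tn\s+"([^"]+)"', re.I)
TR = re.compile(r'/tr\s+"([^"]+)"', re.I)
COPY = re.compile(r'\bcopy\s+"([^"]+)"\s+"([^"]+)"', re.I)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def check_hollow_host(ev: ProcEvent) -> Optional[Finding]:
    """A .NET compiler started with an empty argument list by a parent in a user-writable
    directory: a genuine compile always passes sources or a response file."""
    if basename(ev.image) not in NET_HOSTS:
        return None
    cmd = ev.cmdline.strip()
    # Drop the (possibly quoted) image token; whatever remains is the argument list.
    args = cmd[cmd.find('"', 1) + 1:] if cmd.startswith('"') else cmd.partition(" ")[2]
    if args.strip() or not USER_WRITABLE.search(ev.parent_image):
        return None
    return Finding("hollowed-net-host", ev.pid,
                   f"{basename(ev.image)} with no arguments from {ev.parent_image}")


def check_schtasks(ev: ProcEvent) -> Optional[Finding]:
    """schtasks /create whose action lives in a user-writable path or fires every few minutes."""
    if basename(ev.image) != "schtasks.exe" or "/create" not in ev.cmdline.lower():
        return None
    tr = TR.search(ev.cmdline)
    if not tr:
        return None
    target = tr.group(1).strip("'")  # the report wraps the path in single quotes inside double
    sc, mo, tn = SC.search(ev.cmdline), MO.search(ev.cmdline), TN.search(ev.cmdline)
    tight_loop = bool(sc and sc.group(1).lower() == "minute" and mo and int(mo.group(1)) <= 5)
    if not (tight_loop or USER_WRITABLE.search(target)):
        return None
    name = tn.group(1) if tn else "?"
    sched = f"/sc {sc.group(1) if sc else '?'} /mo {mo.group(1) if mo else '?'}"
    return Finding("schtasks-persistence", ev.pid, f'task "{name}" {sched} -> {target}')


def check_self_copy(ev: ProcEvent) -> Optional[Finding]:
    """cmd /c copy of the parent's own image into a user-writable directory (staging for the task)."""
    m = COPY.search(ev.cmdline)
    if basename(ev.image) != "cmd.exe" or not m:
        return None
    src, dst = m.groups()
    if src.lower() == ev.parent_image.lower() and USER_WRITABLE.search(dst):
        return Finding("self-copy-staging", ev.pid, f"{src} -> {dst}")
    return None


def scan(events: List[ProcEvent]) -> List[Finding]:
    findings = []
    for ev in events:
        for check in (check_hollow_host, check_schtasks, check_self_copy):
            f = check(ev)
            if f:
                findings.append(f)
    return findings


# Constructed events mirroring the report's first infection round (PIDs 1728/1828/748/1428/948),
# followed by two benign controls: a real compile from Visual Studio and a daily backup task.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\Sample_10120351200_ISO_035117img.exe"
UPDATE = r"C:\Users\Admin\AppData\Roaming\update\update.exe"
VBC = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
CMD = r"C:\Windows\SysWOW64\cmd.exe"
TASK = 'schtasks /create /sc minute /mo 1 /tn "Nano" /tr "\'' + UPDATE + '\'" /f'
EVENTS = [
    ProcEvent(1828, 1728, VBC, SAMPLE, '"' + VBC + '"'),
    ProcEvent(748, 1728, CMD, SAMPLE, '"C:\\Windows\\System32\\cmd.exe" /c ' + TASK),
    ProcEvent(1428, 748, r"C:\Windows\SysWOW64\schtasks.exe", CMD, TASK),
    ProcEvent(948, 1728, CMD, SAMPLE,
              '"C:\\Windows\\System32\\cmd.exe" /c copy "' + SAMPLE + '" "' + UPDATE + '"'),
    ProcEvent(4000, 3999, VBC, r"C:\Program Files\Microsoft Visual Studio\Common7\IDE\devenv.exe",
              '"' + VBC + '" /noconfig @"C:\\proj\\obj\\Debug\\app.rsp"'),
    ProcEvent(4001, 4000, r"C:\Windows\System32\schtasks.exe", r"C:\Windows\System32\cmd.exe",
              'schtasks /create /sc daily /st 02:00 /tn "Backup" /tr "C:\\Program Files\\Backup\\backup.exe" /f'),
]


if __name__ == "__main__":
    for f in scan(EVENTS):
        print(f.rule, f.pid, f.detail)
```

Running it yields exactly three findings (the hollowing host, the "Nano" task, and the self-copy) and nothing for the two controls. On a live host the same three facts are what to confirm during triage: the task named "Nano" in the Task Scheduler library, the file under AppData\Roaming\update whose hashes match the original sample (see Downloads below), and a vbc.exe with no arguments whose 0x400000-0x426000 region (dumped by the sandbox for PID 1828) is the image to carve for the real payload.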
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\Roaming\update\update.exe (listed twice in the report, once per copy command; the hashes are identical to the submitted sample, so the dropped file is a byte-for-byte copy)
MD5: 0d20e6334179eeadad75c218d0d9dca2
SHA1: ab19c8e05121be1bfed70591477610cd12e066ab
SHA256: 8b94440478e3c9fd0991d121ef5ab7144425da4b074a65d93fd9111a515c0b8e
SHA512: 3f5672aafefbaf9156a0cda170360eb5fa43e1907e7966c041c2f870a2af0494bc9315c57fb85840ce3e7b4c02c7bfe5b85c023d8759c26da5605a0762d800fd
Memory dumps (memory/<pid>-<sequence>-<address or range>; size given for dumped regions):
memory/644-99-0x0000000000000000-mapping.dmp
memory/748-72-0x0000000000000000-mapping.dmp
memory/916-97-0x0000000000000000-mapping.dmp
memory/948-73-0x0000000000000000-mapping.dmp
memory/1428-74-0x0000000000000000-mapping.dmp
memory/1512-79-0x0000000000EA0000-0x0000000000EA1000-memory.dmp (4KB)
memory/1512-77-0x0000000000000000-mapping.dmp
memory/1512-81-0x0000000004E30000-0x0000000004E31000-memory.dmp (4KB)
memory/1568-98-0x0000000000000000-mapping.dmp
memory/1632-100-0x0000000004CB0000-0x0000000004CB1000-memory.dmp (4KB)
memory/1632-87-0x00000000004203FE-mapping.dmp
memory/1728-54-0x00000000003A0000-0x00000000003A1000-memory.dmp (4KB)
memory/1728-56-0x0000000004C70000-0x0000000004C71000-memory.dmp (4KB)
memory/1828-61-0x0000000000400000-0x0000000000426000-memory.dmp (152KB)
memory/1828-75-0x0000000004EA0000-0x0000000004EA1000-memory.dmp (4KB)
memory/1828-58-0x0000000000080000-0x00000000000A6000-memory.dmp (152KB)
memory/1828-62-0x00000000004203FE-mapping.dmp
memory/1828-57-0x0000000000080000-0x00000000000A6000-memory.dmp (152KB)
memory/1828-59-0x0000000000080000-0x00000000000A6000-memory.dmp (152KB)
memory/1828-63-0x0000000000080000-0x00000000000A6000-memory.dmp (152KB)
memory/1828-70-0x0000000000080000-0x0000000000082000-memory.dmp (8KB)
memory/1828-60-0x0000000000080000-0x00000000000A6000-memory.dmp (152KB)
memory/1828-69-0x0000000000080000-0x00000000000A6000-memory.dmp (152KB)
memory/1828-66-0x0000000000080000-0x00000000000A6000-memory.dmp (152KB)