Overview

Tasks
- static1 (static task): score 10
- behavioral1: BL. NO. ANSMUNDAR3621.exe on win7-en-20211014 (windows7_x64): score 8
- behavioral2: BL. NO. ANSMUNDAR3621.exe on win10-en-20210920 (windows10_x64): score 10
- behavioral3: Sample_10120351200_ISO_035117img.exe on win7-en-20210920 (windows7_x64): score 10
- behavioral4: Sample_10120351200_ISO_035117img.exe on win10-en-20211014 (windows10_x64): score 10
- behavioral5: Invoice 1905-20-1907-20.pdf.exe on win7-en-20210920 (windows7_x64): score 10
- behavioral6: Invoice 1905-20-1907-20.pdf.exe on win10-en-20211014 (windows10_x64): score 1
- behavioral7: Leak/PROFORMA INVOICE.doc on win7-en-20210920 (windows7_x64): score 10
- behavioral8: Leak/PROFORMA INVOICE.doc on win10-en-20211014 (windows10_x64): score 10
- behavioral9: Payment receipt.pdf.exe on win7-en-20210920 (windows7_x64): score 1
- behavioral10: Payment receipt.pdf.exe on win10-en-20210920 (windows10_x64): score 10
- behavioral11: Leak/Proforma invoice35117img.xls on win7-en-20211014 (windows7_x64): score 10
- behavioral12: Leak/Proforma invoice35117img.xls on win10-en-20210920 (windows10_x64): score 10

Analysis
- Max time kernel: 406s
- Max time network: 362s
- Platform: windows10_x64
- Resource: win10-en-20211014
- Submitted: 26-10-2021 07:00
General
- Target: Sample_10120351200_ISO_035117img.exe
- Size: 833KB
- MD5: 0d20e6334179eeadad75c218d0d9dca2
- SHA1: ab19c8e05121be1bfed70591477610cd12e066ab
- SHA256: 8b94440478e3c9fd0991d121ef5ab7144425da4b074a65d93fd9111a515c0b8e
- SHA512: 3f5672aafefbaf9156a0cda170360eb5fa43e1907e7966c041c2f870a2af0494bc9315c57fb85840ce3e7b4c02c7bfe5b85c023d8759c26da5605a0762d800fd
Malware Config
Extracted family: snakekeylogger
- Protocol: smtp
- Host: ilbgone.cyou
- Port: 587
- Username: [email protected]
- Password: H3c8T~{Vz%IH
Signatures

- Snake Keylogger
  Keylogger and Infostealer first seen in November 2020.

- Executes dropped EXE (1 IoC)
  Processes:
    PID 2952  update.exe

- Uses the VBS compiler for execution (1 TTP)

- Accesses Microsoft Outlook profiles (1 TTP, 6 IoCs)
  Processes: vbc.exe, vbc.exe
  Registry keys opened by vbc.exe (each key is listed twice in the report):
    \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
    \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
    \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

- Looks up external IP address via web service (4 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Network flows:
    flow 22  checkip.dyndns.org
    flow 24  freegeoip.app
    flow 25  freegeoip.app
    flow 28  freegeoip.app

- Suspicious use of SetThreadContext (2 IoCs)
  Processes: Sample_10120351200_ISO_035117img.exe, update.exe
    PID 480 (Sample_10120351200_ISO_035117img.exe) set thread context of PID 676 (vbc.exe)
    PID 2952 (update.exe) set thread context of PID 2032 (vbc.exe)

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

- Creates scheduled task(s) (1 TTP, 2 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.

- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes:
    PID 676   vbc.exe
    PID 2032  vbc.exe

- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  Processes (Token: SeDebugPrivilege):
    PID 480   Sample_10120351200_ISO_035117img.exe
    PID 676   vbc.exe
    PID 2952  update.exe
    PID 2032  vbc.exe

- Suspicious use of WriteProcessMemory (34 IoCs)
  Processes: Sample_10120351200_ISO_035117img.exe, cmd.exe, update.exe, cmd.exe
  Writes (source PID and process -> target PID and process; number of entries in the report in parentheses):
    480 Sample_10120351200_ISO_035117img.exe -> 676 vbc.exe    (8)
    480 Sample_10120351200_ISO_035117img.exe -> 1020 cmd.exe   (3)
    480 Sample_10120351200_ISO_035117img.exe -> 1452 cmd.exe   (3)
    1020 cmd.exe -> 820 schtasks.exe                           (3)
    2952 update.exe -> 2032 vbc.exe                            (8)
    2952 update.exe -> 2344 cmd.exe                            (3)
    2952 update.exe -> 3572 cmd.exe                            (3)
    2344 cmd.exe -> 3140 schtasks.exe                          (3)

- outlook_office_path (1 IoC)
  Process: vbc.exe
    Key opened \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

- outlook_win_path (1 IoC)
  Process: vbc.exe
    Key opened \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Processes

- C:\Users\Admin\AppData\Local\Temp\Sample_10120351200_ISO_035117img.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Sample_10120351200_ISO_035117img.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
    - Accesses Microsoft Outlook profiles
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c schtasks /create /sc minute /mo 1 /tn "Nano" /tr "'C:\Users\Admin\AppData\Roaming\update\update.exe'" /f
    - Suspicious use of WriteProcessMemory

    - C:\Windows\SysWOW64\schtasks.exe
      Command line: schtasks /create /sc minute /mo 1 /tn "Nano" /tr "'C:\Users\Admin\AppData\Roaming\update\update.exe'" /f
      - Creates scheduled task(s)

  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\AppData\Local\Temp\Sample_10120351200_ISO_035117img.exe" "C:\Users\Admin\AppData\Roaming\update\update.exe"

- C:\Users\Admin\AppData\Roaming\update\update.exe
  Command line: C:\Users\Admin\AppData\Roaming\update\update.exe
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
    - Accesses Microsoft Outlook profiles
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path

  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c schtasks /create /sc minute /mo 1 /tn "Nano" /tr "'C:\Users\Admin\AppData\Roaming\update\update.exe'" /f
    - Suspicious use of WriteProcessMemory

    - C:\Windows\SysWOW64\schtasks.exe
      Command line: schtasks /create /sc minute /mo 1 /tn "Nano" /tr "'C:\Users\Admin\AppData\Roaming\update\update.exe'" /f
      - Creates scheduled task(s)

  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\AppData\Roaming\update\update.exe" "C:\Users\Admin\AppData\Roaming\update\update.exe"
Downloads
- C:\Users\Admin\AppData\Roaming\update\update.exe
  MD5     0d20e6334179eeadad75c218d0d9dca2
  SHA1    ab19c8e05121be1bfed70591477610cd12e066ab
  SHA256  8b94440478e3c9fd0991d121ef5ab7144425da4b074a65d93fd9111a515c0b8e
  SHA512  3f5672aafefbaf9156a0cda170360eb5fa43e1907e7966c041c2f870a2af0494bc9315c57fb85840ce3e7b4c02c7bfe5b85c023d8759c26da5605a0762d800fd
- memory/480-117-0x00000000051E0000-0x00000000051E1000-memory.dmp  (4KB)
- memory/480-118-0x0000000004CE0000-0x0000000004CE1000-memory.dmp  (4KB)
- memory/480-119-0x0000000004D80000-0x0000000004D81000-memory.dmp  (4KB)
- memory/480-120-0x0000000004CD0000-0x0000000004CD1000-memory.dmp  (4KB)
- memory/480-121-0x0000000005060000-0x0000000005061000-memory.dmp  (4KB)
- memory/480-115-0x0000000001060000-0x0000000001061000-memory.dmp  (4KB)
- memory/676-122-0x0000000000400000-0x0000000000426000-memory.dmp  (152KB)
- memory/676-124-0x0000000004DC0000-0x0000000004DC1000-memory.dmp  (4KB)
- memory/676-126-0x0000000004DC0000-0x0000000004DC1000-memory.dmp  (4KB)
- memory/676-130-0x0000000009620000-0x0000000009621000-memory.dmp  (4KB)
- memory/676-131-0x0000000009540000-0x0000000009A3E000-memory.dmp  (5.0MB)
- memory/676-125-0x0000000004DC0000-0x0000000004DC1000-memory.dmp  (4KB)
- memory/676-123-0x00000000004203FE-mapping.dmp
- memory/676-135-0x0000000004DC0000-0x0000000004DC1000-memory.dmp  (4KB)
- memory/820-134-0x0000000000000000-mapping.dmp
- memory/1020-132-0x0000000000000000-mapping.dmp
- memory/1452-133-0x0000000000000000-mapping.dmp
- memory/2032-860-0x00000000004203FE-mapping.dmp
- memory/2032-1463-0x0000000009750000-0x0000000009C4E000-memory.dmp  (5.0MB)
- memory/2344-868-0x0000000000000000-mapping.dmp
- memory/2952-858-0x0000000000EB0000-0x0000000000EB1000-memory.dmp  (4KB)
- memory/3140-870-0x0000000000000000-mapping.dmp
- memory/3572-869-0x0000000000000000-mapping.dmp