Analysis
-
max time kernel
123s -
max time network
127s -
platform
windows10_x64 -
resource
win10-en-20211104 -
submitted
07-12-2021 17:00
Static task
static1
Behavioral task
behavioral1
Sample
Dekont Swift Mesaji.exe
Resource
win7-en-20211104
Behavioral task
behavioral2
Sample
Dekont Swift Mesaji.exe
Resource
win10-en-20211104
General
-
Target
Dekont Swift Mesaji.exe
-
Size
970KB
-
MD5
7dd3654a64ae8c4b4a1b34376ca00e97
-
SHA1
cf22f0375784b414f4ffd3c8044d7d9aad0c78da
-
SHA256
3f21db9d14aeead42447a3da72e51971ff0eaf006919824b02416bc0943ad551
-
SHA512
962b58e2f1ef564964f19c6500489a6ffa6dc22b67128dbf8ba1e8c64a60dbea4162be57c65f3fd93b5e8cc05857a9a212bcaa4c4730fe2b4a155083932a5f29
Malware Config
Extracted
snakekeylogger
Protocol: smtp- Host:
mail.eriminsaat.com.tr - Port:
587 - Username:
ercanerol@eriminsaat.com.tr - Password:
ercan932016erim
Signatures
-
Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
Processes:
Dekont Swift Mesaji.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Dekont Swift Mesaji.exe Key opened \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Dekont Swift Mesaji.exe Key opened \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Dekont Swift Mesaji.exe -
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 31 freegeoip.app 27 checkip.dyndns.org 30 freegeoip.app -
Suspicious use of SetThreadContext 1 IoCs
Processes:
Dekont Swift Mesaji.exedescription pid process target process PID 4208 set thread context of 3192 4208 Dekont Swift Mesaji.exe Dekont Swift Mesaji.exe -
Suspicious behavior: EnumeratesProcesses 3 IoCs
Processes:
Dekont Swift Mesaji.exeDekont Swift Mesaji.exepid process 4208 Dekont Swift Mesaji.exe 4208 Dekont Swift Mesaji.exe 3192 Dekont Swift Mesaji.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
Dekont Swift Mesaji.exeDekont Swift Mesaji.exedescription pid process Token: SeDebugPrivilege 4208 Dekont Swift Mesaji.exe Token: SeDebugPrivilege 3192 Dekont Swift Mesaji.exe -
Suspicious use of WriteProcessMemory 11 IoCs
Processes:
Dekont Swift Mesaji.exedescription pid process target process PID 4208 wrote to memory of 4560 4208 Dekont Swift Mesaji.exe Dekont Swift Mesaji.exe PID 4208 wrote to memory of 4560 4208 Dekont Swift Mesaji.exe Dekont Swift Mesaji.exe PID 4208 wrote to memory of 4560 4208 Dekont Swift Mesaji.exe Dekont Swift Mesaji.exe PID 4208 wrote to memory of 3192 4208 Dekont Swift Mesaji.exe Dekont Swift Mesaji.exe PID 4208 wrote to memory of 3192 4208 Dekont Swift Mesaji.exe Dekont Swift Mesaji.exe PID 4208 wrote to memory of 3192 4208 Dekont Swift Mesaji.exe Dekont Swift Mesaji.exe PID 4208 wrote to memory of 3192 4208 Dekont Swift Mesaji.exe Dekont Swift Mesaji.exe PID 4208 wrote to memory of 3192 4208 Dekont Swift Mesaji.exe Dekont Swift Mesaji.exe PID 4208 wrote to memory of 3192 4208 Dekont Swift Mesaji.exe Dekont Swift Mesaji.exe PID 4208 wrote to memory of 3192 4208 Dekont Swift Mesaji.exe Dekont Swift Mesaji.exe PID 4208 wrote to memory of 3192 4208 Dekont Swift Mesaji.exe Dekont Swift Mesaji.exe -
outlook_office_path 1 IoCs
Processes:
Dekont Swift Mesaji.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Dekont Swift Mesaji.exe -
outlook_win_path 1 IoCs
Processes:
Dekont Swift Mesaji.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Dekont Swift Mesaji.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\Dekont Swift Mesaji.exe"C:\Users\Admin\AppData\Local\Temp\Dekont Swift Mesaji.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Dekont Swift Mesaji.exe"C:\Users\Admin\AppData\Local\Temp\Dekont Swift Mesaji.exe"2⤵
-
C:\Users\Admin\AppData\Local\Temp\Dekont Swift Mesaji.exe"C:\Users\Admin\AppData\Local\Temp\Dekont Swift Mesaji.exe"2⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Dekont Swift Mesaji.exe.logMD5
f1181bc4bdff57024c4121f645548332
SHA1d431ee3a3a5afcae2c4537b1d445054a0a95f6e6
SHA256f1a7e138b25d0cb24bb4b23bd781b0dd357afd49d45e19ffa44cdb80170336ad
SHA512cf8059f289bcb4f33e82a2c4851fade486bd449793a39718d49bc357efd09689150aedd277c5ebcf79b5ebb4bbe36f0cbb72510a50398bee804ffd9c889604e3
-
memory/3192-128-0x0000000000400000-0x0000000000426000-memory.dmpFilesize
152KB
-
memory/3192-137-0x00000000050C0000-0x00000000055BE000-memory.dmpFilesize
5.0MB
-
memory/3192-135-0x0000000006490000-0x0000000006491000-memory.dmpFilesize
4KB
-
memory/3192-129-0x000000000042046E-mapping.dmp
-
memory/4208-122-0x00000000052D0000-0x00000000052D1000-memory.dmpFilesize
4KB
-
memory/4208-125-0x0000000007750000-0x0000000007751000-memory.dmpFilesize
4KB
-
memory/4208-126-0x0000000007AC0000-0x0000000007AC1000-memory.dmpFilesize
4KB
-
memory/4208-127-0x0000000007B60000-0x0000000007C6A000-memory.dmpFilesize
1.0MB
-
memory/4208-124-0x00000000053B0000-0x00000000053B5000-memory.dmpFilesize
20KB
-
memory/4208-123-0x0000000005190000-0x000000000568E000-memory.dmpFilesize
5.0MB
-
memory/4208-118-0x0000000000900000-0x0000000000901000-memory.dmpFilesize
4KB
-
memory/4208-121-0x0000000005230000-0x0000000005231000-memory.dmpFilesize
4KB
-
memory/4208-120-0x0000000005690000-0x0000000005691000-memory.dmpFilesize
4KB