Analysis

- Max time kernel: 87s
- Max time network: 129s
- Platform: windows7_x64
- Resource: win7-20220414-en
- Submitted: 21-05-2022 00:50

Tasks

- Static task: static1
- Behavioral task behavioral1: sample PO. 4500129645.pdf.exe, resource win7-20220414-en
- Behavioral task behavioral2: sample PO. 4500129645.pdf.exe, resource win10v2004-20220414-en
General

- Target: PO. 4500129645.pdf.exe
- Size: 549KB
- MD5: f7c5e33a5643b753e390d04823584f71
- SHA1: 62b46991b702107cd1ee9871b1c1a417a3346616
- SHA256: dee9479a27f8281c61fa8e25f006e01087e5dabad181cdb262bd8e9f4696e851
- SHA512: c871b0597199f11b5273359b5de4d314517b1c226f99542f676f61b230b35e6dc1633356fa2cf016567757ef59cb01d8f408cf542f38aa19fd1b13e00652d94a
Malware Config

- Extracted family: snakekeylogger
- Extracted URL: https://api.telegram.org/bot5392870078:AAEZf0ajeo_PMkBddeC_JE--NP4u4367N6c/sendMessage?chat_id=1856108848
Signatures

- Snake Keylogger
  Keylogger and Infostealer first seen in November 2020.

- Snake Keylogger Payload (6 IoCs)
  Processes:
  resource | yara_rule
  behavioral1/memory/1876-67-0x0000000000400000-0x0000000000426000-memory.dmp | family_snakekeylogger
  behavioral1/memory/1876-69-0x0000000000400000-0x0000000000426000-memory.dmp | family_snakekeylogger
  behavioral1/memory/1876-70-0x0000000000400000-0x0000000000426000-memory.dmp | family_snakekeylogger
  behavioral1/memory/1876-71-0x000000000042039E-mapping.dmp | family_snakekeylogger
  behavioral1/memory/1876-73-0x0000000000400000-0x0000000000426000-memory.dmp | family_snakekeylogger
  behavioral1/memory/1876-75-0x0000000000400000-0x0000000000426000-memory.dmp | family_snakekeylogger

- Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.

- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk where infostealers will often target it.

- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

- Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
  Processes: PO. 4500129645.pdf.exe
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | PO. 4500129645.pdf.exe
  Key opened | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | PO. 4500129645.pdf.exe
  Key opened | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | PO. 4500129645.pdf.exe

- Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes:
  flow | ioc
  4 | checkip.dyndns.org

- Suspicious use of SetThreadContext (1 IoC)
  Processes: PO. 4500129645.pdf.exe
  description | pid | process | target process
  PID 1944 set thread context of 1876 | 1944 | PO. 4500129645.pdf.exe | PO. 4500129645.pdf.exe

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.

- Suspicious behavior: EnumeratesProcesses (6 IoCs)
  Processes: PO. 4500129645.pdf.exe, PO. 4500129645.pdf.exe, powershell.exe
  pid | process | events
  1944 | PO. 4500129645.pdf.exe | 4
  1876 | PO. 4500129645.pdf.exe | 1
  1724 | powershell.exe | 1

- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes: PO. 4500129645.pdf.exe, PO. 4500129645.pdf.exe, powershell.exe
  description | pid | process
  Token: SeDebugPrivilege | 1944 | PO. 4500129645.pdf.exe
  Token: SeDebugPrivilege | 1876 | PO. 4500129645.pdf.exe
  Token: SeDebugPrivilege | 1724 | powershell.exe

- Suspicious use of WriteProcessMemory (17 IoCs)
  Processes: PO. 4500129645.pdf.exe
  description | pid | process | target process | events
  PID 1944 wrote to memory of 1724 | 1944 | PO. 4500129645.pdf.exe | powershell.exe | 4
  PID 1944 wrote to memory of 1628 | 1944 | PO. 4500129645.pdf.exe | schtasks.exe | 4
  PID 1944 wrote to memory of 1876 | 1944 | PO. 4500129645.pdf.exe | PO. 4500129645.pdf.exe | 9

- outlook_office_path (1 IoC)
  Processes: PO. 4500129645.pdf.exe
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | PO. 4500129645.pdf.exe

- outlook_win_path (1 IoC)
  Processes: PO. 4500129645.pdf.exe
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | PO. 4500129645.pdf.exe
Processes

- C:\Users\Admin\AppData\Local\Temp\PO. 4500129645.pdf.exe (PID 1944)
  Command line: "C:\Users\Admin\AppData\Local\Temp\PO. 4500129645.pdf.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 1724, child of 1944)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\PBsoYnOH.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  - C:\Windows\SysWOW64\schtasks.exe (PID 1628, child of 1944)
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\PBsoYnOH" /XML "C:\Users\Admin\AppData\Local\Temp\tmpCE29.tmp"
    - Creates scheduled task(s)

  - C:\Users\Admin\AppData\Local\Temp\PO. 4500129645.pdf.exe (PID 1876, child of 1944)
    Command line: "C:\Users\Admin\AppData\Local\Temp\PO. 4500129645.pdf.exe"
    - Accesses Microsoft Outlook profiles
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path
Downloads

- C:\Users\Admin\AppData\Local\Temp\tmpCE29.tmp
  Filesize: 1KB
  MD5: 3293a96f3bee20c84c5c82ad35565ecc
  SHA1: be6a6b548171dfa93895c3c07d9cd82ac3354399
  SHA256: 90c5812524f7a897cddb41c3c67289fcb6ef981f4ad4149db61ded93b9cc8d2d
  SHA512: 0604474bc575472f2031cf6c187da1c6ef059cab75b7ab9367460c3b0b69069db506abbc30877906fca484da0fad74f258934f633061e102f4b687892c68b62e