Analysis

max time kernel: 98s
max time network: 144s
platform: windows10-2004_x64
resource: win10v2004-20220414-en
submitted: 21-05-2022 00:50

Static task: static1
Behavioral task: behavioral1
  Sample: PO. 4500129645.pdf.exe
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: PO. 4500129645.pdf.exe
  Resource: win10v2004-20220414-en
General

Target: PO. 4500129645.pdf.exe
Size: 549KB
MD5: f7c5e33a5643b753e390d04823584f71
SHA1: 62b46991b702107cd1ee9871b1c1a417a3346616
SHA256: dee9479a27f8281c61fa8e25f006e01087e5dabad181cdb262bd8e9f4696e851
SHA512: c871b0597199f11b5273359b5de4d314517b1c226f99542f676f61b230b35e6dc1633356fa2cf016567757ef59cb01d8f408cf542f38aa19fd1b13e00652d94a
Malware Config

Extracted
  Family: snakekeylogger
  Exfiltration URL: https://api.telegram.org/bot5392870078:AAEZf0ajeo_PMkBddeC_JE--NP4u4367N6c/sendMessage?chat_id=1856108848
  The URL carries both the Telegram bot token (the bot<id>:<secret> path segment) and the operator's chat_id, so stolen data goes straight to the operator through the Bot API sendMessage method. The bot id and chat_id are the pivot points for this sample; the token itself is a credential and should not be reused against the API.
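Snake Keylogger builds are .NET, so the exfil URL above sits in memory as a UTF-16LE System.String and is easy to miss with an ASCII-only strings pass. The following is an added example, not part of this report or of the malware's code: a Python scanner that pulls Telegram Bot API sendMessage URLs out of a raw memory dump in both ASCII and UTF-16LE form, splits them into bot id, chat_id and a redacted token, and reports the byte offset. The dump bytes, the bot id 1234567890, the token and the chat_id 1000000001 are constructed placeholders, not values from this sample.

```python
import re
from dataclasses import dataclass

# Shape of the exfil URL recovered from this family's config:
#   https://api.telegram.org/bot<bot_id>:<token>/sendMessage?chat_id=<chat_id>
_PATTERN = (r"https?://api\.telegram\.org/bot(?P<bot_id>\d+):(?P<token>[A-Za-z0-9_-]{30,})"
            r"/sendMessage\?chat_id=(?P<chat_id>-?\d+)")
_RE_BYTES = re.compile(_PATTERN.encode())
_RE_TEXT = re.compile(_PATTERN)
# A run of printable ASCII interleaved with NULs is a UTF-16LE string; the bytes
# regex scans every byte offset, so odd-aligned strings are found as well.
_UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){16,}")


@dataclass(frozen=True)
class TelegramExfil:
    bot_id: str
    token_redacted: str
    chat_id: str
    encoding: str   # "ascii" or "utf-16le"
    offset: int     # byte offset of the URL inside the dump


def redact(token: str) -> str:
    """Keep just enough of the token to correlate reports without repeating the secret."""
    return f"{token[:4]}...{token[-4:]}"


def find_telegram_exfil(dump: bytes) -> list[TelegramExfil]:
    """Return every Telegram sendMessage exfil URL found in the dump, sorted by offset."""
    hits = []
    for m in _RE_BYTES.finditer(dump):
        hits.append(TelegramExfil(m["bot_id"].decode(), redact(m["token"].decode()),
                                  m["chat_id"].decode(), "ascii", m.start()))
    for run in _UTF16_RUN.finditer(dump):
        text = run.group().decode("utf-16-le")
        for m in _RE_TEXT.finditer(text):
            # each decoded character is exactly two bytes inside a pure-ASCII run
            hits.append(TelegramExfil(m["bot_id"], redact(m["token"]), m["chat_id"],
                                      "utf-16le", run.start() + 2 * m.start()))
    return sorted(hits, key=lambda h: h.offset)


# Constructed sample dump (placeholder bot id, token and chat_id; not this sample's values).
PLACEHOLDER_URL = ("https://api.telegram.org/bot1234567890:AAExampleTokenNotReal_000000000000000"
                   "/sendMessage?chat_id=1000000001")
SAMPLE_DUMP = (b"\x00" * 16 + b"junk" + b"\x00"          # pushes the string onto an odd offset
               + PLACEHOLDER_URL.encode("utf-16-le")      # as .NET holds it in memory
               + b"\xff" * 8
               + PLACEHOLDER_URL.encode("ascii") + b"\x00\x00")

if __name__ == "__main__":
    for hit in find_telegram_exfil(SAMPLE_DUMP):
        print(f"{hit.offset:#010x} {hit.encoding:8} bot={hit.bot_id} "
              f"chat_id={hit.chat_id} token={hit.token_redacted}")
```

Run it against the 3908-142 region dump (0x400000-0x426000) from this report to recover the configuration without executing the sample; the bot id is what to search other reports for, since operators reuse bots across campaigns far more often than they reuse a chat_id.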
Signatures

Snake Keylogger
  Keylogger and Infostealer first seen in November 2020.

Snake Keylogger Payload (1 IoC)
  behavioral2/memory/3908-142-0x0000000000400000-0x0000000000426000-memory.dmp  matches YARA rule family_snakekeylogger

Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Process: PO. 4500129645.pdf.exe
  Key value queried: \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation

Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Flow 43: checkip.dyndns.org

Suspicious use of SetThreadContext (1 IoC)
  PID 432 (PO. 4500129645.pdf.exe) set thread context of PID 3908 (PO. 4500129645.pdf.exe)
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The sandbox's generic description labels this "likely ransomware behaviour"; for this sample it is consistent with an infostealer enumerating drives, and the report records no file encryption or ransom-note activity.
Program crash (1 IoC)
  WerFault.exe (PID 4920) handled a crash of PID 3908 (PO. 4500129645.pdf.exe)

Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.

Suspicious behavior: EnumeratesProcesses (10 IoCs)
  PID 432 PO. 4500129645.pdf.exe (7 events)
  PID 3908 PO. 4500129645.pdf.exe (1 event)
  PID 2184 powershell.exe (2 events)

Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Token: SeDebugPrivilege  PID 432 PO. 4500129645.pdf.exe
  Token: SeDebugPrivilege  PID 3908 PO. 4500129645.pdf.exe
  Token: SeDebugPrivilege  PID 2184 powershell.exe

Suspicious use of WriteProcessMemory (14 IoCs)
  PID 432 PO. 4500129645.pdf.exe wrote to memory of PID 2184 powershell.exe (3 events)
  PID 432 PO. 4500129645.pdf.exe wrote to memory of PID 1076 schtasks.exe (3 events)
  PID 432 PO. 4500129645.pdf.exe wrote to memory of PID 3908 PO. 4500129645.pdf.exe (8 events)
Processes

C:\Users\Admin\AppData\Local\Temp\PO. 4500129645.pdf.exe  (PID 432)
  "C:\Users\Admin\AppData\Local\Temp\PO. 4500129645.pdf.exe"
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  (PID 2184, child of 432)
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\PBsoYnOH.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\schtasks.exe  (PID 1076, child of 432)
    "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\PBsoYnOH" /XML "C:\Users\Admin\AppData\Local\Temp\tmp18E2.tmp"
    - Creates scheduled task(s)

  C:\Users\Admin\AppData\Local\Temp\PO. 4500129645.pdf.exe  (PID 3908, child of 432)
    "C:\Users\Admin\AppData\Local\Temp\PO. 4500129645.pdf.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\WerFault.exe  (PID 4920, child of 3908)
      C:\Windows\SysWOW64\WerFault.exe -u -p 3908 -s 1476
      - Program crash

C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3908 -ip 3908

Reading the tree: PID 432 is the first stage. It adds a Defender exclusion for C:\Users\Admin\AppData\Roaming\PBsoYnOH.exe, registers the scheduled task Updates\PBsoYnOH from an XML definition written to Temp (the same PBsoYnOH name appears in both, so the exclusion covers the persisted copy the task is meant to launch), and then starts a second copy of itself (PID 3908), writes into it and sets its thread context. That write-then-SetThreadContext sequence on a suspended self-spawned child is the process hollowing pattern, and the family YARA match lands on the child's 0x400000-0x426000 image region, i.e. the unpacked Snake Keylogger payload runs in PID 3908. The child later crashed and was handled by WerFault. The image paths resolve to SysWOW64 while the command lines name System32 because the sample is a 32-bit process and the WOW64 file-system redirector rewrites its System32 references.
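The three child launches in the tree (a Defender exclusion via Add-MpPreference, schtasks /Create importing an XML from Temp, and a same-image child spawned from a user-writable path) are each individually noisy but together form a chain that is rarely benign. As an added example, not part of this report, here is a Python detector that runs over constructed Sysmon Event ID 1 style process-creation records modelled on the tree above and attributes each behaviour to the parent that launched it, then flags any parent whose children show two or more of them. The PIDs, paths and command lines of the malicious events mirror the report; the parent PID 5000, the benign schtasks event under PID 7000 and the ProcEvent record shape are assumptions.

```python
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation record (Sysmon Event ID 1 / 4688 shape, simplified; assumed)."""
    pid: int
    ppid: int
    image: str      # full path of the created process
    cmdline: str    # command line as logged


# Paths a legitimate installer rarely relaunches the same binary from.
USER_WRITABLE = re.compile(r"\\(AppData\\(Local|Roaming)|Temp|Downloads|Users\\Public)\\", re.I)
# Defender exclusion added from the command line; captures the excluded value.
DEFENDER_EXCL = re.compile(
    r"Add-MpPreference\b.*?-Exclusion(?:Path|Process|Extension)\s+\"?([^\"]+)\"?", re.I)
# schtasks /Create importing a task definition from an XML file.
SCHTASKS_XML = re.compile(r"/XML\s+(?:\"([^\"]+)\"|(\S+))", re.I)
SCHTASKS_TN = re.compile(r"/TN\s+(?:\"([^\"]+)\"|(\S+))", re.I)


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return {parent_pid: [(kind, detail), ...]} for the staging behaviours,
    attributed to the process that launched the child."""
    by_pid = {e.pid: e for e in events}
    findings = defaultdict(list)
    for e in events:
        name = _basename(e.image)
        parent = by_pid.get(e.ppid)
        if name == "powershell.exe":
            m = DEFENDER_EXCL.search(e.cmdline)
            if m:
                findings[e.ppid].append(("defender_exclusion", m.group(1)))
        elif name == "schtasks.exe" and "/create" in e.cmdline.lower():
            xml = SCHTASKS_XML.search(e.cmdline)
            path = (xml.group(1) or xml.group(2)) if xml else ""
            if re.search(r"\\Temp\\", path, re.I):
                tn = SCHTASKS_TN.search(e.cmdline)
                task = (tn.group(1) or tn.group(2)) if tn else "?"
                findings[e.ppid].append(("schtasks_xml_from_temp", task))
        # Same image as the parent, launched from a user-writable directory:
        # the child is the usual hollowing target for a self-injecting loader.
        if parent and parent.image.lower() == e.image.lower() and USER_WRITABLE.search(e.image):
            findings[e.ppid].append(("self_spawn_user_writable", e.image))
    return dict(findings)


def staging_chains(findings, min_kinds=2):
    """Parent PIDs whose children show at least `min_kinds` distinct behaviours."""
    return sorted(p for p, f in findings.items() if len({k for k, _ in f}) >= min_kinds)


# Constructed records modelled on the report's process tree (ppid 5000 and the
# benign schtasks under ppid 7000 are invented for the example).
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\PO. 4500129645.pdf.exe"
EVENTS = [
    ProcEvent(432, 5000, SAMPLE, f'"{SAMPLE}"'),
    ProcEvent(2184, 432, r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
              r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference '
              r'-ExclusionPath "C:\Users\Admin\AppData\Roaming\PBsoYnOH.exe"'),
    ProcEvent(1076, 432, r"C:\Windows\SysWOW64\schtasks.exe",
              r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\PBsoYnOH" '
              r'/XML "C:\Users\Admin\AppData\Local\Temp\tmp18E2.tmp"'),
    ProcEvent(3908, 432, SAMPLE, f'"{SAMPLE}"'),
    ProcEvent(4920, 3908, r"C:\Windows\SysWOW64\WerFault.exe",
              r"C:\Windows\SysWOW64\WerFault.exe -u -p 3908 -s 1476"),
    ProcEvent(7001, 7000, r"C:\Windows\System32\schtasks.exe",
              r'schtasks.exe /Create /TN "Backup\Nightly" /XML "C:\ProgramData\Backup\nightly.xml"'),
]

if __name__ == "__main__":
    found = detect(EVENTS)
    for ppid, items in found.items():
        for kind, detail in items:
            print(f"parent {ppid}: {kind} -> {detail}")
    print("staging chains:", staging_chains(found))
```

Each rule on its own would page on admin activity (exclusions are added by deployment scripts, tasks are imported from XML by installers); the correlation by parent PID is what makes the alert worth a human's time, and the WerFault child of 3908 shows that unrelated children do not add noise to the chain.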
Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\PO. 4500129645.pdf.exe.log
  (CLR usage log: the sample runs under the 32-bit .NET Framework 4 runtime)
  Filesize: 1KB
  MD5: 8323fae9fbc8238dfd3efdc87ac3534c
  SHA1: d88623828a38d6b528963a32902c9f336a08942e
  SHA256: 1ccd81d339d51696fa8569e0ea179873452e8aa087b14a397538cda74996fe00
  SHA512: 9a50d78360761b85c2b49fd2959744c004a74600ffef5756391fec0f02c8aafc6061a028518808693297f03e9fc65067e3d4b29d876ed70eb8e2ad9094d246c3

C:\Users\Admin\AppData\Local\Temp\tmp18E2.tmp
  (scheduled task definition imported by schtasks /XML for Updates\PBsoYnOH)
  Filesize: 1KB
  MD5: d1a49647afa03f370e30e335fd5c5862
  SHA1: 8e0b3227b9e9fddedf7d0d1d4916ffab9d5a71ae
  SHA256: f8040e2e72a118eecf02f552a2d441c93a654d9c7676adf3ffd0e6031444fc80
  SHA512: ae98b79d872eb2b2fdec3572a3e1cba89661ec6e70bfe11a85030e7fb144df504989042311e7177708982ed2c3f77b798412bbef5663a81d92da85a5bcbb6341

Memory dumps (behavioral2)
  memory/432-130-0x00000000002E0000-0x000000000036E000-memory.dmp   568KB
  memory/432-131-0x0000000005230000-0x00000000057D4000-memory.dmp   5.6MB
  memory/432-132-0x0000000004D20000-0x0000000004DB2000-memory.dmp   584KB
  memory/432-133-0x0000000004D10000-0x0000000004D1A000-memory.dmp   40KB
  memory/432-134-0x0000000004FC0000-0x000000000505C000-memory.dmp   624KB
  memory/432-135-0x0000000007900000-0x0000000007966000-memory.dmp   408KB
  memory/1076-137-0x0000000000000000-mapping.dmp
  memory/2184-136-0x0000000000000000-mapping.dmp
  memory/2184-138-0x00000000028A0000-0x00000000028D6000-memory.dmp  216KB
  memory/2184-140-0x00000000054D0000-0x0000000005AF8000-memory.dmp  6.2MB
  memory/2184-144-0x00000000052E0000-0x0000000005302000-memory.dmp  136KB
  memory/2184-145-0x0000000005380000-0x00000000053E6000-memory.dmp  408KB
  memory/2184-146-0x00000000060A0000-0x00000000060BE000-memory.dmp  120KB
  memory/2184-147-0x0000000006780000-0x00000000067B2000-memory.dmp  200KB
  memory/2184-148-0x0000000070DB0000-0x0000000070DFC000-memory.dmp  304KB
  memory/2184-149-0x0000000006760000-0x000000000677E000-memory.dmp  120KB
  memory/2184-150-0x0000000007B00000-0x000000000817A000-memory.dmp  6.5MB
  memory/2184-151-0x00000000074C0000-0x00000000074DA000-memory.dmp  104KB
  memory/2184-152-0x0000000007530000-0x000000000753A000-memory.dmp  40KB
  memory/2184-153-0x0000000007740000-0x00000000077D6000-memory.dmp  600KB
  memory/2184-154-0x0000000006210000-0x000000000621E000-memory.dmp  56KB
  memory/2184-155-0x0000000007800000-0x000000000781A000-memory.dmp  104KB
  memory/2184-156-0x00000000077E0000-0x00000000077E8000-memory.dmp  32KB
  memory/3908-141-0x0000000000000000-mapping.dmp
  memory/3908-142-0x0000000000400000-0x0000000000426000-memory.dmp  152KB  (image-base region of the hollowed child; this is the dump that matched family_snakekeylogger)