Analysis
- max time kernel: 133s
- max time network: 144s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 06-07-2022 20:31
Static task: static1
Behavioral task: behavioral1
  Sample: FINAL BL.pdf.exe
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: FINAL BL.pdf.exe
  Resource: win10v2004-20220414-en
General
- Target: FINAL BL.pdf.exe
- Size: 422KB
- MD5: 9a903c6a1df5616594b6d64f6860fe37
- SHA1: fad9c0dcce2c0be8617a016baa1bc8326a6c62f0
- SHA256: 4e0576bfe816a475d0a0e38a9c7456f8742d12f0c5a44a2244900214c37ad7e4
- SHA512: e3b01982cadda9c864a0b68eef6955f632553bd1dc72a0e81191f26d1fd434544c81c02dfc925f856e178de776f3ef58840007fa77fbba9dad7bafbe13b3e419
Malware Config
- Extracted family: snakekeylogger
- Extracted URL: https://api.telegram.org/bot1507062795:AAEBb0H5OYbp-dWwXk8ffQp0InjOhKxhpbU/sendMessage?chat_id=1663822858
Signatures

- Snake Keylogger
  Keylogger and Infostealer first seen in November 2020.

- Snake Keylogger Payload (1 IoC)
  Processes:
    resource: behavioral2/memory/4628-138-0x0000000000400000-0x0000000000426000-memory.dmp
    yara_rule: family_snakekeylogger

- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes:
    description: Key value queried
    ioc: \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation
    process: FINAL BL.pdf.exe

- Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes:
    flow: 29
    ioc: checkip.dyndns.org

- Suspicious use of SetThreadContext (1 IoC)
  Processes:
    description: PID 3156 set thread context of 4628
    pid: 3156
    process: FINAL BL.pdf.exe
    target process: FINAL BL.pdf.exe

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

- Program crash (1 IoC)
  Processes:
    pid: 2816
    pid_target: 4628
    process: WerFault.exe
    target process: FINAL BL.pdf.exe

- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.

- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes:
    pid 3156: FINAL BL.pdf.exe
    pid 4628: FINAL BL.pdf.exe

- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes:
    Token: SeDebugPrivilege, pid 3156, FINAL BL.pdf.exe
    Token: SeDebugPrivilege, pid 4628, FINAL BL.pdf.exe

- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes:
    PID 3156 (FINAL BL.pdf.exe) wrote to memory of 1272 (schtasks.exe): 3 identical entries
    PID 3156 (FINAL BL.pdf.exe) wrote to memory of 4628 (FINAL BL.pdf.exe): 8 identical entries
Processes

- [depth 1] C:\Users\Admin\AppData\Local\Temp\FINAL BL.pdf.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\FINAL BL.pdf.exe"
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  - [depth 2] C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\SSHnkqdBlPISZ" /XML "C:\Users\Admin\AppData\Local\Temp\tmpEE1E.tmp"
    - Creates scheduled task(s)

  - [depth 2] C:\Users\Admin\AppData\Local\Temp\FINAL BL.pdf.exe
    Command line: "{path}"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

    - [depth 3] C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4628 -s 1536
      - Program crash

- [depth 1] C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4628 -ip 4628
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\FINAL BL.pdf.exe.log
  Filesize: 1KB
  MD5: 84e77a587d94307c0ac1357eb4d3d46f
  SHA1: 83cc900f9401f43d181207d64c5adba7a85edc1e
  SHA256: e16024b092a026a9dc00df69d4b9bbcab7b2dc178dc5291fc308a1abc9304a99
  SHA512: aefb5c62200b3ed97718d20a89990954d4d8acdc0a6a73c5a420f1bba619cb79e70c2cd0a579b9f52dc6b09e1de2cea6cd6cac4376cfee92d94e2c01d310f691

- C:\Users\Admin\AppData\Local\Temp\tmpEE1E.tmp
  Filesize: 1KB
  MD5: 8fba6e8e95aae9f03865b7702f6de943
  SHA1: 5b01f04126d1f9e689628dcb4e3e61c3e600dcfb
  SHA256: 344c4dd12ede44a57269d93273f53e398c02c4aa13aaf815b10b0e9fcdc93807
  SHA512: 19cff4b5fc90c852f6d033574ebcbc2ad284273d8be8973486e2f786d7affb860109798b9d8ac4b2aa3700a22523d8b6e9bbe65459c68f944e7df277f3d1adc9

- memory/1272-135-0x0000000000000000-mapping.dmp

- memory/3156-130-0x0000000000A20000-0x0000000000A90000-memory.dmp
  Filesize: 448KB

- memory/3156-131-0x0000000005B70000-0x0000000006114000-memory.dmp
  Filesize: 5.6MB

- memory/3156-132-0x0000000005470000-0x0000000005502000-memory.dmp
  Filesize: 584KB

- memory/3156-133-0x0000000005510000-0x00000000055AC000-memory.dmp
  Filesize: 624KB

- memory/3156-134-0x0000000005420000-0x000000000542A000-memory.dmp
  Filesize: 40KB

- memory/4628-137-0x0000000000000000-mapping.dmp

- memory/4628-138-0x0000000000400000-0x0000000000426000-memory.dmp
  Filesize: 152KB