Analysis
- max time kernel: 158s
- max time network: 170s
- platform: windows10-2004_x64
- resource: win10v2004-20230220-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 05/05/2023, 20:54
Static task
- static1
Behavioral task
- behavioral1
  Sample: Payment Details PDF.exe
  Resource: win7-20230220-en
Behavioral task
- behavioral2
  Sample: Payment Details PDF.exe
  Resource: win10v2004-20230220-en
General
- Target: Payment Details PDF.exe
- Size: 584KB
- MD5: 81bf7194541beae3d3878600b63e5753
- SHA1: 67ce7c1ace75ee46b8ce83feedaef37c1f0a59a2
- SHA256: 201a70eaa336c001f0573d3a2915e2c372df418bbf27c8729b30e4b08da2e8c9
- SHA512: 09b0a2ec5ce3ffac0705cf27973da0a26ed45eaef2893dc25fdc43b102219f0bbc768d50ac8ca5fdfac32af1cf5777bf74e6bd72a4543baa1bd2fd607473f4ee
- SSDEEP: 6144:LMZIXrvWfZJpKtHrnI9Dw17I+Ic5T1LxHE8CZV8m+oNRJOO2jRq2E71lOWMqp7t/:e+nIm7I+TRVCEm+oX52RIxlH7tUFu
Malware Config
Extracted
- snakekeylogger
- https://api.telegram.org/bot5435719278:AAFkA_rGsUomupSCBqIPHcOBw0iPF0KuOG0/sendMessage?chat_id=5666881718
Signatures
- Snake Keylogger
  Keylogger and Infostealer first seen in November 2020.
- Snake Keylogger payload (1 IoCs)
  resource: behavioral2/memory/3716-143-0x0000000000400000-0x0000000000426000-memory.dmp; yara_rule: family_snakekeylogger
- StormKitty
  StormKitty is an open source info stealer written in C#.
- StormKitty payload (1 IoCs)
  resource: behavioral2/memory/3716-143-0x0000000000400000-0x0000000000426000-memory.dmp; yara_rule: family_stormkitty
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up the country code configured in the registry, likely a geofence check.
  description: Key value queried; ioc: \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation; Process: Payment Details PDF.exe
- Looks up external IP address via web service (1 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow: 15; ioc: checkip.dyndns.org
- Suspicious use of SetThreadContext (1 IoCs)
  description: PID 632 set thread context of 3716; pid: 632; Process: Payment Details PDF.exe; procid_target: 85
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Program crash (1 IoCs)
  pid: 4056; pid_target: 3716; Process: WerFault.exe; procid_target: 85
- Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid: 1960; Process: schtasks.exe
- Suspicious behavior: EnumeratesProcesses (1 IoCs)
  pid: 3716; Process: Payment Details PDF.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  description: Token: SeDebugPrivilege; pid: 3716; Process: Payment Details PDF.exe
- Suspicious use of WriteProcessMemory (11 IoCs)
  PID 632 wrote to memory of 1960 (3 events); pid: 632; Process: Payment Details PDF.exe; procid_target: 83
  PID 632 wrote to memory of 3716 (8 events); pid: 632; Process: Payment Details PDF.exe; procid_target: 85
Processes
- C:\Users\Admin\AppData\Local\Temp\Payment Details PDF.exe
  "C:\Users\Admin\AppData\Local\Temp\Payment Details PDF.exe"
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID: 632
  - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\JSkmEG" /XML "C:\Users\Admin\AppData\Local\Temp\tmp53EC.tmp"
    - Creates scheduled task(s)
    PID: 1960
  - C:\Users\Admin\AppData\Local\Temp\Payment Details PDF.exe
    "{path}"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 3716
    - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3716 -s 1540
      - Program crash
      PID: 4056
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 3716 -ip 3716
  PID: 3536
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 1KB
  MD5: 84e77a587d94307c0ac1357eb4d3d46f
  SHA1: 83cc900f9401f43d181207d64c5adba7a85edc1e
  SHA256: e16024b092a026a9dc00df69d4b9bbcab7b2dc178dc5291fc308a1abc9304a99
  SHA512: aefb5c62200b3ed97718d20a89990954d4d8acdc0a6a73c5a420f1bba619cb79e70c2cd0a579b9f52dc6b09e1de2cea6cd6cac4376cfee92d94e2c01d310f691
- Filesize: 1KB
  MD5: 704ba8ca112e912ed21908b7b07e3428
  SHA1: 9bde540f3da0967d4bf09319739e69114e78bac5
  SHA256: cf88f704f9a2d99d072a464b4f0c3f6921e47975377d0f1fee2796fe005c9c2a
  SHA512: 22a89e0bd6b45a75f22eb8c0b9cda0e1ee0bd8ed8c2f0a1ce367839dec145856fa23715d0d55a50c80527500fb03fec7e96be071c193b6e2377a94295129dcb4