Analysis
max time kernel: 97s
max time network: 139s
platform: windows7_x64
resource: win7-20230220-en
resource tags: arch:x64 arch:x86 image:win7-20230220-en locale:en-us os:windows7-x64 system
submitted: 05/05/2023, 20:58
Static task: static1
Behavioral task: behavioral1
  Sample: ShippingDocuments.pdf.exe
  Resource: win7-20230220-en
Behavioral task: behavioral2
  Sample: ShippingDocuments.pdf.exe
  Resource: win10v2004-20230220-en
General
Target: ShippingDocuments.pdf.exe
Size: 623KB
MD5: c484332886c809a3452f19103ce0cfc7
SHA1: 42e0ea78388c594e6abab63c37464f71ed234f58
SHA256: 21777e7d8c275e5e9fc22a08172bfd5b9872340f46523df83bf2dd7a4b611dd2
SHA512: c48a3bcb80d8dc51c327f5d952df4a73aaa1ca95720c039efe4caabfcb8f0d2bcb53456071fa0aecd87a6f279281ec5b1ed316f537078e4fbff9f502fe236372
SSDEEP: 12288:NOdlpV5YHhorPTfFZyN8TyjbduPk8RwctUO8D9ko:NKAKfysdk46Bk
Malware Config
Extracted
snakekeylogger
https://api.telegram.org/bot6029559841:AAEqr8_NCfqapJgAzw8PoPbqoCosnsk1VO0/sendMessage?chat_id=6033043077
Signatures

Snake Keylogger
Keylogger and Infostealer first seen in November 2020.

Snake Keylogger payload (5 IoCs)
  resource                                                                     yara_rule
  behavioral1/memory/1552-75-0x0000000000400000-0x0000000000426000-memory.dmp  family_snakekeylogger
  behavioral1/memory/1552-76-0x0000000000400000-0x0000000000426000-memory.dmp  family_snakekeylogger
  behavioral1/memory/1552-78-0x0000000000400000-0x0000000000426000-memory.dmp  family_snakekeylogger
  behavioral1/memory/1552-80-0x0000000000400000-0x0000000000426000-memory.dmp  family_snakekeylogger
  behavioral1/memory/1552-82-0x0000000000400000-0x0000000000426000-memory.dmp  family_snakekeylogger

StormKitty
StormKitty is an open source info stealer written in C#.

StormKitty payload (5 IoCs)
  resource                                                                     yara_rule
  behavioral1/memory/1552-75-0x0000000000400000-0x0000000000426000-memory.dmp  family_stormkitty
  behavioral1/memory/1552-76-0x0000000000400000-0x0000000000426000-memory.dmp  family_stormkitty
  behavioral1/memory/1552-78-0x0000000000400000-0x0000000000426000-memory.dmp  family_stormkitty
  behavioral1/memory/1552-80-0x0000000000400000-0x0000000000426000-memory.dmp  family_stormkitty
  behavioral1/memory/1552-82-0x0000000000400000-0x0000000000426000-memory.dmp  family_stormkitty
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
  description  ioc  Process
  Key opened  \REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  ShippingDocuments.pdf.exe
  Key opened  \REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  ShippingDocuments.pdf.exe
  Key opened  \REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  ShippingDocuments.pdf.exe

Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
  flow  ioc
  4     checkip.dyndns.org

Suspicious use of SetThreadContext (1 IoC)
  description                              pid   Process                    procid_target
  PID 1336 set thread context of 1552      1336  ShippingDocuments.pdf.exe  34

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid   Process
  1184  schtasks.exe

Suspicious behavior: EnumeratesProcesses (4 IoCs)
  pid   Process
  1552  ShippingDocuments.pdf.exe
  652   powershell.exe
  564   powershell.exe
  1552  ShippingDocuments.pdf.exe

Suspicious use of AdjustPrivilegeToken (3 IoCs)
  description              pid   Process
  Token: SeDebugPrivilege  1552  ShippingDocuments.pdf.exe
  Token: SeDebugPrivilege  652   powershell.exe
  Token: SeDebugPrivilege  564   powershell.exe

Suspicious use of WriteProcessMemory (21 IoCs)
  description                        pid   Process                    procid_target
  PID 1336 wrote to memory of 652    1336  ShippingDocuments.pdf.exe  28
  PID 1336 wrote to memory of 652    1336  ShippingDocuments.pdf.exe  28
  PID 1336 wrote to memory of 652    1336  ShippingDocuments.pdf.exe  28
  PID 1336 wrote to memory of 652    1336  ShippingDocuments.pdf.exe  28
  PID 1336 wrote to memory of 564    1336  ShippingDocuments.pdf.exe  30
  PID 1336 wrote to memory of 564    1336  ShippingDocuments.pdf.exe  30
  PID 1336 wrote to memory of 564    1336  ShippingDocuments.pdf.exe  30
  PID 1336 wrote to memory of 564    1336  ShippingDocuments.pdf.exe  30
  PID 1336 wrote to memory of 1184   1336  ShippingDocuments.pdf.exe  32
  PID 1336 wrote to memory of 1184   1336  ShippingDocuments.pdf.exe  32
  PID 1336 wrote to memory of 1184   1336  ShippingDocuments.pdf.exe  32
  PID 1336 wrote to memory of 1184   1336  ShippingDocuments.pdf.exe  32
  PID 1336 wrote to memory of 1552   1336  ShippingDocuments.pdf.exe  34
  PID 1336 wrote to memory of 1552   1336  ShippingDocuments.pdf.exe  34
  PID 1336 wrote to memory of 1552   1336  ShippingDocuments.pdf.exe  34
  PID 1336 wrote to memory of 1552   1336  ShippingDocuments.pdf.exe  34
  PID 1336 wrote to memory of 1552   1336  ShippingDocuments.pdf.exe  34
  PID 1336 wrote to memory of 1552   1336  ShippingDocuments.pdf.exe  34
  PID 1336 wrote to memory of 1552   1336  ShippingDocuments.pdf.exe  34
  PID 1336 wrote to memory of 1552   1336  ShippingDocuments.pdf.exe  34
  PID 1336 wrote to memory of 1552   1336  ShippingDocuments.pdf.exe  34

outlook_office_path (1 IoC)
  description  ioc  Process
  Key opened  \REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  ShippingDocuments.pdf.exe

outlook_win_path (1 IoC)
  description  ioc  Process
  Key opened  \REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  ShippingDocuments.pdf.exe
Processes

ShippingDocuments.pdf.exe (level 1, PID 1336)
  Path: C:\Users\Admin\AppData\Local\Temp\ShippingDocuments.pdf.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\ShippingDocuments.pdf.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory

  powershell.exe (level 2, PID 652)
    Path: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\ShippingDocuments.pdf.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  powershell.exe (level 2, PID 564)
    Path: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\tjyThmp.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  schtasks.exe (level 2, PID 1184)
    Path: C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\tjyThmp" /XML "C:\Users\Admin\AppData\Local\Temp\tmp9D1.tmp"
    - Creates scheduled task(s)

  ShippingDocuments.pdf.exe (level 2, PID 1552)
    Path: C:\Users\Admin\AppData\Local\Temp\ShippingDocuments.pdf.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\ShippingDocuments.pdf.exe"
    - Accesses Microsoft Outlook profiles
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path
Network
MITRE ATT&CK Enterprise v6
Downloads

Filesize: 1KB
MD5: e8c446d36f5ae1bfff0531345a83295b
SHA1: 6e4abc04c15c6738ff4564ed5573fddf837966ed
SHA256: 8025dcad55b733b28ab3f065a60b6c08847d828981e7a5e857151c26efe752fe
SHA512: 188c39163c3eab86ae6f9cf82c1a5f6047a4465fc6d17025cc2628acd3260b71ca5ecb31910b79d765668854314275ee82fa315a0472a362c554b81d7d09e0b9

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\8QZ9A0R8PQ2LMBEGUJ9W.temp
Filesize: 7KB
MD5: 1c756dcc09ba65f4e3c58928abd1c3fc
SHA1: 8adf0c8e694aa1768f02d08d20185c566daf05af
SHA256: 736b3d403f764a1dc02a94d90801e0e0b27c182b310d60efb6cc23801491039d
SHA512: 9b905313f7d6e76f9c2ba0132c0b72b4bf528016e01582d12908139b0bd5970951e992d909aa80278688c8e3165bf6fdc30e17ebb9c2cedca320ae0fe964cca7

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize: 7KB
MD5: 1c756dcc09ba65f4e3c58928abd1c3fc
SHA1: 8adf0c8e694aa1768f02d08d20185c566daf05af
SHA256: 736b3d403f764a1dc02a94d90801e0e0b27c182b310d60efb6cc23801491039d
SHA512: 9b905313f7d6e76f9c2ba0132c0b72b4bf528016e01582d12908139b0bd5970951e992d909aa80278688c8e3165bf6fdc30e17ebb9c2cedca320ae0fe964cca7