Analysis
-
max time kernel
82s -
max time network
142s -
platform
windows7_x64 -
resource
win7-20230220-en -
resource tags
arch:x64 arch:x86 image:win7-20230220-en locale:en-us os:windows7-x64 system -
submitted
02-06-2023 06:10
Static task
static1
Behavioral task
behavioral1
Sample
PO ERHB64J8HF.pdf.exe
Resource
win7-20230220-en
Behavioral task
behavioral2
Sample
PO ERHB64J8HF.pdf.exe
Resource
win10v2004-20230221-en
General
-
Target
PO ERHB64J8HF.pdf.exe
-
Size
734KB
-
MD5
20f4465ac298e52d90c214d0a20745a0
-
SHA1
15d875fa872f0760904b923de9bb9197c6346ef5
-
SHA256
e21548973f158e8fbc7b0cd460019fb0d378ceb55f20a49b6ae346520e1f58b2
-
SHA512
460bdf6643f74930ab239e665c602e118095b7379cb35b00d2ada6919cea35059806ad6ec220ca1f0af115dc483beca6bdc21f02ef0db56228d3fef981e8ffde
-
SSDEEP
12288:xSvTetd7l7xdvo/MdyrhFgtDsuBHsSj5J4+saBGIFSo16uYdSWHEfN6Aa9VJkQS7:xSvTu9BqmycgiH75BzSY6utWcJa3JkQm
Malware Config
Extracted
snakekeylogger
https://api.telegram.org/bot5818680343:AAGVJsfIHcopySiifMCdAaFCv-ICp2_Yo_M/sendMessage?chat_id=5765702254
Signatures
-
Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
-
Snake Keylogger payload 7 IoCs
Processes:
resource | yara_rule
behavioral1/memory/856-74-0x0000000000400000-0x0000000000426000-memory.dmp | family_snakekeylogger
behavioral1/memory/856-75-0x0000000000400000-0x0000000000426000-memory.dmp | family_snakekeylogger
behavioral1/memory/856-77-0x0000000000400000-0x0000000000426000-memory.dmp | family_snakekeylogger
behavioral1/memory/856-79-0x0000000000400000-0x0000000000426000-memory.dmp | family_snakekeylogger
behavioral1/memory/856-81-0x0000000000400000-0x0000000000426000-memory.dmp | family_snakekeylogger
behavioral1/memory/1972-82-0x0000000002530000-0x0000000002570000-memory.dmp | family_snakekeylogger
behavioral1/memory/1972-83-0x0000000002530000-0x0000000002570000-memory.dmp | family_snakekeylogger
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
Processes:
PO ERHB64J8HF.pdf.exe
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | PO ERHB64J8HF.pdf.exe
Key opened | \REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | PO ERHB64J8HF.pdf.exe
Key opened | \REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | PO ERHB64J8HF.pdf.exe
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow | ioc
4 | checkip.dyndns.org
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
PO ERHB64J8HF.pdf.exe
description | pid | process | target process
PID 1716 set thread context of 856 | 1716 | PO ERHB64J8HF.pdf.exe | PO ERHB64J8HF.pdf.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 10 IoCs
Processes:
PO ERHB64J8HF.pdf.exe, PO ERHB64J8HF.pdf.exe, powershell.exe, powershell.exe
pid | process
1716 | PO ERHB64J8HF.pdf.exe
1716 | PO ERHB64J8HF.pdf.exe
1716 | PO ERHB64J8HF.pdf.exe
1716 | PO ERHB64J8HF.pdf.exe
1716 | PO ERHB64J8HF.pdf.exe
1716 | PO ERHB64J8HF.pdf.exe
856 | PO ERHB64J8HF.pdf.exe
1972 | powershell.exe
936 | powershell.exe
856 | PO ERHB64J8HF.pdf.exe
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
Processes:
PO ERHB64J8HF.pdf.exe, PO ERHB64J8HF.pdf.exe, powershell.exe, powershell.exe
description | pid | process
Token: SeDebugPrivilege | 1716 | PO ERHB64J8HF.pdf.exe
Token: SeDebugPrivilege | 856 | PO ERHB64J8HF.pdf.exe
Token: SeDebugPrivilege | 1972 | powershell.exe
Token: SeDebugPrivilege | 936 | powershell.exe
-
Suspicious use of WriteProcessMemory 21 IoCs
Processes:
PO ERHB64J8HF.pdf.exe
description | pid | process | target process
PID 1716 wrote to memory of 1972 | 1716 | PO ERHB64J8HF.pdf.exe | powershell.exe
PID 1716 wrote to memory of 1972 | 1716 | PO ERHB64J8HF.pdf.exe | powershell.exe
PID 1716 wrote to memory of 1972 | 1716 | PO ERHB64J8HF.pdf.exe | powershell.exe
PID 1716 wrote to memory of 1972 | 1716 | PO ERHB64J8HF.pdf.exe | powershell.exe
PID 1716 wrote to memory of 936 | 1716 | PO ERHB64J8HF.pdf.exe | powershell.exe
PID 1716 wrote to memory of 936 | 1716 | PO ERHB64J8HF.pdf.exe | powershell.exe
PID 1716 wrote to memory of 936 | 1716 | PO ERHB64J8HF.pdf.exe | powershell.exe
PID 1716 wrote to memory of 936 | 1716 | PO ERHB64J8HF.pdf.exe | powershell.exe
PID 1716 wrote to memory of 1156 | 1716 | PO ERHB64J8HF.pdf.exe | schtasks.exe
PID 1716 wrote to memory of 1156 | 1716 | PO ERHB64J8HF.pdf.exe | schtasks.exe
PID 1716 wrote to memory of 1156 | 1716 | PO ERHB64J8HF.pdf.exe | schtasks.exe
PID 1716 wrote to memory of 1156 | 1716 | PO ERHB64J8HF.pdf.exe | schtasks.exe
PID 1716 wrote to memory of 856 | 1716 | PO ERHB64J8HF.pdf.exe | PO ERHB64J8HF.pdf.exe
PID 1716 wrote to memory of 856 | 1716 | PO ERHB64J8HF.pdf.exe | PO ERHB64J8HF.pdf.exe
PID 1716 wrote to memory of 856 | 1716 | PO ERHB64J8HF.pdf.exe | PO ERHB64J8HF.pdf.exe
PID 1716 wrote to memory of 856 | 1716 | PO ERHB64J8HF.pdf.exe | PO ERHB64J8HF.pdf.exe
PID 1716 wrote to memory of 856 | 1716 | PO ERHB64J8HF.pdf.exe | PO ERHB64J8HF.pdf.exe
PID 1716 wrote to memory of 856 | 1716 | PO ERHB64J8HF.pdf.exe | PO ERHB64J8HF.pdf.exe
PID 1716 wrote to memory of 856 | 1716 | PO ERHB64J8HF.pdf.exe | PO ERHB64J8HF.pdf.exe
PID 1716 wrote to memory of 856 | 1716 | PO ERHB64J8HF.pdf.exe | PO ERHB64J8HF.pdf.exe
PID 1716 wrote to memory of 856 | 1716 | PO ERHB64J8HF.pdf.exe | PO ERHB64J8HF.pdf.exe
-
outlook_office_path 1 IoCs
Processes:
PO ERHB64J8HF.pdf.exe
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | PO ERHB64J8HF.pdf.exe
-
outlook_win_path 1 IoCs
Processes:
PO ERHB64J8HF.pdf.exe
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | PO ERHB64J8HF.pdf.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\PO ERHB64J8HF.pdf.exe (depth 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\PO ERHB64J8HF.pdf.exe"
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
  -
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (depth 2)
  Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\PO ERHB64J8HF.pdf.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  -
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (depth 2)
  Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\FutLunqUNqtW.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  -
  C:\Windows\SysWOW64\schtasks.exe (depth 2)
  Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\FutLunqUNqtW" /XML "C:\Users\Admin\AppData\Local\Temp\tmp891E.tmp"
  - Creates scheduled task(s)
  -
  C:\Users\Admin\AppData\Local\Temp\PO ERHB64J8HF.pdf.exe (depth 2)
  Command line: "C:\Users\Admin\AppData\Local\Temp\PO ERHB64J8HF.pdf.exe"
  - Accesses Microsoft Outlook profiles
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - outlook_office_path
  - outlook_win_path
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\tmp891E.tmp
Filesize
1KB
MD5
54fef0e389b247a00543170050efb934
SHA1
b76005922dbed5142fcef201d8f37756cda2d263
SHA256
2be5e9d4786e74280dbae35a2f16b374742427e10a437bf7c5705debc65d5efe
SHA512
64a74728a6f7849cc4b57a67de5ea14ba4141d802da1376724a7ef9b3be54c9d3571b82ba1e4f251e764524b1e3799edc55dd5dc0ad23ceb50906495730ab290
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\XXB8FRE7TADKN37NTCWQ.temp
Filesize
7KB
MD5
ba98a8c26e4a69243f7cbce078212004
SHA1
f8cdfd9991c37ae774489a2f98c8d229b9556093
SHA256
4d68cec434da25419d939b837df8d648f8b2f218c03e52e3372e6c2569d4075e
SHA512
65afeae8e7ce9de6ca0b2495cd7cc25ffd6f764535bcc6d2c12f631f83d67f2a8a7bf7a74add98aa2d8fc2eb255a5d6c9b37be873f715a69607ad4f52bce7a84
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
7KB
MD5
ba98a8c26e4a69243f7cbce078212004
SHA1
f8cdfd9991c37ae774489a2f98c8d229b9556093
SHA256
4d68cec434da25419d939b837df8d648f8b2f218c03e52e3372e6c2569d4075e
SHA512
65afeae8e7ce9de6ca0b2495cd7cc25ffd6f764535bcc6d2c12f631f83d67f2a8a7bf7a74add98aa2d8fc2eb255a5d6c9b37be873f715a69607ad4f52bce7a84
-
memory/856-74-0x0000000000400000-0x0000000000426000-memory.dmp
Filesize
152KB
-
memory/856-81-0x0000000000400000-0x0000000000426000-memory.dmp
Filesize
152KB
-
memory/856-79-0x0000000000400000-0x0000000000426000-memory.dmp
Filesize
152KB
-
memory/856-77-0x0000000000400000-0x0000000000426000-memory.dmp
Filesize
152KB
-
memory/856-76-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
Filesize
4KB
-
memory/856-75-0x0000000000400000-0x0000000000426000-memory.dmp
Filesize
152KB
-
memory/856-72-0x0000000000400000-0x0000000000426000-memory.dmp
Filesize
152KB
-
memory/856-73-0x0000000000400000-0x0000000000426000-memory.dmp
Filesize
152KB
-
memory/1716-58-0x00000000042F0000-0x0000000004352000-memory.dmp
Filesize
392KB
-
memory/1716-70-0x00000000050A0000-0x00000000050CA000-memory.dmp
Filesize
168KB
-
memory/1716-54-0x0000000000880000-0x000000000093C000-memory.dmp
Filesize
752KB
-
memory/1716-57-0x00000000004D0000-0x00000000004DC000-memory.dmp
Filesize
48KB
-
memory/1716-56-0x00000000004C0000-0x00000000004D4000-memory.dmp
Filesize
80KB
-
memory/1716-55-0x0000000004C90000-0x0000000004CD0000-memory.dmp
Filesize
256KB
-
memory/1972-82-0x0000000002530000-0x0000000002570000-memory.dmp
Filesize
256KB
-
memory/1972-83-0x0000000002530000-0x0000000002570000-memory.dmp
Filesize
256KB