Analysis
-
max time kernel
68s -
max time network
122s -
platform
windows10-2004_x64 -
resource
win10v2004-20230915-en -
resource tags
arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system -
submitted
26-09-2023 01:40
Static task
static1
Behavioral task
behavioral1
Sample
DOCUMENT.exe
Resource
win7-20230831-en
Behavioral task
behavioral2
Sample
DOCUMENT.exe
Resource
win10v2004-20230915-en
General
-
Target
DOCUMENT.exe
-
Size
400.0MB
-
MD5
e2638e646b62a210e138adacb551d0b3
-
SHA1
08c84305ad48439626e5a15a49f639714c61cf0b
-
SHA256
1b82db028a2e3cfd34f3e2eec873da2e87e458b36581bebca0bc04a8d7f60aba
-
SHA512
92d3f246e4dd908c583216815f3f9e421172d270b26c2a7a592c135b7876fcc6075ba741621f428be4cce664e7071475745dd510fdc6e479d81053acae9944bd
-
SSDEEP
12288:E7FAPAQo3JU1HYIywtfeWUV/fzQjfqlvmTCNwmrYn5n+wuPrhSa:E76QZUk4Uh78g+ONwiYn5nCroa
Malware Config
Extracted
Protocol: ftp- Host:
ftp.product-secured.com - Port:
21 - Username:
[email protected] - Password:
2V8SHFwjad34@@##
Extracted
snakekeylogger
Protocol: ftp- Host:
ftp://ftp.product-secured.com/ - Port:
21 - Username:
[email protected] - Password:
2V8SHFwjad34@@##
Signatures
-
Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
-
Snake Keylogger payload 1 IoCs
Processes:
resource yara_rule behavioral2/memory/4968-7-0x0000000000400000-0x0000000000426000-memory.dmp family_snakekeylogger -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
DOCUMENT.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Control Panel\International\Geo\Nation DOCUMENT.exe -
Executes dropped EXE 2 IoCs
Processes:
svchost.exesvchost.exepid process 4500 svchost.exe 4368 svchost.exe -
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
Processes:
DOCUMENT.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 DOCUMENT.exe Key opened \REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 DOCUMENT.exe Key opened \REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 DOCUMENT.exe -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 47 checkip.dyndns.org -
Suspicious use of SetThreadContext 1 IoCs
Processes:
DOCUMENT.exedescription pid process target process PID 2780 set thread context of 4968 2780 DOCUMENT.exe DOCUMENT.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
DOCUMENT.exepid process 4968 DOCUMENT.exe 4968 DOCUMENT.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
DOCUMENT.exedescription pid process Token: SeDebugPrivilege 4968 DOCUMENT.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
DOCUMENT.exepid process 4968 DOCUMENT.exe -
Suspicious use of WriteProcessMemory 23 IoCs
Processes:
DOCUMENT.execmd.exedescription pid process target process PID 2780 wrote to memory of 4968 2780 DOCUMENT.exe DOCUMENT.exe PID 2780 wrote to memory of 4968 2780 DOCUMENT.exe DOCUMENT.exe PID 2780 wrote to memory of 4968 2780 DOCUMENT.exe DOCUMENT.exe PID 2780 wrote to memory of 4968 2780 DOCUMENT.exe DOCUMENT.exe PID 2780 wrote to memory of 4968 2780 DOCUMENT.exe DOCUMENT.exe PID 2780 wrote to memory of 4968 2780 DOCUMENT.exe DOCUMENT.exe PID 2780 wrote to memory of 4968 2780 DOCUMENT.exe DOCUMENT.exe PID 2780 wrote to memory of 4968 2780 DOCUMENT.exe DOCUMENT.exe PID 2780 wrote to memory of 4500 2780 DOCUMENT.exe svchost.exe PID 2780 wrote to memory of 4500 2780 DOCUMENT.exe svchost.exe PID 2780 wrote to memory of 4500 2780 DOCUMENT.exe svchost.exe PID 2780 wrote to memory of 4144 2780 DOCUMENT.exe cmd.exe PID 2780 wrote to memory of 4144 2780 DOCUMENT.exe cmd.exe PID 2780 wrote to memory of 4144 2780 DOCUMENT.exe cmd.exe PID 2780 wrote to memory of 3152 2780 DOCUMENT.exe cmd.exe PID 2780 wrote to memory of 3152 2780 DOCUMENT.exe cmd.exe PID 2780 wrote to memory of 3152 2780 DOCUMENT.exe cmd.exe PID 2780 wrote to memory of 3308 2780 DOCUMENT.exe cmd.exe PID 2780 wrote to memory of 3308 2780 DOCUMENT.exe cmd.exe PID 2780 wrote to memory of 3308 2780 DOCUMENT.exe cmd.exe PID 3152 wrote to memory of 2456 3152 cmd.exe schtasks.exe PID 3152 wrote to memory of 2456 3152 cmd.exe schtasks.exe PID 3152 wrote to memory of 2456 3152 cmd.exe schtasks.exe -
outlook_office_path 1 IoCs
Processes:
DOCUMENT.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 DOCUMENT.exe -
outlook_win_path 1 IoCs
Processes:
DOCUMENT.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 DOCUMENT.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\DOCUMENT.exe"C:\Users\Admin\AppData\Local\Temp\DOCUMENT.exe"1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2780 -
C:\Users\Admin\AppData\Local\Temp\DOCUMENT.exe"C:\Users\Admin\AppData\Local\Temp\DOCUMENT.exe"2⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- outlook_office_path
- outlook_win_path
PID:4968 -
C:\Users\Admin\AppData\Local\Temp\svchost.exe"C:\Users\Admin\AppData\Local\Temp\svchost.exe"2⤵
- Executes dropped EXE
PID:4500 -
C:\Windows\SysWOW64\cmd.exe"cmd" /c copy "C:\Users\Admin\AppData\Local\Temp\DOCUMENT.exe" "C:\Users\Admin\AppData\Roaming\svchost\svchost.exe"2⤵PID:3308
-
C:\Windows\SysWOW64\cmd.exe"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f2⤵
- Suspicious use of WriteProcessMemory
PID:3152 -
C:\Windows\SysWOW64\schtasks.exeschtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f3⤵
- Creates scheduled task(s)
PID:2456 -
C:\Windows\SysWOW64\cmd.exe"cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\svchost"2⤵PID:4144
-
C:\Users\Admin\AppData\Roaming\svchost\svchost.exeC:\Users\Admin\AppData\Roaming\svchost\svchost.exe1⤵
- Executes dropped EXE
PID:4368
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
401KB
MD5deba7b69f10f006b43b174d40e7094b7
SHA1ebec55598c21a17daf9aad948168bfa2d71c960d
SHA256cac89ee424be23bfb4784ffdbf398746e5b82e8eb800586441694e7e15afae14
SHA5120b78bd2fab64417727d01e296df1264611572e6557cfa4a93bca957e664f5eb3fb51d680688f5b61147d6b2a2841f5222f7360ec1fc7499b8f88501f46189c2a
-
Filesize
401KB
MD5deba7b69f10f006b43b174d40e7094b7
SHA1ebec55598c21a17daf9aad948168bfa2d71c960d
SHA256cac89ee424be23bfb4784ffdbf398746e5b82e8eb800586441694e7e15afae14
SHA5120b78bd2fab64417727d01e296df1264611572e6557cfa4a93bca957e664f5eb3fb51d680688f5b61147d6b2a2841f5222f7360ec1fc7499b8f88501f46189c2a
-
Filesize
401KB
MD5deba7b69f10f006b43b174d40e7094b7
SHA1ebec55598c21a17daf9aad948168bfa2d71c960d
SHA256cac89ee424be23bfb4784ffdbf398746e5b82e8eb800586441694e7e15afae14
SHA5120b78bd2fab64417727d01e296df1264611572e6557cfa4a93bca957e664f5eb3fb51d680688f5b61147d6b2a2841f5222f7360ec1fc7499b8f88501f46189c2a
-
Filesize
256KB
MD5dd044277b130d28e7c3048a2ccfed983
SHA196b78f716d8c0ba24cf82cb3ef044e11f40b5124
SHA256969d92769b77c7a8b56b94c0aec68e39aca1531d67ed9ad6600b4598430bb86b
SHA512d36fd762890a3e88820e9bcc52367cf927c9f0b5248f8562cb7dea2e99d3b02158575b221b090709a31549d8fc90302d58d954897f6357465aaad2d9b13fa56b
-
Filesize
335KB
MD5b0020c87478c9f63bfba85c7ed00013c
SHA1686f7f8c5b6e13c7f9516662e153f6f259bd1b2f
SHA256eaeea0396da04804b53d8886c3718ecae1687577e6601a6c85529b599aa40f1c
SHA51242cb2e4e7f82a9181a4c8ee7e44b0430f7692dfa1be50f175b31af55693bf49321988d5db181ad44b9abf9731dc99ba5e2b75ce3a0e9b65a911abcd25af36f69