Analysis
-
max time kernel
149s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20231023-en -
resource tags
arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system -
submitted
15-11-2023 14:48
Static task
static1
Behavioral task
behavioral1
Sample
Draft BL.pdf.exe
Resource
win7-20231020-en
Behavioral task
behavioral2
Sample
Draft BL.pdf.exe
Resource
win10v2004-20231023-en
General
-
Target
Draft BL.pdf.exe
-
Size
593KB
-
MD5
26048e02ba3f8483fa15e7c0660c4c1e
-
SHA1
b98cf8f5a2f6b7f5801de10ae4873ca654958009
-
SHA256
93da5b68246f2c37789b4fe137f570a7eaf939810bedac23fc6ce070a19672e5
-
SHA512
bdbe4590761ac379980571458a71f9c9cf0133718ce00d7aa78fe8ca4f66344ae409808c764d1eb7e65bab9f4950d7bbc574cdcf2486be10feaafa95489ed726
-
SSDEEP
12288:HaHLlfxMEiWtZjRHUCwRwqYCQiURT+NEbQdf3id:QhpMEVZ4LXURYF
Malware Config
Extracted
snakekeylogger
Protocol: smtp- Host:
mail.mct2.co.za - Port:
587 - Username:
[email protected] - Password:
00000
Signatures
-
Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
-
Snake Keylogger payload 1 IoCs
Processes:
resource yara_rule behavioral2/memory/4464-11-0x0000000000400000-0x0000000000424000-memory.dmp family_snakekeylogger -
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
Processes:
Draft BL.pdf.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Draft BL.pdf.exe Key opened \REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Draft BL.pdf.exe Key opened \REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Draft BL.pdf.exe -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 61 checkip.dyndns.org -
Suspicious use of SetThreadContext 1 IoCs
Processes:
Draft BL.pdf.exedescription pid process target process PID 5040 set thread context of 4464 5040 Draft BL.pdf.exe Draft BL.pdf.exe -
Suspicious behavior: EnumeratesProcesses 3 IoCs
Processes:
Draft BL.pdf.exepid process 4464 Draft BL.pdf.exe 4464 Draft BL.pdf.exe 4464 Draft BL.pdf.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
Draft BL.pdf.exesvchost.exedescription pid process Token: SeDebugPrivilege 4464 Draft BL.pdf.exe Token: SeManageVolumePrivilege 3204 svchost.exe -
Suspicious use of WriteProcessMemory 8 IoCs
Processes:
Draft BL.pdf.exedescription pid process target process PID 5040 wrote to memory of 4464 5040 Draft BL.pdf.exe Draft BL.pdf.exe PID 5040 wrote to memory of 4464 5040 Draft BL.pdf.exe Draft BL.pdf.exe PID 5040 wrote to memory of 4464 5040 Draft BL.pdf.exe Draft BL.pdf.exe PID 5040 wrote to memory of 4464 5040 Draft BL.pdf.exe Draft BL.pdf.exe PID 5040 wrote to memory of 4464 5040 Draft BL.pdf.exe Draft BL.pdf.exe PID 5040 wrote to memory of 4464 5040 Draft BL.pdf.exe Draft BL.pdf.exe PID 5040 wrote to memory of 4464 5040 Draft BL.pdf.exe Draft BL.pdf.exe PID 5040 wrote to memory of 4464 5040 Draft BL.pdf.exe Draft BL.pdf.exe -
outlook_office_path 1 IoCs
Processes:
Draft BL.pdf.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Draft BL.pdf.exe -
outlook_win_path 1 IoCs
Processes:
Draft BL.pdf.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Draft BL.pdf.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\Draft BL.pdf.exe"C:\Users\Admin\AppData\Local\Temp\Draft BL.pdf.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:5040 -
C:\Users\Admin\AppData\Local\Temp\Draft BL.pdf.exe"C:\Users\Admin\AppData\Local\Temp\Draft BL.pdf.exe"2⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:4464
-
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe1⤵PID:3372
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k UnistackSvcGroup1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3204
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD58ec831f3e3a3f77e4a7b9cd32b48384c
SHA1d83f09fd87c5bd86e045873c231c14836e76a05c
SHA2567667e538030e3f8ce2886e47a01af24cb0ea70528b1e821c5d8832c5076cb982
SHA51226bffa2406b66368bd412bf25869a792631455645992cdcade2dbc13a2e56fb546414a6a9223b94c96c38d89187add6678d4779a88b38b0c9e36be8527b213c3