Analysis

  • max time kernel
    117s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system
  • submitted
    27-09-2024 13:25

General

  • Target

    dekont.pdf.exe

  • Size

    538KB

  • MD5

    5fefb939b823e2ab745c9be76201cfb4

  • SHA1

    59cad4aab5564363ec8ebd8c9c8784422679f867

  • SHA256

    615a6cc0182c99d30f1421571d06684ebae0a937a38e91a6dc3925d68148eeb1

  • SHA512

    2e56d553ba3110c5dc121113b26468513ea06902343c46bd96b8573672636c12633df10e3c41b7ffbd2c8fbb3b54bb413f5c8adb00596c3447105cc2c3fe9108

  • SSDEEP

    12288:S9r++61ogaQ3+qQCydqVqcgHtC4wtd9qdm1BmJ27XdtTJV:S5++61o1MqJHwBtD

Malware Config

Signatures

  • Snake Keylogger

    Keylogger and Infostealer first seen in November 2020.

  • Snake Keylogger payload 5 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 37 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\dekont.pdf.exe
    "C:\Users\Admin\AppData\Local\Temp\dekont.pdf.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1344
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\dekont.pdf.exe"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2676
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\LtqNXjPVtQPl.exe"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2464
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\LtqNXjPVtQPl" /XML "C:\Users\Admin\AppData\Local\Temp\tmp79C2.tmp"
      2⤵
      • System Location Discovery: System Language Discovery
      • Scheduled Task/Job: Scheduled Task
      PID:2752
    • C:\Users\Admin\AppData\Local\Temp\dekont.pdf.exe
      "C:\Users\Admin\AppData\Local\Temp\dekont.pdf.exe"
      2⤵
      PID:2524
    • C:\Users\Admin\AppData\Local\Temp\dekont.pdf.exe
      "C:\Users\Admin\AppData\Local\Temp\dekont.pdf.exe"
      2⤵
      PID:2532
    • C:\Users\Admin\AppData\Local\Temp\dekont.pdf.exe
      "C:\Users\Admin\AppData\Local\Temp\dekont.pdf.exe"
      2⤵
      PID:2580
    • C:\Users\Admin\AppData\Local\Temp\dekont.pdf.exe
      "C:\Users\Admin\AppData\Local\Temp\dekont.pdf.exe"
      2⤵
      PID:1900
    • C:\Users\Admin\AppData\Local\Temp\dekont.pdf.exe
      "C:\Users\Admin\AppData\Local\Temp\dekont.pdf.exe"
      2⤵
      • Accesses Microsoft Outlook profiles
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • outlook_office_path
      • outlook_win_path
      PID:2932

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmp79C2.tmp

    Filesize

    1KB

    MD5

    2ed5abe5cddb8016f8283c9982fb66c9

    SHA1

    c24fc41d8904d349b08c9d8881e8ed77d54221ce

    SHA256

    17d1514eb123aaca73fae2286827a40372ebe47cf83f5397621bfe3861e6ff51

    SHA512

    50ae0f8becc6dfd511d9300876a4f89378bc4929e4cb8543a87282497bd9956b887871e41dc2b9a11fb830760632bec2ae76f22010c82c7e2e98d948b15b2598

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

    Filesize

    7KB

    MD5

    0ec6c14a5148e4454e495e786455f99b

    SHA1

    ffa6a3375694ea14bf98d4171141290af1b46d5d

    SHA256

    fd1c072e35ee7348795f3bbbd54924b4f9417ab83b2ef52f921f563b054cdeb8

    SHA512

    5903e8ad70d53362ac1d4009eb8f2fccb035b446d6514161b0307d29e1e82e05b001f49f013f7a239edfe12222d91d76fa945263bed3ec7d22f5c44eb7230130

  • memory/1344-4-0x0000000074E9E000-0x0000000074E9F000-memory.dmp

    Filesize

    4KB

  • memory/1344-31-0x0000000074E90000-0x000000007557E000-memory.dmp

    Filesize

    6.9MB

  • memory/1344-0-0x0000000074E9E000-0x0000000074E9F000-memory.dmp

    Filesize

    4KB

  • memory/1344-5-0x0000000074E90000-0x000000007557E000-memory.dmp

    Filesize

    6.9MB

  • memory/1344-6-0x00000000055B0000-0x0000000005618000-memory.dmp

    Filesize

    416KB

  • memory/1344-2-0x0000000074E90000-0x000000007557E000-memory.dmp

    Filesize

    6.9MB

  • memory/1344-1-0x00000000001D0000-0x000000000025E000-memory.dmp

    Filesize

    568KB

  • memory/1344-3-0x00000000004D0000-0x00000000004E0000-memory.dmp

    Filesize

    64KB

  • memory/2932-30-0x0000000000400000-0x0000000000426000-memory.dmp

    Filesize

    152KB

  • memory/2932-27-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

  • memory/2932-25-0x0000000000400000-0x0000000000426000-memory.dmp

    Filesize

    152KB

  • memory/2932-23-0x0000000000400000-0x0000000000426000-memory.dmp

    Filesize

    152KB

  • memory/2932-19-0x0000000000400000-0x0000000000426000-memory.dmp

    Filesize

    152KB

  • memory/2932-29-0x0000000000400000-0x0000000000426000-memory.dmp

    Filesize

    152KB

  • memory/2932-21-0x0000000000400000-0x0000000000426000-memory.dmp

    Filesize

    152KB

  • memory/2932-28-0x0000000000400000-0x0000000000426000-memory.dmp

    Filesize

    152KB