Analysis
-
max time kernel
117s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
27-09-2024 13:25
Static task
static1
Behavioral task
behavioral1
Sample
dekont.pdf.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
dekont.pdf.exe
Resource
win10v2004-20240802-en
General
-
Target
dekont.pdf.exe
-
Size
538KB
-
MD5
5fefb939b823e2ab745c9be76201cfb4
-
SHA1
59cad4aab5564363ec8ebd8c9c8784422679f867
-
SHA256
615a6cc0182c99d30f1421571d06684ebae0a937a38e91a6dc3925d68148eeb1
-
SHA512
2e56d553ba3110c5dc121113b26468513ea06902343c46bd96b8573672636c12633df10e3c41b7ffbd2c8fbb3b54bb413f5c8adb00596c3447105cc2c3fe9108
-
SSDEEP
12288:S9r++61ogaQ3+qQCydqVqcgHtC4wtd9qdm1BmJ27XdtTJV:S5++61o1MqJHwBtD
Malware Config
Signatures
-
Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
-
Snake Keylogger payload 5 IoCs
resource yara_rule behavioral1/memory/2932-30-0x0000000000400000-0x0000000000426000-memory.dmp family_snakekeylogger behavioral1/memory/2932-28-0x0000000000400000-0x0000000000426000-memory.dmp family_snakekeylogger behavioral1/memory/2932-25-0x0000000000400000-0x0000000000426000-memory.dmp family_snakekeylogger behavioral1/memory/2932-23-0x0000000000400000-0x0000000000426000-memory.dmp family_snakekeylogger behavioral1/memory/2932-29-0x0000000000400000-0x0000000000426000-memory.dmp family_snakekeylogger -
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid Process 2676 powershell.exe 2464 powershell.exe -
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 dekont.pdf.exe Key opened \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 dekont.pdf.exe Key opened \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 dekont.pdf.exe -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 2 checkip.dyndns.org -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 1344 set thread context of 2932 1344 dekont.pdf.exe 38 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dekont.pdf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dekont.pdf.exe -
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 2752 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 14 IoCs
pid Process 1344 dekont.pdf.exe 1344 dekont.pdf.exe 1344 dekont.pdf.exe 1344 dekont.pdf.exe 1344 dekont.pdf.exe 1344 dekont.pdf.exe 1344 dekont.pdf.exe 1344 dekont.pdf.exe 1344 dekont.pdf.exe 2676 powershell.exe 2464 powershell.exe 1344 dekont.pdf.exe 2932 dekont.pdf.exe 2932 dekont.pdf.exe -
Suspicious use of AdjustPrivilegeToken 4 IoCs
description pid Process Token: SeDebugPrivilege 1344 dekont.pdf.exe Token: SeDebugPrivilege 2676 powershell.exe Token: SeDebugPrivilege 2464 powershell.exe Token: SeDebugPrivilege 2932 dekont.pdf.exe -
Suspicious use of WriteProcessMemory 37 IoCs
description pid Process procid_target PID 1344 wrote to memory of 2676 1344 dekont.pdf.exe 28 PID 1344 wrote to memory of 2676 1344 dekont.pdf.exe 28 PID 1344 wrote to memory of 2676 1344 dekont.pdf.exe 28 PID 1344 wrote to memory of 2676 1344 dekont.pdf.exe 28 PID 1344 wrote to memory of 2464 1344 dekont.pdf.exe 30 PID 1344 wrote to memory of 2464 1344 dekont.pdf.exe 30 PID 1344 wrote to memory of 2464 1344 dekont.pdf.exe 30 PID 1344 wrote to memory of 2464 1344 dekont.pdf.exe 30 PID 1344 wrote to memory of 2752 1344 dekont.pdf.exe 32 PID 1344 wrote to memory of 2752 1344 dekont.pdf.exe 32 PID 1344 wrote to memory of 2752 1344 dekont.pdf.exe 32 PID 1344 wrote to memory of 2752 1344 dekont.pdf.exe 32 PID 1344 wrote to memory of 2524 1344 dekont.pdf.exe 34 PID 1344 wrote to memory of 2524 1344 dekont.pdf.exe 34 PID 1344 wrote to memory of 2524 1344 dekont.pdf.exe 34 PID 1344 wrote to memory of 2524 1344 dekont.pdf.exe 34 PID 1344 wrote to memory of 2532 1344 dekont.pdf.exe 35 PID 1344 wrote to memory of 2532 1344 dekont.pdf.exe 35 PID 1344 wrote to memory of 2532 1344 dekont.pdf.exe 35 PID 1344 wrote to memory of 2532 1344 dekont.pdf.exe 35 PID 1344 wrote to memory of 2580 1344 dekont.pdf.exe 36 PID 1344 wrote to memory of 2580 1344 dekont.pdf.exe 36 PID 1344 wrote to memory of 2580 1344 dekont.pdf.exe 36 PID 1344 wrote to memory of 2580 1344 dekont.pdf.exe 36 PID 1344 wrote to memory of 1900 1344 dekont.pdf.exe 37 PID 1344 wrote to memory of 1900 1344 dekont.pdf.exe 37 PID 1344 wrote to memory of 1900 1344 dekont.pdf.exe 37 PID 1344 wrote to memory of 1900 1344 dekont.pdf.exe 37 PID 1344 wrote to memory of 2932 1344 dekont.pdf.exe 38 PID 1344 wrote to memory of 2932 1344 dekont.pdf.exe 38 PID 1344 wrote to memory of 2932 1344 dekont.pdf.exe 38 PID 1344 wrote to memory of 2932 1344 dekont.pdf.exe 38 PID 1344 wrote to memory of 2932 1344 dekont.pdf.exe 38 PID 1344 wrote to memory of 2932 1344 dekont.pdf.exe 38 PID 1344 wrote to memory of 2932 1344 dekont.pdf.exe 38 PID 1344 wrote to memory of 2932 1344 dekont.pdf.exe 38 PID 1344 wrote to memory of 2932 1344 dekont.pdf.exe 38 -
outlook_office_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 dekont.pdf.exe -
outlook_win_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 dekont.pdf.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\dekont.pdf.exe"C:\Users\Admin\AppData\Local\Temp\dekont.pdf.exe"1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1344 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\dekont.pdf.exe"2⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2676
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\LtqNXjPVtQPl.exe"2⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2464
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\LtqNXjPVtQPl" /XML "C:\Users\Admin\AppData\Local\Temp\tmp79C2.tmp"2⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:2752
-
-
C:\Users\Admin\AppData\Local\Temp\dekont.pdf.exe"C:\Users\Admin\AppData\Local\Temp\dekont.pdf.exe"2⤵PID:2524
-
-
C:\Users\Admin\AppData\Local\Temp\dekont.pdf.exe"C:\Users\Admin\AppData\Local\Temp\dekont.pdf.exe"2⤵PID:2532
-
-
C:\Users\Admin\AppData\Local\Temp\dekont.pdf.exe"C:\Users\Admin\AppData\Local\Temp\dekont.pdf.exe"2⤵PID:2580
-
-
C:\Users\Admin\AppData\Local\Temp\dekont.pdf.exe"C:\Users\Admin\AppData\Local\Temp\dekont.pdf.exe"2⤵PID:1900
-
-
C:\Users\Admin\AppData\Local\Temp\dekont.pdf.exe"C:\Users\Admin\AppData\Local\Temp\dekont.pdf.exe"2⤵
- Accesses Microsoft Outlook profiles
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:2932
-
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
2Credentials In Files
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD52ed5abe5cddb8016f8283c9982fb66c9
SHA1c24fc41d8904d349b08c9d8881e8ed77d54221ce
SHA25617d1514eb123aaca73fae2286827a40372ebe47cf83f5397621bfe3861e6ff51
SHA51250ae0f8becc6dfd511d9300876a4f89378bc4929e4cb8543a87282497bd9956b887871e41dc2b9a11fb830760632bec2ae76f22010c82c7e2e98d948b15b2598
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize7KB
MD50ec6c14a5148e4454e495e786455f99b
SHA1ffa6a3375694ea14bf98d4171141290af1b46d5d
SHA256fd1c072e35ee7348795f3bbbd54924b4f9417ab83b2ef52f921f563b054cdeb8
SHA5125903e8ad70d53362ac1d4009eb8f2fccb035b446d6514161b0307d29e1e82e05b001f49f013f7a239edfe12222d91d76fa945263bed3ec7d22f5c44eb7230130