Analysis
-
max time kernel
127s -
max time network
125s -
platform
windows7_x64 -
resource
win7-20240611-en -
resource tags
arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system -
submitted
28-06-2024 06:27
Static task
static1
Behavioral task
behavioral1
Sample
SHIPPING DOCUMENTS.exe
Resource
win7-20240611-en
Behavioral task
behavioral2
Sample
SHIPPING DOCUMENTS.exe
Resource
win10v2004-20240508-en
General
-
Target
SHIPPING DOCUMENTS.exe
-
Size
1.2MB
-
MD5
1061052e6af2a0c5b93bd3208b799b53
-
SHA1
ae2717741a67a667810bc1acd0d2410fb3f123c7
-
SHA256
dd52c7558bea0e028364a138ed99a13962d0d8ac14c5c17b8645741ac82792bb
-
SHA512
53719347af2891281e8152538d700d03f1fe1f8226ad336a2be6d0da6d09c85aaa3c281a59465ea29c5a6e1d87729bd814a15e390e7bc2b19edb95f5aa0913ee
-
SSDEEP
12288:mmmWpzZDRj6jRPLjRPqjBjjyjBjBjBjBjLjuY1amldaailF/d85+BpNij60ToZUh:E1aAOFJT26IEIXj450RRe9cV
Malware Config
Extracted
snakekeylogger
https://api.telegram.org/bot1634002210:AAGipukUEr-bNBgl2R1_hwFgfb9ez_v6wzE/sendMessage?chat_id=1401219117
Signatures
-
Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
Processes:
SHIPPING DOCUMENTS.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 SHIPPING DOCUMENTS.exe Key opened \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 SHIPPING DOCUMENTS.exe Key opened \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 SHIPPING DOCUMENTS.exe -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 2 checkip.dyndns.org -
Suspicious use of SetThreadContext 1 IoCs
Processes:
SHIPPING DOCUMENTS.exedescription pid process target process PID 2152 set thread context of 936 2152 SHIPPING DOCUMENTS.exe SHIPPING DOCUMENTS.exe -
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target process target process 612 936 WerFault.exe SHIPPING DOCUMENTS.exe -
Suspicious behavior: EnumeratesProcesses 3 IoCs
Processes:
SHIPPING DOCUMENTS.exeSHIPPING DOCUMENTS.exepid process 2152 SHIPPING DOCUMENTS.exe 2152 SHIPPING DOCUMENTS.exe 936 SHIPPING DOCUMENTS.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
SHIPPING DOCUMENTS.exeSHIPPING DOCUMENTS.exedescription pid process Token: SeDebugPrivilege 2152 SHIPPING DOCUMENTS.exe Token: SeDebugPrivilege 936 SHIPPING DOCUMENTS.exe -
Suspicious use of WriteProcessMemory 17 IoCs
Processes:
SHIPPING DOCUMENTS.exeSHIPPING DOCUMENTS.exedescription pid process target process PID 2152 wrote to memory of 1948 2152 SHIPPING DOCUMENTS.exe SHIPPING DOCUMENTS.exe PID 2152 wrote to memory of 1948 2152 SHIPPING DOCUMENTS.exe SHIPPING DOCUMENTS.exe PID 2152 wrote to memory of 1948 2152 SHIPPING DOCUMENTS.exe SHIPPING DOCUMENTS.exe PID 2152 wrote to memory of 1948 2152 SHIPPING DOCUMENTS.exe SHIPPING DOCUMENTS.exe PID 2152 wrote to memory of 936 2152 SHIPPING DOCUMENTS.exe SHIPPING DOCUMENTS.exe PID 2152 wrote to memory of 936 2152 SHIPPING DOCUMENTS.exe SHIPPING DOCUMENTS.exe PID 2152 wrote to memory of 936 2152 SHIPPING DOCUMENTS.exe SHIPPING DOCUMENTS.exe PID 2152 wrote to memory of 936 2152 SHIPPING DOCUMENTS.exe SHIPPING DOCUMENTS.exe PID 2152 wrote to memory of 936 2152 SHIPPING DOCUMENTS.exe SHIPPING DOCUMENTS.exe PID 2152 wrote to memory of 936 2152 SHIPPING DOCUMENTS.exe SHIPPING DOCUMENTS.exe PID 2152 wrote to memory of 936 2152 SHIPPING DOCUMENTS.exe SHIPPING DOCUMENTS.exe PID 2152 wrote to memory of 936 2152 SHIPPING DOCUMENTS.exe SHIPPING DOCUMENTS.exe PID 2152 wrote to memory of 936 2152 SHIPPING DOCUMENTS.exe SHIPPING DOCUMENTS.exe PID 936 wrote to memory of 612 936 SHIPPING DOCUMENTS.exe WerFault.exe PID 936 wrote to memory of 612 936 SHIPPING DOCUMENTS.exe WerFault.exe PID 936 wrote to memory of 612 936 SHIPPING DOCUMENTS.exe WerFault.exe PID 936 wrote to memory of 612 936 SHIPPING DOCUMENTS.exe WerFault.exe -
outlook_office_path 1 IoCs
Processes:
SHIPPING DOCUMENTS.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 SHIPPING DOCUMENTS.exe -
outlook_win_path 1 IoCs
Processes:
SHIPPING DOCUMENTS.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 SHIPPING DOCUMENTS.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\SHIPPING DOCUMENTS.exe"C:\Users\Admin\AppData\Local\Temp\SHIPPING DOCUMENTS.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\SHIPPING DOCUMENTS.exe"C:\Users\Admin\AppData\Local\Temp\SHIPPING DOCUMENTS.exe"2⤵
-
C:\Users\Admin\AppData\Local\Temp\SHIPPING DOCUMENTS.exe"C:\Users\Admin\AppData\Local\Temp\SHIPPING DOCUMENTS.exe"2⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- outlook_office_path
- outlook_win_path
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 936 -s 10443⤵
- Program crash
-
C:\Windows\SysWOW64\DllHost.exeC:\Windows\SysWOW64\DllHost.exe /Processid:{3F6B5E16-092A-41ED-930B-0B4125D91D4E}1⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/936-21-0x0000000074450000-0x0000000074B3E000-memory.dmpFilesize
6.9MB
-
memory/936-13-0x0000000000400000-0x000000000046A000-memory.dmpFilesize
424KB
-
memory/936-20-0x0000000000400000-0x000000000046A000-memory.dmpFilesize
424KB
-
memory/936-18-0x0000000000400000-0x000000000046A000-memory.dmpFilesize
424KB
-
memory/936-23-0x0000000074450000-0x0000000074B3E000-memory.dmpFilesize
6.9MB
-
memory/936-11-0x0000000000400000-0x000000000046A000-memory.dmpFilesize
424KB
-
memory/936-12-0x0000000000400000-0x000000000046A000-memory.dmpFilesize
424KB
-
memory/936-10-0x0000000000400000-0x000000000046A000-memory.dmpFilesize
424KB
-
memory/936-16-0x0000000000400000-0x000000000046A000-memory.dmpFilesize
424KB
-
memory/936-24-0x0000000074450000-0x0000000074B3E000-memory.dmpFilesize
6.9MB
-
memory/936-14-0x000000007EFDE000-0x000000007EFDF000-memory.dmpFilesize
4KB
-
memory/2152-2-0x0000000074450000-0x0000000074B3E000-memory.dmpFilesize
6.9MB
-
memory/2152-0-0x000000007445E000-0x000000007445F000-memory.dmpFilesize
4KB
-
memory/2152-1-0x0000000000260000-0x000000000039E000-memory.dmpFilesize
1.2MB
-
memory/2152-9-0x0000000005580000-0x0000000005612000-memory.dmpFilesize
584KB
-
memory/2152-8-0x0000000074450000-0x0000000074B3E000-memory.dmpFilesize
6.9MB
-
memory/2152-22-0x0000000074450000-0x0000000074B3E000-memory.dmpFilesize
6.9MB
-
memory/2152-7-0x000000007445E000-0x000000007445F000-memory.dmpFilesize
4KB
-
memory/2152-6-0x0000000000650000-0x000000000065A000-memory.dmpFilesize
40KB