Analysis
  max time kernel:   136s
  max time network:  150s
  platform:          windows7_x64
  resource:          win7-20230220-en
  resource tags:     arch:x64  arch:x86  image:win7-20230220-en  locale:en-us  os:windows7-x64  system
  submitted:         02-06-2023 13:19

  Static task:       static1
  Behavioral task:   behavioral1   Sample: Purchase Order 0620.PDF.exe   Resource: win7-20230220-en
  Behavioral task:   behavioral2   Sample: Purchase Order 0620.PDF.exe   Resource: win10v2004-20230220-en
General
  Target:  Purchase Order 0620.PDF.exe
  Size:    1.4MB
  MD5:     ce21d87f567ceca173a92c5a1b3ba148
  SHA1:    18d4d80d666d92644268f80e9eaa7946f399d44d
  SHA256:  9dcb7d8c883fea91934040f7249a70f39aad7e75345a3e13ad06d14399153df1
  SHA512:  6961ce4d1d2a301ac131f2dd81150b743b4e38b2e3cd8b31c8e9d251368e97f730a01f92e708183fd8009fe9037f2d9432c869effc31a91f34136c7e772298f0
  SSDEEP:  24576:lTbBv5rUFcDvfTPmHkTD4jLfgoPS+O6ZNqmSEF9SvXeMi0j8x+B5A4d7UGOQ8Oxv:PBHnTOHk30LfBP/ZcmSvXeMdj8xyxb/d
Malware Config
  Extracted: snakekeylogger
  https://api.telegram.org/bot5553654095:AAFY7fGm3A2NSyoJOWhzq_VfL3zRwqCo4Ow/sendMessage?chat_id=6183982484
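The extracted configuration is a Telegram Bot API URL: Snake Keylogger posts stolen data to the operator's chat through the bot. The following is an added example, not part of the Triage report and not the malware's own code. It splits the extracted URL into the parts a defender hunts on (the numeric bot id, the full token, the API method and the chat_id) and then scans proxy log lines for Bot API requests, tagging a request that carries this exact token as known C2. The log lines are constructed for the example and their field layout (timestamp, client, process, method, host, path) is an assumption; the IP-lookup host list holds the service the report observed.

```python
"""Parse the extracted Telegram Bot API C2 and hunt for it in proxy logs (added example)."""
import re
from urllib.parse import parse_qs, urlsplit

# The C2 URL extracted by the sandbox (from the Malware Config section above).
CONFIG_URL = ("https://api.telegram.org/bot5553654095:AAFY7fGm3A2NSyoJOWhzq_VfL3zRwqCo4Ow"
              "/sendMessage?chat_id=6183982484")

# Bot API paths have the shape /bot<bot_id>:<secret>/<method>. The numeric prefix is the
# bot account's user id; the whole "<bot_id>:<secret>" string is the token (a credential).
BOT_PATH = re.compile(r"^/bot(?P<bot_id>\d+):(?P<secret>[A-Za-z0-9_-]+)/(?P<method>\w+)$")


def parse_telegram_c2(url: str):
    """Split a Telegram Bot API URL into its hunting-relevant parts, or None if it is not one."""
    u = urlsplit(url)
    m = BOT_PATH.match(u.path)
    if u.hostname != "api.telegram.org" or not m:
        return None
    chat_id = parse_qs(u.query).get("chat_id", [None])[0]
    return {
        "bot_id": m["bot_id"],
        "token": f"{m['bot_id']}:{m['secret']}",
        "method": m["method"],
        "chat_id": chat_id,
    }


# Constructed proxy log lines (assumed layout: ts client process method host path).
# The first two rows model this sample's traffic; the rest is background noise,
# including an assumed in-house alerting bot that legitimately uses the Bot API.
PROXY_LOG = """\
2023-06-02T13:21:04Z 10.0.0.15 RegSvcs.exe POST api.telegram.org /bot5553654095:AAFY7fGm3A2NSyoJOWhzq_VfL3zRwqCo4Ow/sendMessage
2023-06-02T13:21:05Z 10.0.0.15 RegSvcs.exe GET checkip.dyndns.org /
2023-06-02T13:22:00Z 10.0.0.22 python.exe POST api.telegram.org /bot111111111:AAxxxxxxxxxxxxxxxx/getUpdates
2023-06-02T13:23:10Z 10.0.0.9 chrome.exe GET www.example.com /
"""

IP_LOOKUP_HOSTS = {"checkip.dyndns.org"}   # the external-IP service this sample contacted


def hunt(log_text: str, known_token: str):
    """Return (ts, client, process, verdict) tuples for lines worth an analyst's look."""
    hits = []
    for line in log_text.splitlines():
        ts, client, proc, _method, host, path = line.split()
        if host in IP_LOOKUP_HOSTS:
            hits.append((ts, client, proc, "ip_lookup"))
            continue
        if host != "api.telegram.org":
            continue
        m = BOT_PATH.match(path)
        if not m:
            continue
        token = f"{m['bot_id']}:{m['secret']}"
        verdict = "known_c2" if token == known_token else "unknown_bot_api"
        hits.append((ts, client, proc, verdict))
    return hits


if __name__ == "__main__":
    c2 = parse_telegram_c2(CONFIG_URL)
    print(c2)
    for hit in hunt(PROXY_LOG, c2["token"]):
        print(hit)
```

Matching on the token in the path needs TLS inspection; without it the proxy only sees the host, and api.telegram.org is a legitimate destination with real users, so blocking the host outright has collateral. Without inspection, pivot instead on the combination visible here: a non-browser process (RegSvcs.exe) talking to an IP-lookup service and to api.telegram.org from the same client within seconds.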
Signatures

Snake Keylogger
  Keylogger and infostealer first seen in November 2020.

Snake Keylogger payload (6 IoCs)
  resource                                                                        yara_rule
  behavioral1/memory/1444-199-0x0000000000260000-0x0000000000897000-memory.dmp    family_snakekeylogger
  behavioral1/memory/1444-202-0x0000000000260000-0x0000000000897000-memory.dmp    family_snakekeylogger
  behavioral1/memory/1444-204-0x0000000000260000-0x0000000000897000-memory.dmp    family_snakekeylogger
  behavioral1/memory/1444-206-0x0000000000260000-0x0000000000286000-memory.dmp    family_snakekeylogger
  behavioral1/memory/1444-207-0x0000000005150000-0x0000000005190000-memory.dmp    family_snakekeylogger
  behavioral1/memory/1444-208-0x0000000005150000-0x0000000005190000-memory.dmp    family_snakekeylogger

StormKitty
  StormKitty is an open source info stealer written in C#.

StormKitty payload (5 IoCs)
  resource                                                                        yara_rule
  behavioral1/memory/1444-199-0x0000000000260000-0x0000000000897000-memory.dmp    family_stormkitty
  behavioral1/memory/1444-202-0x0000000000260000-0x0000000000897000-memory.dmp    family_stormkitty
  behavioral1/memory/1444-204-0x0000000000260000-0x0000000000897000-memory.dmp    family_stormkitty
  behavioral1/memory/1444-206-0x0000000000260000-0x0000000000286000-memory.dmp    family_stormkitty
  behavioral1/memory/1444-207-0x0000000005150000-0x0000000005190000-memory.dmp    family_stormkitty

Executes dropped EXE (2 IoCs)
  pid    process
  1344   cvpbv.exe
  1444   RegSvcs.exe

Loads dropped DLL (2 IoCs)
  pid    process
  1616   cmd.exe
  1344   cvpbv.exe

Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
  description   ioc                                                                                                                                                            process
  Key opened    \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676   RegSvcs.exe
  Key opened    \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676                                      RegSvcs.exe
  Key opened    \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676                                      RegSvcs.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
  description       ioc                                                                                                                                 process
  Key created       \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run                                                         cvpbv.exe
  Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "0\\frtx\\cvpbv.exe 0\\frtx\\mwfjldri.pdf"   cvpbv.exe

Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow   ioc
  4      checkip.dyndns.org

Suspicious use of SetThreadContext (1 IoC)
  description                            pid    process     target process
  PID 1344 set thread context of 1444    1344   cvpbv.exe   RegSvcs.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Gathers network information (2 TTPs, 2 IoCs)
  Uses commandline utility to view network configuration.
  pid    process
  916    ipconfig.exe
  668    ipconfig.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid    process
  1444   RegSvcs.exe
  1444   RegSvcs.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
  description               pid    process
  Token: SeDebugPrivilege   1444   RegSvcs.exe

Suspicious use of SetWindowsHookEx (1 IoC)
  pid    process
  1444   RegSvcs.exe

Suspicious use of WriteProcessMemory (40 IoCs)
  Identical rows collapsed; the count column is the number of "PID X wrote to memory of Y" events for that pair.
  source pid   source process                 target pid   target process   count
  1348         Purchase Order 0620.PDF.exe    2008         wscript.exe      4
  2008         wscript.exe                    1728         cmd.exe          4
  2008         wscript.exe                    1616         cmd.exe          4
  1728         cmd.exe                        916          ipconfig.exe     4
  1616         cmd.exe                        1344         cvpbv.exe        7
  2008         wscript.exe                    768          cmd.exe          4
  768          cmd.exe                        668          ipconfig.exe     4
  1344         cvpbv.exe                      1444         RegSvcs.exe      9

outlook_office_path (1 IoC)
  description   ioc                                                                                                                                                            process
  Key opened    \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676                                      RegSvcs.exe

outlook_win_path (1 IoC)
  description   ioc                                                                                                                                                            process
  Key opened    \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676   RegSvcs.exe
Processes
  (The children are 32-bit processes: the System32 paths in their command lines resolve to SysWOW64 through WOW64 file-system redirection.)

  [1] C:\Users\Admin\AppData\Local\Temp\Purchase Order 0620.PDF.exe
      cmdline: "C:\Users\Admin\AppData\Local\Temp\Purchase Order 0620.PDF.exe"
      - Suspicious use of WriteProcessMemory

      [2] C:\Windows\SysWOW64\wscript.exe
          cmdline: "C:\Windows\System32\wscript.exe" cwc.vbe
          - Suspicious use of WriteProcessMemory

          [3] C:\Windows\SysWOW64\cmd.exe
              cmdline: "C:\Windows\System32\cmd.exe" /c ipconfig /release
              - Suspicious use of WriteProcessMemory

              [4] C:\Windows\SysWOW64\ipconfig.exe
                  cmdline: ipconfig /release
                  - Gathers network information

          [3] C:\Windows\SysWOW64\cmd.exe
              cmdline: "C:\Windows\System32\cmd.exe" /c cvpbv.exe mwfjldri.pdf
              - Loads dropped DLL
              - Suspicious use of WriteProcessMemory

              [4] C:\Users\Admin\AppData\Local\Temp\RarSFX0\cvpbv.exe
                  cmdline: cvpbv.exe mwfjldri.pdf
                  - Executes dropped EXE
                  - Loads dropped DLL
                  - Adds Run key to start application
                  - Suspicious use of SetThreadContext
                  - Suspicious use of WriteProcessMemory

                  [5] C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
                      cmdline: "C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
                      - Executes dropped EXE
                      - Accesses Microsoft Outlook profiles
                      - Suspicious behavior: EnumeratesProcesses
                      - Suspicious use of AdjustPrivilegeToken
                      - Suspicious use of SetWindowsHookEx
                      - outlook_office_path
                      - outlook_win_path

          [3] C:\Windows\SysWOW64\cmd.exe
              cmdline: "C:\Windows\System32\cmd.exe" /c ipconfig /renew
              - Suspicious use of WriteProcessMemory

              [4] C:\Windows\SysWOW64\ipconfig.exe
                  cmdline: ipconfig /renew
                  - Gathers network information
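The process tree shows four behaviours a detection engineer can key on: a script host (wscript.exe) driving cmd.exe to release and later renew the DHCP lease around the payload's execution; a stage started out of a WinRAR SFX extraction directory (RarSFX0) with a document-looking argument (mwfjldri.pdf); a double-extension lure (.PDF.exe); and cvpbv.exe writing into and calling SetThreadContext on a process running a different image (RegSvcs.exe), which together is the process-hollowing pattern. The code below is an added example and not part of the Triage report or of any sensor's rule set. It reconstructs parent chains from constructed process-creation events that mirror the tree above and flags each behaviour; the event field layout, the root's parent PID (1000) and the existence of a sensor that records SetThreadContext source and target PIDs are assumptions of the example.

```python
"""Process-chain detection for the execution pattern in this report (added example)."""
import os
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full path of the executing image
    cmdline: str


@dataclass(frozen=True)
class ThreadCtxEvent:
    src_pid: int    # process that called SetThreadContext
    dst_pid: int    # process whose thread context was rewritten


T = r"C:\Users\Admin\AppData\Local\Temp"
W = r"C:\Windows\SysWOW64"

# Constructed events mirroring the process tree in the report. The root's parent
# PID (1000) and the log field layout are assumptions of this example.
PROC_EVENTS = [
    ProcEvent(1348, 1000, T + r"\Purchase Order 0620.PDF.exe", f'"{T}\\Purchase Order 0620.PDF.exe"'),
    ProcEvent(2008, 1348, W + r"\wscript.exe", r'"C:\Windows\System32\wscript.exe" cwc.vbe'),
    ProcEvent(1728, 2008, W + r"\cmd.exe", r'"C:\Windows\System32\cmd.exe" /c ipconfig /release'),
    ProcEvent(916, 1728, W + r"\ipconfig.exe", "ipconfig /release"),
    ProcEvent(1616, 2008, W + r"\cmd.exe", r'"C:\Windows\System32\cmd.exe" /c cvpbv.exe mwfjldri.pdf'),
    ProcEvent(1344, 1616, T + r"\RarSFX0\cvpbv.exe", "cvpbv.exe mwfjldri.pdf"),
    ProcEvent(1444, 1344, T + r"\RegSvcs.exe", f'"{T}\\RegSvcs.exe"'),
    ProcEvent(768, 2008, W + r"\cmd.exe", r'"C:\Windows\System32\cmd.exe" /c ipconfig /renew'),
    ProcEvent(668, 768, W + r"\ipconfig.exe", "ipconfig /renew"),
]
CTX_EVENTS = [ThreadCtxEvent(1344, 1444)]   # from "Suspicious use of SetThreadContext"

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
SFX_DIR = re.compile(r"\\appdata\\local\\temp\\rarsfx\d+\\", re.I)   # WinRAR SFX extraction dir
DECOY_ARG = re.compile(r"\s\S+\.(?:pdf|docx?|xlsx?|jpe?g|png|txt)\b", re.I)
DOUBLE_EXT = re.compile(r"\.(?:pdf|docx?|xlsx?)\.exe$", re.I)
IPCONFIG_NET = re.compile(r"/(?:release|renew)\b", re.I)


def basename(path: str) -> str:
    return os.path.basename(path.replace("\\", "/")).lower()


def ancestors(pid: int, by_pid: dict) -> list:
    """Image basenames from pid up to the root, nearest ancestor first."""
    out = []
    while pid in by_pid:
        out.append(basename(by_pid[pid].image))
        pid = by_pid[pid].ppid
    return out


def detect(proc_events, ctx_events):
    """Return (rule, pid) pairs for the four behaviours visible in this chain."""
    by_pid = {e.pid: e for e in proc_events}
    alerts = []
    for e in proc_events:
        name = basename(e.image)
        # 1. A script host tearing down or re-establishing the DHCP lease via cmd.exe.
        if name == "ipconfig.exe" and IPCONFIG_NET.search(e.cmdline) \
                and any(a in SCRIPT_HOSTS for a in ancestors(e.ppid, by_pid)):
            alerts.append(("script_host_ipconfig", e.pid))
        # 2. A stage run out of a RarSFX temp dir with a document-looking argument.
        if SFX_DIR.search(e.image) and DECOY_ARG.search(e.cmdline):
            alerts.append(("sfx_stage_with_decoy_arg", e.pid))
        # 3. Double extension on the initial lure.
        if DOUBLE_EXT.search(e.image):
            alerts.append(("double_extension", e.pid))
    # 4. SetThreadContext into a process running a different image: the hollowing
    #    pattern when paired with WriteProcessMemory from the same source process.
    for c in ctx_events:
        s, d = by_pid.get(c.src_pid), by_pid.get(c.dst_pid)
        if s and d and basename(s.image) != basename(d.image):
            alerts.append(("thread_context_cross_image", c.dst_pid))
    return alerts


if __name__ == "__main__":
    for rule, pid in detect(PROC_EVENTS, CTX_EVENTS):
        print(f"{rule:28} pid={pid}")
```

The ipconfig rule walks the full ancestor chain rather than checking only the direct parent, because the script host here is two hops above ipconfig.exe (wscript.exe, cmd.exe, ipconfig.exe). Rule 4 fires on the target PID so the alert points at the process whose memory should be dumped, which matches where the yara hits in this report landed (PID 1444).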
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
  (Each dropped file is listed once; the report showed cvpbv.exe and RegSvcs.exe under several path forms with identical hashes.)

  C:\Users\Admin\AppData\Local\Temp\RarSFX0\btfgkvg.xxc
    Filesize  216KB
    MD5       abb2f5e3e20291edb57e01be346b0e21
    SHA1      ce269857ead41a1de24c2576c85e5923d22be6ee
    SHA256    f9f3b57977b57f23740be41dc42dc5357a52198dbf133ebd0c5d25a635fc82c0
    SHA512    6a3552118d439192c8770fd4cef43f62fb0b93a58a5b4f66cdaf280941a2d670547d73a88bb0c3a70fe0c20e0f12bcbc75115b4c900a71dc7a1e9849c301986b

  C:\Users\Admin\AppData\Local\Temp\RarSFX0\cvpbv.exe
    Filesize  2.5MB
    MD5       6392f0eda094b2e87a318e710ec0d613
    SHA1      a011c66bad7d90d306c9a9085f50c5b14f316251
    SHA256    cf2dbbcef3735e85c2e3c4ee03ad01fe39084da5ad8968961b3e66b98d87d235
    SHA512    76177f53d8f5d13cefb8834222cc7a976ea4f866129d7dcaa65c3b56f450da8fc8fbee16f38cccb5e02aa4f62d6154f1b2358d881899cd33e8a29171aaa0029d

  C:\Users\Admin\AppData\Local\Temp\RarSFX0\cwc.vbe
    Filesize  53KB
    MD5       e52fae50a8a40a59b795226d2de37fa6
    SHA1      0b2018b672d3767678dc16aa9ed2832f2a17fd57
    SHA256    b4f5341aedd875e5c079cd1df931412ec0397b09a774659ad0d15fed9689136b
    SHA512    9486de7a8c6fe234f6f32694331d31f49cf817a844be69bd56773bd5b4f69271727d4041a15a1119c763c451b0adcffe0d135f6ad87218330411eab4cdd55764

  C:\Users\Admin\AppData\Local\Temp\RarSFX0\jnia.xml
    Filesize  33KB
    MD5       dec56f2811b7f2aeafa950763ad1e7ba
    SHA1      cdfd898210007571e15d92fc868a5b0e8d410023
    SHA256    7a004bd5bbaf47fecbc7f058cd8cb213e4efdfa4e9e02c63d0d3737855651292
    SHA512    4794530a924599b30a68efeab3bb96c96508230d0015e22f73a59a6a323d507ddbf9023b92f0db636b9c6c3f86c47f9af40527f552319dbe3d45062c5d81ae7a

  C:\Users\Admin\AppData\Local\Temp\RarSFX0\mwfjldri.pdf
    Filesize  117.1MB
    MD5       ad2cbc6b0d41e86bdc56bf659ddc123b
    SHA1      7e9a7a3786e57790ac5ddb765366432e38434635
    SHA256    8ceb7e7faa2cafaea3ea9b208e1819f8de4e613061904a71f062bfa2037e59de
    SHA512    f5654b2b1021f286c462ba80c0080359e7bdea0dd2869ceee23007d3f02e9cd84d039cab4f99c7c38e7e89ebc64b62645388b0e8d7e239a7d74d27fb13487c0d

  C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
    Filesize  44KB
    MD5       0e06054beb13192588e745ee63a84173
    SHA1      30b7d4d1277bafd04a83779fd566a1f834a8d113
    SHA256    c5d6d56ded55fbd6c150ee3a0eb2e5671cae83106be2be4d70ce50aa50bab768
    SHA512    251a112f3f037e62ff67a467389e47a56afb344bc942b17efa9bd2970494718b26bbee9adc3ac35f93ee4d2114aa426b6d0ea4bafad294b6c118a15f1977c215

  Memory dumps (PID 1444, RegSvcs.exe)
    memory/1444-197-0x0000000000260000-0x0000000000897000-memory.dmp   6.2MB
    memory/1444-199-0x0000000000260000-0x0000000000897000-memory.dmp   6.2MB
    memory/1444-202-0x0000000000260000-0x0000000000897000-memory.dmp   6.2MB
    memory/1444-204-0x0000000000260000-0x0000000000897000-memory.dmp   6.2MB
    memory/1444-198-0x000000007EFDE000-0x000000007EFDF000-memory.dmp   4KB
    memory/1444-206-0x0000000000260000-0x0000000000286000-memory.dmp   152KB
    memory/1444-207-0x0000000005150000-0x0000000005190000-memory.dmp   256KB
    memory/1444-208-0x0000000005150000-0x0000000005190000-memory.dmp   256KB