Analysis
- max time kernel: 146s
- max time network: 148s
- platform: windows10-2004_x64
- resource: win10v2004-20230220-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 02-06-2023 13:19
Static task: static1
Behavioral task: behavioral1
- Sample: Purchase Order 0620.PDF.exe
- Resource: win7-20230220-en
Behavioral task: behavioral2
- Sample: Purchase Order 0620.PDF.exe
- Resource: win10v2004-20230220-en
General
- Target: Purchase Order 0620.PDF.exe
- Size: 1.4MB
- MD5: ce21d87f567ceca173a92c5a1b3ba148
- SHA1: 18d4d80d666d92644268f80e9eaa7946f399d44d
- SHA256: 9dcb7d8c883fea91934040f7249a70f39aad7e75345a3e13ad06d14399153df1
- SHA512: 6961ce4d1d2a301ac131f2dd81150b743b4e38b2e3cd8b31c8e9d251368e97f730a01f92e708183fd8009fe9037f2d9432c869effc31a91f34136c7e772298f0
- SSDEEP: 24576:lTbBv5rUFcDvfTPmHkTD4jLfgoPS+O6ZNqmSEF9SvXeMi0j8x+B5A4d7UGOQ8Oxv:PBHnTOHk30LfBP/ZcmSvXeMdj8xyxb/d
Malware Config
Extracted: snakekeylogger
- https://api.telegram.org/bot5553654095:AAFY7fGm3A2NSyoJOWhzq_VfL3zRwqCo4Ow/sendMessage?chat_id=6183982484
Signatures
- Snake Keylogger
  Keylogger and Infostealer first seen in November 2020.
- Snake Keylogger payload (2 IoCs)
  Processes:
  resource | yara_rule
  behavioral2/memory/4032-273-0x0000000001300000-0x0000000001937000-memory.dmp | family_snakekeylogger
  behavioral2/memory/4032-276-0x0000000001300000-0x0000000001326000-memory.dmp | family_snakekeylogger
- StormKitty
  StormKitty is an open source info stealer written in C#.
- StormKitty payload (2 IoCs)
  Processes:
  resource | yara_rule
  behavioral2/memory/4032-273-0x0000000001300000-0x0000000001937000-memory.dmp | family_stormkitty
  behavioral2/memory/4032-276-0x0000000001300000-0x0000000001326000-memory.dmp | family_stormkitty
- Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes: Purchase Order 0620.PDF.exe, wscript.exe
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation | Purchase Order 0620.PDF.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation | wscript.exe
- Executes dropped EXE (2 IoCs)
  Processes: cvpbv.exe, RegSvcs.exe
  pid | process
  4320 | cvpbv.exe
  4032 | RegSvcs.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses Microsoft Outlook profiles (1 TTPs, 3 IoCs)
  Processes: RegSvcs.exe
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | RegSvcs.exe
  Key opened | \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | RegSvcs.exe
  Key opened | \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | RegSvcs.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes: cvpbv.exe
  description | ioc | process
  Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | cvpbv.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "0\\frtx\\cvpbv.exe 0\\frtx\\mwfjldri.pdf" | cvpbv.exe
- Looks up external IP address via web service (1 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes:
  flow | ioc
  35 | checkip.dyndns.org
- Suspicious use of SetThreadContext (1 IoCs)
  Processes: cvpbv.exe
  description | pid | process | target process
  PID 4320 set thread context of 4032 | 4320 | cvpbv.exe | RegSvcs.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Gathers network information (2 TTPs, 2 IoCs)
  Uses commandline utility to view network configuration.
  Processes: ipconfig.exe, ipconfig.exe
  pid | process
  2480 | ipconfig.exe
  2104 | ipconfig.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes: RegSvcs.exe
  pid | process
  4032 | RegSvcs.exe
  4032 | RegSvcs.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes: RegSvcs.exe
  description | pid | process
  Token: SeDebugPrivilege | 4032 | RegSvcs.exe
- Suspicious use of SetWindowsHookEx (1 IoCs)
  Processes: RegSvcs.exe
  pid | process
  4032 | RegSvcs.exe
- Suspicious use of WriteProcessMemory (26 IoCs)
  Processes: Purchase Order 0620.PDF.exe, wscript.exe, cmd.exe, cmd.exe, cmd.exe, cvpbv.exe
  description | pid | process | target process
  PID 1628 wrote to memory of 2040 | 1628 | Purchase Order 0620.PDF.exe | wscript.exe
  PID 1628 wrote to memory of 2040 | 1628 | Purchase Order 0620.PDF.exe | wscript.exe
  PID 1628 wrote to memory of 2040 | 1628 | Purchase Order 0620.PDF.exe | wscript.exe
  PID 2040 wrote to memory of 1596 | 2040 | wscript.exe | cmd.exe
  PID 2040 wrote to memory of 1596 | 2040 | wscript.exe | cmd.exe
  PID 2040 wrote to memory of 1596 | 2040 | wscript.exe | cmd.exe
  PID 2040 wrote to memory of 3256 | 2040 | wscript.exe | cmd.exe
  PID 2040 wrote to memory of 3256 | 2040 | wscript.exe | cmd.exe
  PID 2040 wrote to memory of 3256 | 2040 | wscript.exe | cmd.exe
  PID 1596 wrote to memory of 2480 | 1596 | cmd.exe | ipconfig.exe
  PID 1596 wrote to memory of 2480 | 1596 | cmd.exe | ipconfig.exe
  PID 1596 wrote to memory of 2480 | 1596 | cmd.exe | ipconfig.exe
  PID 3256 wrote to memory of 4320 | 3256 | cmd.exe | cvpbv.exe
  PID 3256 wrote to memory of 4320 | 3256 | cmd.exe | cvpbv.exe
  PID 3256 wrote to memory of 4320 | 3256 | cmd.exe | cvpbv.exe
  PID 2040 wrote to memory of 5020 | 2040 | wscript.exe | cmd.exe
  PID 2040 wrote to memory of 5020 | 2040 | wscript.exe | cmd.exe
  PID 2040 wrote to memory of 5020 | 2040 | wscript.exe | cmd.exe
  PID 5020 wrote to memory of 2104 | 5020 | cmd.exe | ipconfig.exe
  PID 5020 wrote to memory of 2104 | 5020 | cmd.exe | ipconfig.exe
  PID 5020 wrote to memory of 2104 | 5020 | cmd.exe | ipconfig.exe
  PID 4320 wrote to memory of 4032 | 4320 | cvpbv.exe | RegSvcs.exe
  PID 4320 wrote to memory of 4032 | 4320 | cvpbv.exe | RegSvcs.exe
  PID 4320 wrote to memory of 4032 | 4320 | cvpbv.exe | RegSvcs.exe
  PID 4320 wrote to memory of 4032 | 4320 | cvpbv.exe | RegSvcs.exe
  PID 4320 wrote to memory of 4032 | 4320 | cvpbv.exe | RegSvcs.exe
- outlook_office_path (1 IoCs)
  Processes: RegSvcs.exe
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | RegSvcs.exe
- outlook_win_path (1 IoCs)
  Processes: RegSvcs.exe
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | RegSvcs.exe
Processes
C:\Users\Admin\AppData\Local\Temp\Purchase Order 0620.PDF.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Purchase Order 0620.PDF.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\wscript.exe (level 2)
    Command line: "C:\Windows\System32\wscript.exe" cwc.vbe
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe (level 3)
      Command line: "C:\Windows\System32\cmd.exe" /c ipconfig /release
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\ipconfig.exe (level 4)
        Command line: ipconfig /release
        - Gathers network information
    C:\Windows\SysWOW64\cmd.exe (level 3)
      Command line: "C:\Windows\System32\cmd.exe" /c cvpbv.exe mwfjldri.pdf
      - Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Local\Temp\RarSFX0\cvpbv.exe (level 4)
        Command line: cvpbv.exe mwfjldri.pdf
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious use of SetThreadContext
        - Suspicious use of WriteProcessMemory
        C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe (level 5)
          Command line: "C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
          - Executes dropped EXE
          - Accesses Microsoft Outlook profiles
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of SetWindowsHookEx
          - outlook_office_path
          - outlook_win_path
    C:\Windows\SysWOW64\cmd.exe (level 3)
      Command line: "C:\Windows\System32\cmd.exe" /c ipconfig /renew
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\ipconfig.exe (level 4)
        Command line: ipconfig /renew
        - Gathers network information
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\btfgkvg.xxc
  Filesize: 216KB
  MD5: abb2f5e3e20291edb57e01be346b0e21
  SHA1: ce269857ead41a1de24c2576c85e5923d22be6ee
  SHA256: f9f3b57977b57f23740be41dc42dc5357a52198dbf133ebd0c5d25a635fc82c0
  SHA512: 6a3552118d439192c8770fd4cef43f62fb0b93a58a5b4f66cdaf280941a2d670547d73a88bb0c3a70fe0c20e0f12bcbc75115b4c900a71dc7a1e9849c301986b
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\cvpbv.exe
  Filesize: 2.5MB
  MD5: 6392f0eda094b2e87a318e710ec0d613
  SHA1: a011c66bad7d90d306c9a9085f50c5b14f316251
  SHA256: cf2dbbcef3735e85c2e3c4ee03ad01fe39084da5ad8968961b3e66b98d87d235
  SHA512: 76177f53d8f5d13cefb8834222cc7a976ea4f866129d7dcaa65c3b56f450da8fc8fbee16f38cccb5e02aa4f62d6154f1b2358d881899cd33e8a29171aaa0029d
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\cwc.vbe
  Filesize: 53KB
  MD5: e52fae50a8a40a59b795226d2de37fa6
  SHA1: 0b2018b672d3767678dc16aa9ed2832f2a17fd57
  SHA256: b4f5341aedd875e5c079cd1df931412ec0397b09a774659ad0d15fed9689136b
  SHA512: 9486de7a8c6fe234f6f32694331d31f49cf817a844be69bd56773bd5b4f69271727d4041a15a1119c763c451b0adcffe0d135f6ad87218330411eab4cdd55764
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\jnia.xml
  Filesize: 33KB
  MD5: dec56f2811b7f2aeafa950763ad1e7ba
  SHA1: cdfd898210007571e15d92fc868a5b0e8d410023
  SHA256: 7a004bd5bbaf47fecbc7f058cd8cb213e4efdfa4e9e02c63d0d3737855651292
  SHA512: 4794530a924599b30a68efeab3bb96c96508230d0015e22f73a59a6a323d507ddbf9023b92f0db636b9c6c3f86c47f9af40527f552319dbe3d45062c5d81ae7a
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\mwfjldri.pdf
  Filesize: 117.1MB
  MD5: ad2cbc6b0d41e86bdc56bf659ddc123b
  SHA1: 7e9a7a3786e57790ac5ddb765366432e38434635
  SHA256: 8ceb7e7faa2cafaea3ea9b208e1819f8de4e613061904a71f062bfa2037e59de
  SHA512: f5654b2b1021f286c462ba80c0080359e7bdea0dd2869ceee23007d3f02e9cd84d039cab4f99c7c38e7e89ebc64b62645388b0e8d7e239a7d74d27fb13487c0d
- C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
  Filesize: 44KB
  MD5: 9d352bc46709f0cb5ec974633a0c3c94
  SHA1: 1969771b2f022f9a86d77ac4d4d239becdf08d07
  SHA256: 2c1eeb7097023c784c2bd040a2005a5070ed6f3a4abf13929377a9e39fab1390
  SHA512: 13c714244ec56beeb202279e4109d59c2a43c3cf29f90a374a751c04fd472b45228ca5a0178f41109ed863dbd34e0879e4a21f5e38ae3d89559c57e6be990a9b
- C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
  Filesize: 44KB
  MD5: 9d352bc46709f0cb5ec974633a0c3c94
  SHA1: 1969771b2f022f9a86d77ac4d4d239becdf08d07
  SHA256: 2c1eeb7097023c784c2bd040a2005a5070ed6f3a4abf13929377a9e39fab1390
  SHA512: 13c714244ec56beeb202279e4109d59c2a43c3cf29f90a374a751c04fd472b45228ca5a0178f41109ed863dbd34e0879e4a21f5e38ae3d89559c57e6be990a9b
- memory/4032-273-0x0000000001300000-0x0000000001937000-memory.dmp
  Filesize: 6.2MB
- memory/4032-276-0x0000000001300000-0x0000000001326000-memory.dmp
  Filesize: 152KB
- memory/4032-277-0x00000000063C0000-0x0000000006964000-memory.dmp
  Filesize: 5.6MB
- memory/4032-278-0x0000000005EC0000-0x0000000005F5C000-memory.dmp
  Filesize: 624KB
- memory/4032-279-0x00000000061F0000-0x0000000006200000-memory.dmp
  Filesize: 64KB
- memory/4032-280-0x00000000061F0000-0x0000000006200000-memory.dmp
  Filesize: 64KB
- memory/4032-281-0x00000000073A0000-0x0000000007432000-memory.dmp
  Filesize: 584KB
- memory/4032-282-0x00000000076A0000-0x00000000076AA000-memory.dmp
  Filesize: 40KB