Overview

overview

10

Static

static

3

Purchase O...DF.exe

windows7-x64

10

Purchase O...DF.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    146s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    02-06-2023 13:19

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Purchase Order 0620.PDF.exe

  • Size

    1.4MB

  • MD5

    ce21d87f567ceca173a92c5a1b3ba148

  • SHA1

    18d4d80d666d92644268f80e9eaa7946f399d44d

  • SHA256

    9dcb7d8c883fea91934040f7249a70f39aad7e75345a3e13ad06d14399153df1

  • SHA512

    6961ce4d1d2a301ac131f2dd81150b743b4e38b2e3cd8b31c8e9d251368e97f730a01f92e708183fd8009fe9037f2d9432c869effc31a91f34136c7e772298f0

  • SSDEEP

    24576:lTbBv5rUFcDvfTPmHkTD4jLfgoPS+O6ZNqmSEF9SvXeMi0j8x+B5A4d7UGOQ8Oxv:PBHnTOHk30LfBP/ZcmSvXeMdj8xyxb/d

Score
10/10
snakekeyloggerstormkittycollectionkeyloggerpersistencespywarestealer

Malware Config

Extracted

Family

snakekeylogger

C2

https://api.telegram.org/bot5553654095:AAFY7fGm3A2NSyoJOWhzq_VfL3zRwqCo4Ow/sendMessage?chat_id=6183982484

Signatures

  • Snake Keylogger

    Keylogger and Infostealer first seen in November 2020.

    stealerkeyloggersnakekeylogger
  • Snake Keylogger payload 2 IoCs
  • StormKitty

    StormKitty is an open source info stealer written in C#.

    stealerstormkitty
  • StormKitty payload 2 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Gathers network information 2 TTPs 2 IoCs

    Uses commandline utility to view network configuration.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 26 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Purchase Order 0620.PDF.exe
    "C:\Users\Admin\AppData\Local\Temp\Purchase Order 0620.PDF.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:1628
    • C:\Windows\SysWOW64\wscript.exe
      "C:\Windows\System32\wscript.exe" cwc.vbe
      2⤵
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:2040
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c ipconfig /release
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1596
        • C:\Windows\SysWOW64\ipconfig.exe
          ipconfig /release
          4⤵
          • Gathers network information
          PID:2480
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c cvpbv.exe mwfjldri.pdf
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3256
        • C:\Users\Admin\AppData\Local\Temp\RarSFX0\cvpbv.exe
          cvpbv.exe mwfjldri.pdf
          4⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • Suspicious use of SetThreadContext
          • Suspicious use of WriteProcessMemory
          PID:4320
          • C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
            "C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
            5⤵
            • Executes dropped EXE
            • Accesses Microsoft Outlook profiles
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of SetWindowsHookEx
            • outlook_office_path
            • outlook_win_path
            PID:4032
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c ipconfig /renew
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:5020
        • C:\Windows\SysWOW64\ipconfig.exe
          ipconfig /renew
          4⤵
          • Gathers network information
          PID:2104

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Command-Line Interface

1
T1059

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Credentials in Files

1
T1081

Discovery

Query Registry

1
T1012

System Information Discovery

3
T1082

Lateral Movement

Collection

Data from Local System

1
T1005

Email Collection

1
T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\btfgkvg.xxc
    Filesize

    216KB

    MD5

    abb2f5e3e20291edb57e01be346b0e21

    SHA1

    ce269857ead41a1de24c2576c85e5923d22be6ee

    SHA256

    f9f3b57977b57f23740be41dc42dc5357a52198dbf133ebd0c5d25a635fc82c0

    SHA512

    6a3552118d439192c8770fd4cef43f62fb0b93a58a5b4f66cdaf280941a2d670547d73a88bb0c3a70fe0c20e0f12bcbc75115b4c900a71dc7a1e9849c301986b

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\cvpbv.exe
    Filesize

    2.5MB

    MD5

    6392f0eda094b2e87a318e710ec0d613

    SHA1

    a011c66bad7d90d306c9a9085f50c5b14f316251

    SHA256

    cf2dbbcef3735e85c2e3c4ee03ad01fe39084da5ad8968961b3e66b98d87d235

    SHA512

    76177f53d8f5d13cefb8834222cc7a976ea4f866129d7dcaa65c3b56f450da8fc8fbee16f38cccb5e02aa4f62d6154f1b2358d881899cd33e8a29171aaa0029d

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\cwc.vbe
    Filesize

    53KB

    MD5

    e52fae50a8a40a59b795226d2de37fa6

    SHA1

    0b2018b672d3767678dc16aa9ed2832f2a17fd57

    SHA256

    b4f5341aedd875e5c079cd1df931412ec0397b09a774659ad0d15fed9689136b

    SHA512

    9486de7a8c6fe234f6f32694331d31f49cf817a844be69bd56773bd5b4f69271727d4041a15a1119c763c451b0adcffe0d135f6ad87218330411eab4cdd55764

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\jnia.xml
    Filesize

    33KB

    MD5

    dec56f2811b7f2aeafa950763ad1e7ba

    SHA1

    cdfd898210007571e15d92fc868a5b0e8d410023

    SHA256

    7a004bd5bbaf47fecbc7f058cd8cb213e4efdfa4e9e02c63d0d3737855651292

    SHA512

    4794530a924599b30a68efeab3bb96c96508230d0015e22f73a59a6a323d507ddbf9023b92f0db636b9c6c3f86c47f9af40527f552319dbe3d45062c5d81ae7a

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\mwfjldri.pdf
    Filesize

    117.1MB

    MD5

    ad2cbc6b0d41e86bdc56bf659ddc123b

    SHA1

    7e9a7a3786e57790ac5ddb765366432e38434635

    SHA256

    8ceb7e7faa2cafaea3ea9b208e1819f8de4e613061904a71f062bfa2037e59de

    SHA512

    f5654b2b1021f286c462ba80c0080359e7bdea0dd2869ceee23007d3f02e9cd84d039cab4f99c7c38e7e89ebc64b62645388b0e8d7e239a7d74d27fb13487c0d

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
    Filesize

    44KB

    MD5

    9d352bc46709f0cb5ec974633a0c3c94

    SHA1

    1969771b2f022f9a86d77ac4d4d239becdf08d07

    SHA256

    2c1eeb7097023c784c2bd040a2005a5070ed6f3a4abf13929377a9e39fab1390

    SHA512

    13c714244ec56beeb202279e4109d59c2a43c3cf29f90a374a751c04fd472b45228ca5a0178f41109ed863dbd34e0879e4a21f5e38ae3d89559c57e6be990a9b

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
    Filesize

    44KB

    MD5

    9d352bc46709f0cb5ec974633a0c3c94

    SHA1

    1969771b2f022f9a86d77ac4d4d239becdf08d07

    SHA256

    2c1eeb7097023c784c2bd040a2005a5070ed6f3a4abf13929377a9e39fab1390

    SHA512

    13c714244ec56beeb202279e4109d59c2a43c3cf29f90a374a751c04fd472b45228ca5a0178f41109ed863dbd34e0879e4a21f5e38ae3d89559c57e6be990a9b

    Download Submit
  • memory/4032-273-0x0000000001300000-0x0000000001937000-memory.dmp
    Filesize

    6.2MB

    Download
  • memory/4032-276-0x0000000001300000-0x0000000001326000-memory.dmp
    Filesize

    152KB

    Download
  • memory/4032-277-0x00000000063C0000-0x0000000006964000-memory.dmp
    Filesize

    5.6MB

    Download
  • memory/4032-278-0x0000000005EC0000-0x0000000005F5C000-memory.dmp
    Filesize

    624KB

    Download
  • memory/4032-279-0x00000000061F0000-0x0000000006200000-memory.dmp
    Filesize

    64KB

    Download
  • memory/4032-280-0x00000000061F0000-0x0000000006200000-memory.dmp
    Filesize

    64KB

    Download
  • memory/4032-281-0x00000000073A0000-0x0000000007432000-memory.dmp
    Filesize

    584KB

    Download
  • memory/4032-282-0x00000000076A0000-0x00000000076AA000-memory.dmp
    Filesize

    40KB

    Download