Analysis
-
max time kernel
128s -
max time network
143s -
platform
windows10-1703_x64 -
resource
win10-20230703-en -
resource tags
arch:x64arch:x86image:win10-20230703-enlocale:en-usos:windows10-1703-x64system -
submitted
19/07/2023, 06:48
Static task
static1
Behavioral task
behavioral1
Sample
Profoma Invoice.exe
Resource
win7-20230712-en
Behavioral task
behavioral2
Sample
Profoma Invoice.exe
Resource
win10-20230703-en
Behavioral task
behavioral3
Sample
Profoma Invoice.exe
Resource
win10v2004-20230703-en
General
-
Target
Profoma Invoice.exe
-
Size
593KB
-
MD5
d07c13653cbed4cca2fde350e264d7ae
-
SHA1
7ad1d778bfe078670a651a0e9a9d662f2bf9a003
-
SHA256
b166f8281abdfa0539055969167c53f0d389af8bc8675a7455c1b74da2dddaa7
-
SHA512
586513a32ec114856a973e8dbf5af05da4dda5e178170cfe6fda90222b38c70fc151a71c0caf63c6a7c3121a4264840688cb41d3a39fa22bb11eea08110b32a9
-
SSDEEP
12288:jPYPfY7K+ArL4QGTqdRgePNd1MjlmA6wdNQRqHkUV3s5VFPE:jPYPgu+AP4mdPPP26XRykM
Malware Config
Extracted
snakekeylogger
Protocol: smtp- Host:
webmail.satnet.net - Port:
587 - Username:
[email protected] - Password:
reve1563
Signatures
-
Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
-
Snake Keylogger payload 1 IoCs
resource yara_rule behavioral2/memory/872-129-0x0000000000400000-0x0000000000426000-memory.dmp family_snakekeylogger -
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-3229013990-3330391637-2814184332-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Profoma Invoice.exe Key opened \REGISTRY\USER\S-1-5-21-3229013990-3330391637-2814184332-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Profoma Invoice.exe Key opened \REGISTRY\USER\S-1-5-21-3229013990-3330391637-2814184332-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Profoma Invoice.exe -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 2 checkip.dyndns.org -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 2068 set thread context of 872 2068 Profoma Invoice.exe 71 -
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid Process 2068 Profoma Invoice.exe 2068 Profoma Invoice.exe 872 Profoma Invoice.exe 872 Profoma Invoice.exe -
Suspicious behavior: RenamesItself 1 IoCs
pid Process 872 Profoma Invoice.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 2068 Profoma Invoice.exe Token: SeDebugPrivilege 872 Profoma Invoice.exe -
Suspicious use of WriteProcessMemory 11 IoCs
description pid Process procid_target PID 2068 wrote to memory of 520 2068 Profoma Invoice.exe 70 PID 2068 wrote to memory of 520 2068 Profoma Invoice.exe 70 PID 2068 wrote to memory of 520 2068 Profoma Invoice.exe 70 PID 2068 wrote to memory of 872 2068 Profoma Invoice.exe 71 PID 2068 wrote to memory of 872 2068 Profoma Invoice.exe 71 PID 2068 wrote to memory of 872 2068 Profoma Invoice.exe 71 PID 2068 wrote to memory of 872 2068 Profoma Invoice.exe 71 PID 2068 wrote to memory of 872 2068 Profoma Invoice.exe 71 PID 2068 wrote to memory of 872 2068 Profoma Invoice.exe 71 PID 2068 wrote to memory of 872 2068 Profoma Invoice.exe 71 PID 2068 wrote to memory of 872 2068 Profoma Invoice.exe 71 -
outlook_office_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-3229013990-3330391637-2814184332-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Profoma Invoice.exe -
outlook_win_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-3229013990-3330391637-2814184332-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Profoma Invoice.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\Profoma Invoice.exe"C:\Users\Admin\AppData\Local\Temp\Profoma Invoice.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2068 -
C:\Users\Admin\AppData\Local\Temp\Profoma Invoice.exe"C:\Users\Admin\AppData\Local\Temp\Profoma Invoice.exe"2⤵PID:520
-
-
C:\Users\Admin\AppData\Local\Temp\Profoma Invoice.exe"C:\Users\Admin\AppData\Local\Temp\Profoma Invoice.exe"2⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:872
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD50c2899d7c6746f42d5bbe088c777f94c
SHA1622f66c5f7a3c91b28a9f43ce7c6cabadbf514f1
SHA2565b0b99740cadaeff7b9891136644b396941547e20cc7eea646560d0dad5a5458
SHA512ab7a3409ed4b6ca00358330a3aa4ef6de7d81eb21a5e24bb629ef6a7c7c4e2a70ca3accfbc989ed6e495fdb8eb6203a26d6f2a37b2a5809af4276af375b49078