Analysis
max time kernel: 120s
max time network: 192s
platform: windows7_x64
resource: win7-20230831-en
resource tags: arch:x64, arch:x86, image:win7-20230831-en, locale:en-us, os:windows7-x64, system
submitted: 11-10-2023 19:26
Static task: static1
Behavioral task: behavioral1
  Sample: Purchase Order 0156070.PDF.exe
  Resource: win7-20230831-en
Behavioral task: behavioral2
  Sample: Purchase Order 0156070.PDF.exe
  Resource: win10v2004-20230915-en
General
Target: Purchase Order 0156070.PDF.exe
Size: 585KB
MD5: 536a5ff0f223a0ce1fa5601624a91f1c
SHA1: e785ec6acb47820681a2047388d3aa4c3f008e7d
SHA256: f2d0ccfeeee010d03dbd6ccabf18e33fd6de842be318b5a800ad7793848ea410
SHA512: 0bbd1eda03d8302d73d12dfeb85cd2470ec2a3217098305e7c7f1385e2cf89ac1dc884c9f1997075f7d61cd01b82a98ade1c6b3080821e4801fcea0ea749ada0
SSDEEP: 12288:fTdYX9KMtD/F3LjRULYFVbVmk8mADwrbTeLKZk7WW5Z:GtRtDd3LlULUVbVmpmIwrHd0WW5
Malware Config
Extracted family: snakekeylogger
Protocol: smtp
Host: mail.ksline.com.my
Port: 587
Username: [email protected]
Password: ksline1410$$
Email To: [email protected]
Signatures

Snake Keylogger
Keylogger and Infostealer first seen in November 2020.

Snake Keylogger payload (6 IoCs)
Processes:
  resource                                                                    yara_rule
  behavioral1/memory/2556-12-0x0000000000400000-0x0000000000424000-memory.dmp  family_snakekeylogger
  behavioral1/memory/2556-14-0x0000000000400000-0x0000000000424000-memory.dmp  family_snakekeylogger
  behavioral1/memory/2556-18-0x0000000000400000-0x0000000000424000-memory.dmp  family_snakekeylogger
  behavioral1/memory/2556-20-0x0000000000400000-0x0000000000424000-memory.dmp  family_snakekeylogger
  behavioral1/memory/2556-22-0x0000000000400000-0x0000000000424000-memory.dmp  family_snakekeylogger
  behavioral1/memory/2556-25-0x0000000004920000-0x0000000004960000-memory.dmp  family_snakekeylogger
Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
Processes: RegSvcs.exe
  description  ioc                                                                                                                                                                   process
  Key opened   \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676                 RegSvcs.exe
  Key opened   \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  RegSvcs.exe
  Key opened   \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676                 RegSvcs.exe
Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
  flow  ioc
  4     checkip.dyndns.org
Suspicious use of SetThreadContext (1 IoC)
Processes: Purchase Order 0156070.PDF.exe
  description                                pid   process                         target process
  PID 2668 set thread context of 2556        2668  Purchase Order 0156070.PDF.exe  RegSvcs.exe
Suspicious behavior: EnumeratesProcesses (4 IoCs)
Processes: Purchase Order 0156070.PDF.exe, RegSvcs.exe
  pid   process
  2668  Purchase Order 0156070.PDF.exe
  2668  Purchase Order 0156070.PDF.exe
  2556  RegSvcs.exe
  2556  RegSvcs.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes: Purchase Order 0156070.PDF.exe, RegSvcs.exe
  description              pid   process
  Token: SeDebugPrivilege  2668  Purchase Order 0156070.PDF.exe
  Token: SeDebugPrivilege  2556  RegSvcs.exe
Suspicious use of WriteProcessMemory (12 IoCs)
Processes: Purchase Order 0156070.PDF.exe
  description                          pid   process                         target process
  PID 2668 wrote to memory of 2556     2668  Purchase Order 0156070.PDF.exe  RegSvcs.exe
  (the same event is reported 12 times)
outlook_office_path (1 IoC)
Processes: RegSvcs.exe
  description  ioc                                                                                                                                    process
  Key opened   \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  RegSvcs.exe

outlook_win_path (1 IoC)
Processes: RegSvcs.exe
  description  ioc                                                                                                                                                                   process
  Key opened   \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  RegSvcs.exe
Processes

1. C:\Users\Admin\AppData\Local\Temp\Purchase Order 0156070.PDF.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\Purchase Order 0156070.PDF.exe"
   PID: 2668
   - Suspicious use of SetThreadContext
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe (child of PID 2668)
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
      PID: 2556
      - Accesses Microsoft Outlook profiles
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - outlook_office_path
      - outlook_win_path