Analysis
-
max time kernel
142s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20231023-en -
resource tags
arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system -
submitted
27-11-2023 06:53
Static task
static1
Behavioral task
behavioral1
Sample
INVOICE0986543009070.exe
Resource
win7-20231023-en
Behavioral task
behavioral2
Sample
INVOICE0986543009070.exe
Resource
win10v2004-20231023-en
General
-
Target
INVOICE0986543009070.exe
-
Size
1.5MB
-
MD5
93532c5b21b858ef1b20042468b5b203
-
SHA1
908d8d3d7812ca76d7eff5e0a2566fed19fbc684
-
SHA256
53ba1575f48c3ed5ecc12fd858464360a9e49d81a2be4a1c9405690d1074e62e
-
SHA512
943161a06a5f01acfb0e6384dd85b3523aed6779e5aaaae6e61cda8d96585b2e6a5e20100baa384b23b5133ef2aa275ae2ac9bd5c3e73eb1acc3cbe87b682f7a
-
SSDEEP
24576:YzdAX+3YtCZOT/cz+qNdm88FpWDxMoawwhvF:YzdADTGFW8x9awqF
Malware Config
Signatures
-
Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
-
Snake Keylogger payload 1 IoCs
Processes:
resource yara_rule behavioral2/memory/904-9-0x0000000000400000-0x0000000000428000-memory.dmp family_snakekeylogger -
Processes:
INVOICE0986543009070.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" INVOICE0986543009070.exe -
Processes:
INVOICE0986543009070.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\INVOICE0986543009070.exe = "0" INVOICE0986543009070.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths INVOICE0986543009070.exe -
Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
Processes:
INVOICE0986543009070.exedescription ioc process Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Oracle\VirtualBox Guest Additions INVOICE0986543009070.exe -
Looks for VMWare Tools registry key 2 TTPs 1 IoCs
Processes:
INVOICE0986543009070.exedescription ioc process Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\VMware, Inc.\VMware Tools INVOICE0986543009070.exe -
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
INVOICE0986543009070.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion INVOICE0986543009070.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion INVOICE0986543009070.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
INVOICE0986543009070.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\Control Panel\International\Geo\Nation INVOICE0986543009070.exe -
Processes:
INVOICE0986543009070.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths INVOICE0986543009070.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions INVOICE0986543009070.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\INVOICE0986543009070.exe = "0" INVOICE0986543009070.exe -
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
Processes:
CasPol.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 CasPol.exe Key opened \REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 CasPol.exe Key opened \REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 CasPol.exe -
Processes:
INVOICE0986543009070.exedescription ioc process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA INVOICE0986543009070.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" INVOICE0986543009070.exe -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 11 checkip.dyndns.org -
Maps connected drives based on registry 3 TTPs 2 IoCs
Disk information is often read in order to detect sandboxing environments.
Processes:
INVOICE0986543009070.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum INVOICE0986543009070.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 INVOICE0986543009070.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
INVOICE0986543009070.exedescription pid process target process PID 3688 set thread context of 904 3688 INVOICE0986543009070.exe CasPol.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes:
CasPol.exepowershell.exepid process 904 CasPol.exe 4888 powershell.exe 4888 powershell.exe 904 CasPol.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
CasPol.exepowershell.exedescription pid process Token: SeDebugPrivilege 904 CasPol.exe Token: SeDebugPrivilege 4888 powershell.exe -
Suspicious use of WriteProcessMemory 11 IoCs
Processes:
INVOICE0986543009070.exedescription pid process target process PID 3688 wrote to memory of 4888 3688 INVOICE0986543009070.exe powershell.exe PID 3688 wrote to memory of 4888 3688 INVOICE0986543009070.exe powershell.exe PID 3688 wrote to memory of 4888 3688 INVOICE0986543009070.exe powershell.exe PID 3688 wrote to memory of 904 3688 INVOICE0986543009070.exe CasPol.exe PID 3688 wrote to memory of 904 3688 INVOICE0986543009070.exe CasPol.exe PID 3688 wrote to memory of 904 3688 INVOICE0986543009070.exe CasPol.exe PID 3688 wrote to memory of 904 3688 INVOICE0986543009070.exe CasPol.exe PID 3688 wrote to memory of 904 3688 INVOICE0986543009070.exe CasPol.exe PID 3688 wrote to memory of 904 3688 INVOICE0986543009070.exe CasPol.exe PID 3688 wrote to memory of 904 3688 INVOICE0986543009070.exe CasPol.exe PID 3688 wrote to memory of 904 3688 INVOICE0986543009070.exe CasPol.exe -
System policy modification 1 TTPs 1 IoCs
Processes:
INVOICE0986543009070.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" INVOICE0986543009070.exe -
outlook_office_path 1 IoCs
Processes:
CasPol.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 CasPol.exe -
outlook_win_path 1 IoCs
Processes:
CasPol.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 CasPol.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\INVOICE0986543009070.exe"C:\Users\Admin\AppData\Local\Temp\INVOICE0986543009070.exe"1⤵
- UAC bypass
- Windows security bypass
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Checks computer location settings
- Windows security modification
- Checks whether UAC is enabled
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3688 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\INVOICE0986543009070.exe" -Force2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4888 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"2⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:904
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
3Disable or Modify Tools
3Modify Registry
4Virtualization/Sandbox Evasion
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82