Analysis
-
max time kernel
142s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20231023-en -
resource tags
-
submitted
27-11-2023 06:53
General
-
Target
INVOICE0986543009070.exe
-
Size
1.5MB
-
MD5
93532c5b21b858ef1b20042468b5b203
-
SHA1
908d8d3d7812ca76d7eff5e0a2566fed19fbc684
-
SHA256
53ba1575f48c3ed5ecc12fd858464360a9e49d81a2be4a1c9405690d1074e62e
-
SHA512
943161a06a5f01acfb0e6384dd85b3523aed6779e5aaaae6e61cda8d96585b2e6a5e20100baa384b23b5133ef2aa275ae2ac9bd5c3e73eb1acc3cbe87b682f7a
-
SSDEEP
24576:YzdAX+3YtCZOT/cz+qNdm88FpWDxMoawwhvF:YzdADTGFW8x9awqF
Malware Config
Signatures
-
Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
-
Snake Keylogger payload 1 IoCs
-
UAC bypass 3 TTPs 1 IoCs
-
Windows security bypass 2 TTPs 2 IoCs
-
Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
-
Looks for VMWare Tools registry key 2 TTPs 1 IoCs
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Windows security modification 2 TTPs 3 IoCs
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Maps connected drives based on registry 3 TTPs 2 IoCs
Disk information is often read in order to detect sandboxing environments.
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of WriteProcessMemory 11 IoCs
-
System policy modification 1 TTPs 1 IoCs
-
outlook_office_path 1 IoCs
-
outlook_win_path 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\INVOICE0986543009070.exe"C:\Users\Admin\AppData\Local\Temp\INVOICE0986543009070.exe"1⤵
- UAC bypass
- Windows security bypass
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Checks computer location settings
- Windows security modification
- Checks whether UAC is enabled
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\INVOICE0986543009070.exe" -Force2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"2⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
3Disable or Modify Tools
3Modify Registry
4Virtualization/Sandbox Evasion
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
160KB
-
Filesize
320KB
-
Filesize
1.8MB
-
Filesize
64KB
-
Filesize
40KB
-
Filesize
7.7MB
-
Filesize
64KB
-
Filesize
7.7MB
-
Filesize
624KB
-
Filesize
408KB
-
Filesize
104KB
-
Filesize
264KB
-
Filesize
7.7MB
-
Filesize
64KB
-
Filesize
584KB
-
Filesize
5.6MB
-
Filesize
1.6MB
-
Filesize
7.7MB
-
Filesize
120KB
-
Filesize
40KB
-
Filesize
3.3MB
-
Filesize
136KB
-
Filesize
304KB
-
Filesize
64KB
-
Filesize
200KB
-
Filesize
64KB
-
Filesize
304KB
-
Filesize
120KB
-
Filesize
652KB
-
Filesize
6.5MB
-
Filesize
104KB
-
Filesize
408KB
-
Filesize
600KB
-
Filesize
68KB
-
Filesize
56KB
-
Filesize
80KB
-
Filesize
104KB
-
Filesize
32KB
-
Filesize
7.7MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
7.7MB
-
Filesize
6.2MB
-
Filesize
216KB