Analysis
-
max time kernel
118s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20231020-en -
resource tags
arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system -
submitted
27-11-2023 06:55
Static task
static1
Behavioral task
behavioral1
Sample
INVOICE0986543009070.exe
Resource
win7-20231020-en
Behavioral task
behavioral2
Sample
INVOICE0986543009070.exe
Resource
win10v2004-20231020-en
General
-
Target
INVOICE0986543009070.exe
-
Size
1.5MB
-
MD5
93532c5b21b858ef1b20042468b5b203
-
SHA1
908d8d3d7812ca76d7eff5e0a2566fed19fbc684
-
SHA256
53ba1575f48c3ed5ecc12fd858464360a9e49d81a2be4a1c9405690d1074e62e
-
SHA512
943161a06a5f01acfb0e6384dd85b3523aed6779e5aaaae6e61cda8d96585b2e6a5e20100baa384b23b5133ef2aa275ae2ac9bd5c3e73eb1acc3cbe87b682f7a
-
SSDEEP
24576:YzdAX+3YtCZOT/cz+qNdm88FpWDxMoawwhvF:YzdADTGFW8x9awqF
Malware Config
Signatures
-
Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
-
Snake Keylogger payload 3 IoCs
Processes:
resource yara_rule behavioral1/memory/2780-5-0x0000000000400000-0x0000000000428000-memory.dmp family_snakekeylogger behavioral1/memory/2780-9-0x0000000000400000-0x0000000000428000-memory.dmp family_snakekeylogger behavioral1/memory/2780-7-0x0000000000400000-0x0000000000428000-memory.dmp family_snakekeylogger -
Processes:
INVOICE0986543009070.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" INVOICE0986543009070.exe -
Processes:
INVOICE0986543009070.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths INVOICE0986543009070.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\INVOICE0986543009070.exe = "0" INVOICE0986543009070.exe -
Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
Processes:
INVOICE0986543009070.exedescription ioc process Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Oracle\VirtualBox Guest Additions INVOICE0986543009070.exe -
Looks for VMWare Tools registry key 2 TTPs 1 IoCs
Processes:
INVOICE0986543009070.exedescription ioc process Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\VMware, Inc.\VMware Tools INVOICE0986543009070.exe -
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
INVOICE0986543009070.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion INVOICE0986543009070.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion INVOICE0986543009070.exe -
Processes:
INVOICE0986543009070.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths INVOICE0986543009070.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions INVOICE0986543009070.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\INVOICE0986543009070.exe = "0" INVOICE0986543009070.exe -
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
Processes:
CasPol.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 CasPol.exe Key opened \REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 CasPol.exe Key opened \REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 CasPol.exe -
Processes:
INVOICE0986543009070.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" INVOICE0986543009070.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA INVOICE0986543009070.exe -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 4 checkip.dyndns.org -
Maps connected drives based on registry 3 TTPs 2 IoCs
Disk information is often read in order to detect sandboxing environments.
Processes:
INVOICE0986543009070.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum INVOICE0986543009070.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 INVOICE0986543009070.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
INVOICE0986543009070.exedescription pid process target process PID 2144 set thread context of 2780 2144 INVOICE0986543009070.exe CasPol.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
Processes:
CasPol.exepowershell.exepid process 2780 CasPol.exe 2704 powershell.exe 2780 CasPol.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
CasPol.exepowershell.exedescription pid process Token: SeDebugPrivilege 2780 CasPol.exe Token: SeDebugPrivilege 2704 powershell.exe -
Suspicious use of WriteProcessMemory 13 IoCs
Processes:
INVOICE0986543009070.exedescription pid process target process PID 2144 wrote to memory of 2704 2144 INVOICE0986543009070.exe powershell.exe PID 2144 wrote to memory of 2704 2144 INVOICE0986543009070.exe powershell.exe PID 2144 wrote to memory of 2704 2144 INVOICE0986543009070.exe powershell.exe PID 2144 wrote to memory of 2704 2144 INVOICE0986543009070.exe powershell.exe PID 2144 wrote to memory of 2780 2144 INVOICE0986543009070.exe CasPol.exe PID 2144 wrote to memory of 2780 2144 INVOICE0986543009070.exe CasPol.exe PID 2144 wrote to memory of 2780 2144 INVOICE0986543009070.exe CasPol.exe PID 2144 wrote to memory of 2780 2144 INVOICE0986543009070.exe CasPol.exe PID 2144 wrote to memory of 2780 2144 INVOICE0986543009070.exe CasPol.exe PID 2144 wrote to memory of 2780 2144 INVOICE0986543009070.exe CasPol.exe PID 2144 wrote to memory of 2780 2144 INVOICE0986543009070.exe CasPol.exe PID 2144 wrote to memory of 2780 2144 INVOICE0986543009070.exe CasPol.exe PID 2144 wrote to memory of 2780 2144 INVOICE0986543009070.exe CasPol.exe -
System policy modification 1 TTPs 1 IoCs
Processes:
INVOICE0986543009070.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" INVOICE0986543009070.exe -
outlook_office_path 1 IoCs
Processes:
CasPol.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 CasPol.exe -
outlook_win_path 1 IoCs
Processes:
CasPol.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 CasPol.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\INVOICE0986543009070.exe"C:\Users\Admin\AppData\Local\Temp\INVOICE0986543009070.exe"1⤵
- UAC bypass
- Windows security bypass
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Windows security modification
- Checks whether UAC is enabled
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2144 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\INVOICE0986543009070.exe" -Force2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2704 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"2⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:2780
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
3Disable or Modify Tools
3Modify Registry
4Virtualization/Sandbox Evasion
2