Analysis
-
max time kernel
120s -
max time network
124s -
platform
windows7_x64 -
resource
win7-20231023-en -
resource tags
arch:x64arch:x86image:win7-20231023-enlocale:en-usos:windows7-x64system -
submitted
28-11-2023 06:50
Static task
static1
Behavioral task
behavioral1
Sample
INV.exe
Resource
win7-20231023-en
Behavioral task
behavioral2
Sample
INV.exe
Resource
win10v2004-20231127-en
General
-
Target
INV.exe
-
Size
674KB
-
MD5
b7d48d8454f4aa3ae1b0ed7e53559628
-
SHA1
acbe3e258e28449feaffd199cdf005dd3bec231c
-
SHA256
7c1725edad4a3366d166366f35d611e65705a084dc67f886b1963857f8dfa641
-
SHA512
a8509642e21e8c28cb8aa5959a63c0fb8affbf27c8102cc381734781b959d3122991498ee9f302b4a381b4e733beeed31316ef912e83c9fc41f08d2e0f482424
-
SSDEEP
12288:Tuid7BR6wTuHt1fKOGyfoAuuCQ1RP+OSMOcNojh31Pm+HX+Si:CipBelrGDAuuCQCGojh31e+3S
Malware Config
Signatures
-
Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
-
Snake Keylogger payload 6 IoCs
Processes:
resource yara_rule behavioral1/memory/2648-15-0x0000000000400000-0x0000000000426000-memory.dmp family_snakekeylogger behavioral1/memory/2648-16-0x0000000000400000-0x0000000000426000-memory.dmp family_snakekeylogger behavioral1/memory/2648-19-0x0000000000400000-0x0000000000426000-memory.dmp family_snakekeylogger behavioral1/memory/2648-21-0x0000000000400000-0x0000000000426000-memory.dmp family_snakekeylogger behavioral1/memory/2648-23-0x0000000000400000-0x0000000000426000-memory.dmp family_snakekeylogger behavioral1/memory/2648-28-0x0000000002290000-0x00000000022D0000-memory.dmp family_snakekeylogger -
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
Processes:
INV.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 INV.exe Key opened \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 INV.exe Key opened \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 INV.exe -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 4 checkip.dyndns.org -
Suspicious use of SetThreadContext 1 IoCs
Processes:
INV.exedescription pid process target process PID 2880 set thread context of 2648 2880 INV.exe INV.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes:
INV.exeINV.exepowershell.exepid process 2880 INV.exe 2648 INV.exe 664 powershell.exe 2648 INV.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
INV.exeINV.exepowershell.exedescription pid process Token: SeDebugPrivilege 2880 INV.exe Token: SeDebugPrivilege 2648 INV.exe Token: SeDebugPrivilege 664 powershell.exe -
Suspicious use of WriteProcessMemory 21 IoCs
Processes:
INV.exedescription pid process target process PID 2880 wrote to memory of 664 2880 INV.exe powershell.exe PID 2880 wrote to memory of 664 2880 INV.exe powershell.exe PID 2880 wrote to memory of 664 2880 INV.exe powershell.exe PID 2880 wrote to memory of 664 2880 INV.exe powershell.exe PID 2880 wrote to memory of 768 2880 INV.exe schtasks.exe PID 2880 wrote to memory of 768 2880 INV.exe schtasks.exe PID 2880 wrote to memory of 768 2880 INV.exe schtasks.exe PID 2880 wrote to memory of 768 2880 INV.exe schtasks.exe PID 2880 wrote to memory of 2656 2880 INV.exe INV.exe PID 2880 wrote to memory of 2656 2880 INV.exe INV.exe PID 2880 wrote to memory of 2656 2880 INV.exe INV.exe PID 2880 wrote to memory of 2656 2880 INV.exe INV.exe PID 2880 wrote to memory of 2648 2880 INV.exe INV.exe PID 2880 wrote to memory of 2648 2880 INV.exe INV.exe PID 2880 wrote to memory of 2648 2880 INV.exe INV.exe PID 2880 wrote to memory of 2648 2880 INV.exe INV.exe PID 2880 wrote to memory of 2648 2880 INV.exe INV.exe PID 2880 wrote to memory of 2648 2880 INV.exe INV.exe PID 2880 wrote to memory of 2648 2880 INV.exe INV.exe PID 2880 wrote to memory of 2648 2880 INV.exe INV.exe PID 2880 wrote to memory of 2648 2880 INV.exe INV.exe -
outlook_office_path 1 IoCs
Processes:
INV.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 INV.exe -
outlook_win_path 1 IoCs
Processes:
INV.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 INV.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\INV.exe"C:\Users\Admin\AppData\Local\Temp\INV.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2880 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\VedVuxqfLPu.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:664 -
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\VedVuxqfLPu" /XML "C:\Users\Admin\AppData\Local\Temp\tmpD95E.tmp"2⤵
- Creates scheduled task(s)
PID:768 -
C:\Users\Admin\AppData\Local\Temp\INV.exe"C:\Users\Admin\AppData\Local\Temp\INV.exe"2⤵PID:2656
-
C:\Users\Admin\AppData\Local\Temp\INV.exe"C:\Users\Admin\AppData\Local\Temp\INV.exe"2⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:2648
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD536a81ca58694ea4fd25daaae9491d2ae
SHA170073ff3041afef99101850d206be5c5ea2320f3
SHA256da67173ebd38afbedc3cd1d63761797d1b0f2dbd842a36aa7b593cbc39aeb910
SHA512b6ef806fd7db8198c0f62a4d6f1361a0ae4f9dd00ea1aa19e5f3a07b68ee499a9edb1210925b2c61f6f2d1f9d176cdc3a0f2d349fc0f73e8d0d1e8f295ebba8e