Analysis
-
max time kernel
117s -
max time network
150s -
platform
windows7_x64 -
resource
win7-20231023-en -
resource tags
arch:x64arch:x86image:win7-20231023-enlocale:en-usos:windows7-x64system -
submitted
05-12-2023 14:24
Static task
static1
Behavioral task
behavioral1
Sample
80570b06c9d7f7e5dadbc63e8eb9e4a608de909b7f4a68315bad25fa594ab4b7.exe
Resource
win7-20231023-en
Behavioral task
behavioral2
Sample
80570b06c9d7f7e5dadbc63e8eb9e4a608de909b7f4a68315bad25fa594ab4b7.exe
Resource
win10v2004-20231130-en
General
-
Target
80570b06c9d7f7e5dadbc63e8eb9e4a608de909b7f4a68315bad25fa594ab4b7.exe
-
Size
239KB
-
MD5
12e099a0fd22ab8fc64e00b4047d2d7d
-
SHA1
928b5790c0c67faed8edd7fc5bf66d679907c7d2
-
SHA256
80570b06c9d7f7e5dadbc63e8eb9e4a608de909b7f4a68315bad25fa594ab4b7
-
SHA512
00e0c8b3050b5a555ef02cc8f67f074b8ab7bab7dbd44aadaa50763a40a2ef4588ddf7a30bd5c32c8d505aecda4496c923bfe0b83cc526f128a2d91e19df902e
-
SSDEEP
6144:H0oy7KYoDObRpokvvXB+622SL5Y3IedceucOBY43bR:ldkvvXB+3U3IedIBY43b
Malware Config
Signatures
-
Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
-
Snake Keylogger payload 3 IoCs
Processes:
resource yara_rule behavioral1/memory/2720-6-0x0000000000400000-0x0000000000428000-memory.dmp family_snakekeylogger behavioral1/memory/2720-8-0x0000000000400000-0x0000000000428000-memory.dmp family_snakekeylogger behavioral1/memory/2720-10-0x0000000000400000-0x0000000000428000-memory.dmp family_snakekeylogger -
Processes:
80570b06c9d7f7e5dadbc63e8eb9e4a608de909b7f4a68315bad25fa594ab4b7.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 80570b06c9d7f7e5dadbc63e8eb9e4a608de909b7f4a68315bad25fa594ab4b7.exe -
Processes:
80570b06c9d7f7e5dadbc63e8eb9e4a608de909b7f4a68315bad25fa594ab4b7.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths 80570b06c9d7f7e5dadbc63e8eb9e4a608de909b7f4a68315bad25fa594ab4b7.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\80570b06c9d7f7e5dadbc63e8eb9e4a608de909b7f4a68315bad25fa594ab4b7.exe = "0" 80570b06c9d7f7e5dadbc63e8eb9e4a608de909b7f4a68315bad25fa594ab4b7.exe -
Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
Processes:
80570b06c9d7f7e5dadbc63e8eb9e4a608de909b7f4a68315bad25fa594ab4b7.exedescription ioc process Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Oracle\VirtualBox Guest Additions 80570b06c9d7f7e5dadbc63e8eb9e4a608de909b7f4a68315bad25fa594ab4b7.exe -
Looks for VMWare Tools registry key 2 TTPs 1 IoCs
Processes:
80570b06c9d7f7e5dadbc63e8eb9e4a608de909b7f4a68315bad25fa594ab4b7.exedescription ioc process Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\VMware, Inc.\VMware Tools 80570b06c9d7f7e5dadbc63e8eb9e4a608de909b7f4a68315bad25fa594ab4b7.exe -
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
80570b06c9d7f7e5dadbc63e8eb9e4a608de909b7f4a68315bad25fa594ab4b7.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 80570b06c9d7f7e5dadbc63e8eb9e4a608de909b7f4a68315bad25fa594ab4b7.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 80570b06c9d7f7e5dadbc63e8eb9e4a608de909b7f4a68315bad25fa594ab4b7.exe -
Processes:
80570b06c9d7f7e5dadbc63e8eb9e4a608de909b7f4a68315bad25fa594ab4b7.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths 80570b06c9d7f7e5dadbc63e8eb9e4a608de909b7f4a68315bad25fa594ab4b7.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions 80570b06c9d7f7e5dadbc63e8eb9e4a608de909b7f4a68315bad25fa594ab4b7.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\80570b06c9d7f7e5dadbc63e8eb9e4a608de909b7f4a68315bad25fa594ab4b7.exe = "0" 80570b06c9d7f7e5dadbc63e8eb9e4a608de909b7f4a68315bad25fa594ab4b7.exe -
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
Processes:
CasPol.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 CasPol.exe Key opened \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 CasPol.exe Key opened \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 CasPol.exe -
Processes:
80570b06c9d7f7e5dadbc63e8eb9e4a608de909b7f4a68315bad25fa594ab4b7.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 80570b06c9d7f7e5dadbc63e8eb9e4a608de909b7f4a68315bad25fa594ab4b7.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 80570b06c9d7f7e5dadbc63e8eb9e4a608de909b7f4a68315bad25fa594ab4b7.exe -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 4 checkip.dyndns.org -
Maps connected drives based on registry 3 TTPs 2 IoCs
Disk information is often read in order to detect sandboxing environments.
Processes:
80570b06c9d7f7e5dadbc63e8eb9e4a608de909b7f4a68315bad25fa594ab4b7.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum 80570b06c9d7f7e5dadbc63e8eb9e4a608de909b7f4a68315bad25fa594ab4b7.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 80570b06c9d7f7e5dadbc63e8eb9e4a608de909b7f4a68315bad25fa594ab4b7.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
80570b06c9d7f7e5dadbc63e8eb9e4a608de909b7f4a68315bad25fa594ab4b7.exedescription pid process target process PID 1280 set thread context of 2720 1280 80570b06c9d7f7e5dadbc63e8eb9e4a608de909b7f4a68315bad25fa594ab4b7.exe CasPol.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
Processes:
CasPol.exepowershell.exepid process 2720 CasPol.exe 2624 powershell.exe 2720 CasPol.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
CasPol.exepowershell.exedescription pid process Token: SeDebugPrivilege 2720 CasPol.exe Token: SeDebugPrivilege 2624 powershell.exe -
Suspicious use of WriteProcessMemory 13 IoCs
Processes:
80570b06c9d7f7e5dadbc63e8eb9e4a608de909b7f4a68315bad25fa594ab4b7.exedescription pid process target process PID 1280 wrote to memory of 2624 1280 80570b06c9d7f7e5dadbc63e8eb9e4a608de909b7f4a68315bad25fa594ab4b7.exe powershell.exe PID 1280 wrote to memory of 2624 1280 80570b06c9d7f7e5dadbc63e8eb9e4a608de909b7f4a68315bad25fa594ab4b7.exe powershell.exe PID 1280 wrote to memory of 2624 1280 80570b06c9d7f7e5dadbc63e8eb9e4a608de909b7f4a68315bad25fa594ab4b7.exe powershell.exe PID 1280 wrote to memory of 2624 1280 80570b06c9d7f7e5dadbc63e8eb9e4a608de909b7f4a68315bad25fa594ab4b7.exe powershell.exe PID 1280 wrote to memory of 2720 1280 80570b06c9d7f7e5dadbc63e8eb9e4a608de909b7f4a68315bad25fa594ab4b7.exe CasPol.exe PID 1280 wrote to memory of 2720 1280 80570b06c9d7f7e5dadbc63e8eb9e4a608de909b7f4a68315bad25fa594ab4b7.exe CasPol.exe PID 1280 wrote to memory of 2720 1280 80570b06c9d7f7e5dadbc63e8eb9e4a608de909b7f4a68315bad25fa594ab4b7.exe CasPol.exe PID 1280 wrote to memory of 2720 1280 80570b06c9d7f7e5dadbc63e8eb9e4a608de909b7f4a68315bad25fa594ab4b7.exe CasPol.exe PID 1280 wrote to memory of 2720 1280 80570b06c9d7f7e5dadbc63e8eb9e4a608de909b7f4a68315bad25fa594ab4b7.exe CasPol.exe PID 1280 wrote to memory of 2720 1280 80570b06c9d7f7e5dadbc63e8eb9e4a608de909b7f4a68315bad25fa594ab4b7.exe CasPol.exe PID 1280 wrote to memory of 2720 1280 80570b06c9d7f7e5dadbc63e8eb9e4a608de909b7f4a68315bad25fa594ab4b7.exe CasPol.exe PID 1280 wrote to memory of 2720 1280 80570b06c9d7f7e5dadbc63e8eb9e4a608de909b7f4a68315bad25fa594ab4b7.exe CasPol.exe PID 1280 wrote to memory of 2720 1280 80570b06c9d7f7e5dadbc63e8eb9e4a608de909b7f4a68315bad25fa594ab4b7.exe CasPol.exe -
System policy modification 1 TTPs 1 IoCs
Processes:
80570b06c9d7f7e5dadbc63e8eb9e4a608de909b7f4a68315bad25fa594ab4b7.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 80570b06c9d7f7e5dadbc63e8eb9e4a608de909b7f4a68315bad25fa594ab4b7.exe -
outlook_office_path 1 IoCs
Processes:
CasPol.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 CasPol.exe -
outlook_win_path 1 IoCs
Processes:
CasPol.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 CasPol.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\80570b06c9d7f7e5dadbc63e8eb9e4a608de909b7f4a68315bad25fa594ab4b7.exe"C:\Users\Admin\AppData\Local\Temp\80570b06c9d7f7e5dadbc63e8eb9e4a608de909b7f4a68315bad25fa594ab4b7.exe"1⤵
- UAC bypass
- Windows security bypass
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Windows security modification
- Checks whether UAC is enabled
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1280 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\80570b06c9d7f7e5dadbc63e8eb9e4a608de909b7f4a68315bad25fa594ab4b7.exe" -Force2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2624 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"2⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:2720
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
3Disable or Modify Tools
3Modify Registry
4Virtualization/Sandbox Evasion
2