Analysis
max time kernel: 142s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20231127-en
resource tags: arch:x64 arch:x86 image:win10v2004-20231127-en locale:en-us os:windows10-2004-x64 system
submitted: 06-12-2023 02:36
Static task: static1
Behavioral task: behavioral1
  Sample: PO 0206201.PDF.exe
  Resource: win7-20231023-en
Behavioral task: behavioral2
  Sample: PO 0206201.PDF.exe
  Resource: win10v2004-20231127-en
General
Target: PO 0206201.PDF.exe
Size: 530KB
MD5: 60be219d2b7d424ee98fdb703935ae34
SHA1: 0e81927460a663cbe8d59a61e82b3d5b9a2cd310
SHA256: 15840d8dbdb94d787598f7dc0821cf6c1b1c337697bb7369488e2c979d8f73a3
SHA512: 695a5d750f5e7129402aa68dcb91b992b8d28aaaf287f5e6f5b932fbc714d9a05d22ea0913dd739d076020174b9a403abcf48e8ea089b7bc9e0221968b7b572d
SSDEEP: 12288:SuXQaueH5qV5wmmdhif9OdMZTpLSzR+oQXlF7Au:Su1qPcdhE8d6IsdlF
Malware Config
Signatures

Snake Keylogger
Keylogger and Infostealer first seen in November 2020.

Snake Keylogger payload (2 IoCs)
  resource: behavioral2/memory/4176-11-0x0000000000400000-0x0000000000426000-memory.dmp | yara_rule: family_snakekeylogger
  resource: behavioral2/memory/4176-19-0x0000000005AA0000-0x0000000005AB0000-memory.dmp | yara_rule: family_snakekeylogger

Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
Processes: RegSvcs.exe
  description: Key opened | ioc: \REGISTRY\USER\S-1-5-21-1067295379-1486014338-1703171060-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | process: RegSvcs.exe
  description: Key opened | ioc: \REGISTRY\USER\S-1-5-21-1067295379-1486014338-1703171060-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | process: RegSvcs.exe
  description: Key opened | ioc: \REGISTRY\USER\S-1-5-21-1067295379-1486014338-1703171060-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | process: RegSvcs.exe

Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
  flow: 50 | ioc: checkip.dyndns.org

Suspicious use of SetThreadContext (1 IoC)
Processes: PO 0206201.PDF.exe
  description: PID 852 set thread context of 4176 | pid: 852 | process: PO 0206201.PDF.exe | target process: RegSvcs.exe

Suspicious behavior: EnumeratesProcesses (4 IoCs)
Processes: PO 0206201.PDF.exe, RegSvcs.exe
  pid: 852 | process: PO 0206201.PDF.exe
  pid: 852 | process: PO 0206201.PDF.exe
  pid: 4176 | process: RegSvcs.exe
  pid: 4176 | process: RegSvcs.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes: PO 0206201.PDF.exe, RegSvcs.exe
  description: Token: SeDebugPrivilege | pid: 852 | process: PO 0206201.PDF.exe
  description: Token: SeDebugPrivilege | pid: 4176 | process: RegSvcs.exe

Suspicious use of WriteProcessMemory (11 IoCs)
Processes: PO 0206201.PDF.exe
  description: PID 852 wrote to memory of 4124 | pid: 852 | process: PO 0206201.PDF.exe | target process: RegSvcs.exe (3 entries)
  description: PID 852 wrote to memory of 4176 | pid: 852 | process: PO 0206201.PDF.exe | target process: RegSvcs.exe (8 entries)

outlook_office_path (1 IoC)
Processes: RegSvcs.exe
  description: Key opened | ioc: \REGISTRY\USER\S-1-5-21-1067295379-1486014338-1703171060-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | process: RegSvcs.exe

outlook_win_path (1 IoC)
Processes: RegSvcs.exe
  description: Key opened | ioc: \REGISTRY\USER\S-1-5-21-1067295379-1486014338-1703171060-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | process: RegSvcs.exe
Processes

C:\Users\Admin\AppData\Local\Temp\PO 0206201.PDF.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\PO 0206201.PDF.exe"
  PID: 852
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  child: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
    PID: 4124

  child: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
    PID: 4176
    - Accesses Microsoft Outlook profiles
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path