Analysis
-
max time kernel
115s -
max time network
156s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
08-05-2024 17:47
Static task
static1
Behavioral task
behavioral1
Sample
ORDEN DE COMPRA URGENTE pdf.exe
Resource
win7-20240508-en
Behavioral task
behavioral2
Sample
ORDEN DE COMPRA URGENTE pdf.exe
Resource
win10v2004-20240508-en
General
-
Target
ORDEN DE COMPRA URGENTE pdf.exe
-
Size
503KB
-
MD5
41604cd16b04a9ddb71e24c12cef8e1a
-
SHA1
c62dd24270afc456f5c5f1a8ebc3a4d9c20d18c6
-
SHA256
8f333d09b79c5f45f7724ef1eda6e0b811a7d2a8268f0580cf2a1b5d5e40b1de
-
SHA512
3f6bf8b3f1e5186ecc3deb2291ab653c248f26ddaf0d56ea47c497021ac76655941d3a647e5fde9d55c805a7ff4a0ea12cf1da7e26d919e1f5d36c29b2b7a1e8
-
SSDEEP
12288:SO/f2e5J2aFOh67jTrmRLFonFXz3UVbMUOPYI:1Uh4jfCTbMnn
Malware Config
Extracted
snakekeylogger
Protocol: smtp- Host:
mail.gbogboro.com - Port:
587 - Username:
[email protected] - Password:
Lovelove@123
https://scratchdreams.tk
Signatures
-
Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
-
Snake Keylogger payload 1 IoCs
Processes:
resource yara_rule behavioral2/memory/3404-4-0x0000000000400000-0x0000000000426000-memory.dmp family_snakekeylogger -
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
Processes:
regsvcs.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 regsvcs.exe Key opened \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 regsvcs.exe Key opened \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 regsvcs.exe -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 8 checkip.dyndns.org -
Suspicious use of SetThreadContext 1 IoCs
Processes:
ORDEN DE COMPRA URGENTE pdf.exedescription pid process target process PID 4584 set thread context of 3404 4584 ORDEN DE COMPRA URGENTE pdf.exe regsvcs.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
regsvcs.exepid process 3404 regsvcs.exe 3404 regsvcs.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
regsvcs.exedescription pid process Token: SeDebugPrivilege 3404 regsvcs.exe -
Suspicious use of WriteProcessMemory 17 IoCs
Processes:
ORDEN DE COMPRA URGENTE pdf.exedescription pid process target process PID 4584 wrote to memory of 1652 4584 ORDEN DE COMPRA URGENTE pdf.exe CasPol.exe PID 4584 wrote to memory of 1652 4584 ORDEN DE COMPRA URGENTE pdf.exe CasPol.exe PID 4584 wrote to memory of 1652 4584 ORDEN DE COMPRA URGENTE pdf.exe CasPol.exe PID 4584 wrote to memory of 1108 4584 ORDEN DE COMPRA URGENTE pdf.exe msbuild.exe PID 4584 wrote to memory of 1108 4584 ORDEN DE COMPRA URGENTE pdf.exe msbuild.exe PID 4584 wrote to memory of 1108 4584 ORDEN DE COMPRA URGENTE pdf.exe msbuild.exe PID 4584 wrote to memory of 3404 4584 ORDEN DE COMPRA URGENTE pdf.exe regsvcs.exe PID 4584 wrote to memory of 3404 4584 ORDEN DE COMPRA URGENTE pdf.exe regsvcs.exe PID 4584 wrote to memory of 3404 4584 ORDEN DE COMPRA URGENTE pdf.exe regsvcs.exe PID 4584 wrote to memory of 3404 4584 ORDEN DE COMPRA URGENTE pdf.exe regsvcs.exe PID 4584 wrote to memory of 3404 4584 ORDEN DE COMPRA URGENTE pdf.exe regsvcs.exe PID 4584 wrote to memory of 3404 4584 ORDEN DE COMPRA URGENTE pdf.exe regsvcs.exe PID 4584 wrote to memory of 3404 4584 ORDEN DE COMPRA URGENTE pdf.exe regsvcs.exe PID 4584 wrote to memory of 3404 4584 ORDEN DE COMPRA URGENTE pdf.exe regsvcs.exe PID 4584 wrote to memory of 4316 4584 ORDEN DE COMPRA URGENTE pdf.exe regsvcs.exe PID 4584 wrote to memory of 4316 4584 ORDEN DE COMPRA URGENTE pdf.exe regsvcs.exe PID 4584 wrote to memory of 4316 4584 ORDEN DE COMPRA URGENTE pdf.exe regsvcs.exe -
outlook_office_path 1 IoCs
Processes:
regsvcs.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 regsvcs.exe -
outlook_win_path 1 IoCs
Processes:
regsvcs.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 regsvcs.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\ORDEN DE COMPRA URGENTE pdf.exe"C:\Users\Admin\AppData\Local\Temp\ORDEN DE COMPRA URGENTE pdf.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4584 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"2⤵PID:1652
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"2⤵PID:1108
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"2⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:3404 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"2⤵PID:4316
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4372,i,15140928051103392835,1612840580898364401,262144 --variations-seed-version --mojo-platform-channel-handle=3848 /prefetch:81⤵PID:3848