Analysis
-
max time kernel
135s -
max time network
127s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
24-05-2024 13:28
Static task
static1
Behavioral task
behavioral1
Sample
Invoice.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
Invoice.exe
Resource
win10v2004-20240508-en
General
-
Target
Invoice.exe
-
Size
557KB
-
MD5
7ccea594742ef8616d4329ae4b13d65f
-
SHA1
2cc66eb1781ca1389e5b961f6904ba819770cf62
-
SHA256
3235c0cc1e4c983e8e11ad3f9fe6af66cf5cda2d4f4730f84cd290d877136b6c
-
SHA512
59eef8e1cbedf34393b262f3d84e61a67e552db3ce8d95c492d5559449694d2d6324882c84b844d496b2ae9a7a81dd42df81b6a0a4ff74a8c02e964a680d4a3d
-
SSDEEP
12288:dVTlZnKl3tPs75yJfVtHNrx8ACBUtjKxisU9zJDs1K4YJHg6gi/:nZZKlCYJdBN98AC65izUrow9H+i
Malware Config
Extracted
Protocol: smtp- Host:
mail.speedhouseoman.com - Port:
587 - Username:
[email protected] - Password:
SpH@0084
Extracted
snakekeylogger
Protocol: smtp- Host:
mail.speedhouseoman.com - Port:
587 - Username:
[email protected] - Password:
SpH@0084
https://scratchdreams.tk
Signatures
-
Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
-
Snake Keylogger payload 1 IoCs
Processes:
resource yara_rule behavioral2/memory/1360-21-0x0000000000400000-0x0000000000426000-memory.dmp family_snakekeylogger -
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
Invoice.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation Invoice.exe -
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
Processes:
Invoice.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Invoice.exe Key opened \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Invoice.exe Key opened \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Invoice.exe -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 34 checkip.dyndns.org -
Suspicious use of SetThreadContext 1 IoCs
Processes:
Invoice.exedescription pid process target process PID 1060 set thread context of 1360 1060 Invoice.exe Invoice.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
Processes:
Invoice.exepowershell.exepid process 1360 Invoice.exe 1360 Invoice.exe 4388 powershell.exe 4388 powershell.exe 4388 powershell.exe 1360 Invoice.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
powershell.exeInvoice.exedescription pid process Token: SeDebugPrivilege 4388 powershell.exe Token: SeDebugPrivilege 1360 Invoice.exe -
Suspicious use of WriteProcessMemory 14 IoCs
Processes:
Invoice.exedescription pid process target process PID 1060 wrote to memory of 4388 1060 Invoice.exe powershell.exe PID 1060 wrote to memory of 4388 1060 Invoice.exe powershell.exe PID 1060 wrote to memory of 4388 1060 Invoice.exe powershell.exe PID 1060 wrote to memory of 3736 1060 Invoice.exe schtasks.exe PID 1060 wrote to memory of 3736 1060 Invoice.exe schtasks.exe PID 1060 wrote to memory of 3736 1060 Invoice.exe schtasks.exe PID 1060 wrote to memory of 1360 1060 Invoice.exe Invoice.exe PID 1060 wrote to memory of 1360 1060 Invoice.exe Invoice.exe PID 1060 wrote to memory of 1360 1060 Invoice.exe Invoice.exe PID 1060 wrote to memory of 1360 1060 Invoice.exe Invoice.exe PID 1060 wrote to memory of 1360 1060 Invoice.exe Invoice.exe PID 1060 wrote to memory of 1360 1060 Invoice.exe Invoice.exe PID 1060 wrote to memory of 1360 1060 Invoice.exe Invoice.exe PID 1060 wrote to memory of 1360 1060 Invoice.exe Invoice.exe -
outlook_office_path 1 IoCs
Processes:
Invoice.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Invoice.exe -
outlook_win_path 1 IoCs
Processes:
Invoice.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Invoice.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\Invoice.exe"C:\Users\Admin\AppData\Local\Temp\Invoice.exe"1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\xHctVCfBs.exe"2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\xHctVCfBs" /XML "C:\Users\Admin\AppData\Local\Temp\tmp12B8.tmp"2⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Local\Temp\Invoice.exe"C:\Users\Admin\AppData\Local\Temp\Invoice.exe"2⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4256,i,18168883380598738769,14202261231630113808,262144 --variations-seed-version --mojo-platform-channel-handle=1036 /prefetch:81⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_2pninq33.w0r.ps1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Users\Admin\AppData\Local\Temp\tmp12B8.tmpFilesize
1KB
MD5fcf8bb331a981bf080e84a1b66f4898f
SHA1b0b4b501ce96c0721418864d57e20b0eb081918e
SHA25613bd24a917cc70f19243f942e8a63c4c6747b890c72479779f16811dd9f58871
SHA5125e1f2831856b5574d2c86cc51f67e81d8599893df68cf725185b3c64c46a6a30a266315dd8b47c1c6c646d6623fb6f9cff6d213f9fe630fb6ce8376e9bc8cc22
-
memory/1060-10-0x0000000009100000-0x000000000919C000-memory.dmpFilesize
624KB
-
memory/1060-0-0x000000007500E000-0x000000007500F000-memory.dmpFilesize
4KB
-
memory/1060-4-0x0000000005510000-0x000000000551A000-memory.dmpFilesize
40KB
-
memory/1060-5-0x0000000075000000-0x00000000757B0000-memory.dmpFilesize
7.7MB
-
memory/1060-6-0x0000000005870000-0x00000000058F6000-memory.dmpFilesize
536KB
-
memory/1060-7-0x00000000067C0000-0x00000000067DA000-memory.dmpFilesize
104KB
-
memory/1060-8-0x0000000005650000-0x0000000005660000-memory.dmpFilesize
64KB
-
memory/1060-9-0x0000000006A70000-0x0000000006AD8000-memory.dmpFilesize
416KB
-
memory/1060-1-0x00000000009F0000-0x0000000000A80000-memory.dmpFilesize
576KB
-
memory/1060-3-0x0000000005460000-0x00000000054F2000-memory.dmpFilesize
584KB
-
memory/1060-24-0x0000000075000000-0x00000000757B0000-memory.dmpFilesize
7.7MB
-
memory/1060-2-0x0000000005910000-0x0000000005EB4000-memory.dmpFilesize
5.6MB
-
memory/1360-68-0x0000000006810000-0x00000000069D2000-memory.dmpFilesize
1.8MB
-
memory/1360-67-0x00000000065F0000-0x0000000006640000-memory.dmpFilesize
320KB
-
memory/1360-66-0x0000000075000000-0x00000000757B0000-memory.dmpFilesize
7.7MB
-
memory/1360-21-0x0000000000400000-0x0000000000426000-memory.dmpFilesize
152KB
-
memory/1360-69-0x0000000006F10000-0x000000000743C000-memory.dmpFilesize
5.2MB
-
memory/1360-23-0x0000000075000000-0x00000000757B0000-memory.dmpFilesize
7.7MB
-
memory/1360-28-0x0000000075000000-0x00000000757B0000-memory.dmpFilesize
7.7MB
-
memory/4388-15-0x0000000002EB0000-0x0000000002EE6000-memory.dmpFilesize
216KB
-
memory/4388-56-0x0000000007B30000-0x0000000007B3A000-memory.dmpFilesize
40KB
-
memory/4388-27-0x0000000006130000-0x0000000006196000-memory.dmpFilesize
408KB
-
memory/4388-25-0x0000000006020000-0x0000000006042000-memory.dmpFilesize
136KB
-
memory/4388-38-0x00000000061A0000-0x00000000064F4000-memory.dmpFilesize
3.3MB
-
memory/4388-39-0x0000000006770000-0x000000000678E000-memory.dmpFilesize
120KB
-
memory/4388-40-0x00000000067B0000-0x00000000067FC000-memory.dmpFilesize
304KB
-
memory/4388-42-0x0000000070A30000-0x0000000070A7C000-memory.dmpFilesize
304KB
-
memory/4388-41-0x0000000007730000-0x0000000007762000-memory.dmpFilesize
200KB
-
memory/4388-52-0x0000000006D50000-0x0000000006D6E000-memory.dmpFilesize
120KB
-
memory/4388-53-0x0000000007980000-0x0000000007A23000-memory.dmpFilesize
652KB
-
memory/4388-54-0x0000000008100000-0x000000000877A000-memory.dmpFilesize
6.5MB
-
memory/4388-55-0x0000000007AC0000-0x0000000007ADA000-memory.dmpFilesize
104KB
-
memory/4388-26-0x00000000060C0000-0x0000000006126000-memory.dmpFilesize
408KB
-
memory/4388-57-0x0000000007D40000-0x0000000007DD6000-memory.dmpFilesize
600KB
-
memory/4388-58-0x0000000007CC0000-0x0000000007CD1000-memory.dmpFilesize
68KB
-
memory/4388-59-0x0000000007CF0000-0x0000000007CFE000-memory.dmpFilesize
56KB
-
memory/4388-60-0x0000000007D00000-0x0000000007D14000-memory.dmpFilesize
80KB
-
memory/4388-61-0x0000000007E00000-0x0000000007E1A000-memory.dmpFilesize
104KB
-
memory/4388-62-0x0000000007DE0000-0x0000000007DE8000-memory.dmpFilesize
32KB
-
memory/4388-65-0x0000000075000000-0x00000000757B0000-memory.dmpFilesize
7.7MB
-
memory/4388-20-0x0000000075000000-0x00000000757B0000-memory.dmpFilesize
7.7MB
-
memory/4388-18-0x00000000059C0000-0x0000000005FE8000-memory.dmpFilesize
6.2MB
-
memory/4388-19-0x0000000075000000-0x00000000757B0000-memory.dmpFilesize
7.7MB
-
memory/4388-17-0x0000000075000000-0x00000000757B0000-memory.dmpFilesize
7.7MB