Analysis
- max time kernel: 143s
- max time network: 148s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 29-06-2024 03:16
Static task: static1
Behavioral task: behavioral1
- Sample: new order.exe
- Resource: win7-20240611-en
Behavioral task: behavioral2
- Sample: new order.exe
- Resource: win10v2004-20240226-en
General
- Target: new order.exe
- Size: 482KB
- MD5: 01c1bc3aa16ddb58b7d0fd28a723251f
- SHA1: 782bfcfcf7f66a98c280a9a39d852f6e238a0478
- SHA256: da6b0f4662ab7c277189dafa7f323551c54982b2d54466feefc27d83a3c90e3c
- SHA512: ecf618c120de072bf747ad3e45dc872b3dcd2e58cdc7dbf2bb1816d5560c9ea168ce968e99b09f126a17290e5bd37b5bf5c6f61a82e5008c0723478eeff2da50
- SSDEEP: 6144:wXuAPKbOs/ASmh4okC/fLWt+MJLwVXSGN8hOCXODNlPK5HFTkXkX9I8:wXuBV/FmaorLWtzCiyNQl
Malware Config
Extracted
Family: snakekeylogger
- Protocol: smtp
- Host: valleycountysar.org
- Port: 26
- Username: [email protected]
- Password: fY,FLoadtsiF
Signatures
- Snake Keylogger
  Keylogger and Infostealer first seen in November 2020.
- Snake Keylogger payload (1 IoCs)
  Processes:
  resource: behavioral2/memory/3280-9-0x0000000000400000-0x0000000000426000-memory.dmp
  yara_rule: family_snakekeylogger
- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk where infostealers will often target it.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses Microsoft Outlook profiles (1 TTPs, 3 IoCs)
  Processes: new order.exe
  Key opened: \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (process: new order.exe)
  Key opened: \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (process: new order.exe)
  Key opened: \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (process: new order.exe)
- Looks up external IP address via web service (1 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes:
  flow 16: checkip.dyndns.org
- Suspicious use of SetThreadContext (1 IoCs)
  Processes: new order.exe
  PID 1572 (new order.exe) set thread context of PID 3280 (new order.exe)
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes: new order.exe
  PID 3280 (new order.exe)
  PID 3280 (new order.exe)
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes: new order.exe
  Token: SeDebugPrivilege, PID 3280 (new order.exe)
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes: new order.exe
  PID 1572 (new order.exe) wrote to memory of PID 3280 (new order.exe), repeated 8 times
- outlook_office_path (1 IoCs)
  Processes: new order.exe
  Key opened: \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (process: new order.exe)
- outlook_win_path (1 IoCs)
  Processes: new order.exe
  Key opened: \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (process: new order.exe)
Processes
- C:\Users\Admin\AppData\Local\Temp\new order.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\new order.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\new order.exe (child process)
    Command line: "C:\Users\Admin\AppData\Local\Temp\new order.exe"
    - Accesses Microsoft Outlook profiles
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4024 --field-trial-handle=2248,i,10247514684337323751,15511974759131734137,262144 --variations-seed-version /prefetch:8
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- memory/1572-8-0x0000000004EE0000-0x0000000004EE8000-memory.dmp  Filesize: 32KB
- memory/1572-6-0x0000000004E60000-0x0000000004EB4000-memory.dmp  Filesize: 336KB
- memory/1572-2-0x0000000005250000-0x00000000057F4000-memory.dmp  Filesize: 5.6MB
- memory/1572-3-0x0000000004CA0000-0x0000000004D32000-memory.dmp  Filesize: 584KB
- memory/1572-0-0x0000000074E4E000-0x0000000074E4F000-memory.dmp  Filesize: 4KB
- memory/1572-5-0x0000000004E50000-0x0000000004E5A000-memory.dmp  Filesize: 40KB
- memory/1572-1-0x00000000001C0000-0x000000000023E000-memory.dmp  Filesize: 504KB
- memory/1572-7-0x0000000004FC0000-0x000000000505C000-memory.dmp  Filesize: 624KB
- memory/1572-4-0x0000000074E40000-0x00000000755F0000-memory.dmp  Filesize: 7.7MB
- memory/1572-13-0x0000000074E40000-0x00000000755F0000-memory.dmp  Filesize: 7.7MB
- memory/3280-10-0x0000000074E40000-0x00000000755F0000-memory.dmp  Filesize: 7.7MB
- memory/3280-11-0x0000000074E40000-0x00000000755F0000-memory.dmp  Filesize: 7.7MB
- memory/3280-9-0x0000000000400000-0x0000000000426000-memory.dmp  Filesize: 152KB
- memory/3280-14-0x00000000063B0000-0x0000000006400000-memory.dmp  Filesize: 320KB
- memory/3280-15-0x00000000065D0000-0x0000000006792000-memory.dmp  Filesize: 1.8MB
- memory/3280-16-0x0000000074E40000-0x00000000755F0000-memory.dmp  Filesize: 7.7MB