Analysis
- max time kernel: 117s
- max time network: 132s
- platform: windows7_x64
- resource: win7-en-20211014
- submitted: 21-10-2021 18:39

Static task: static1
Behavioral task: behavioral1
  Sample: Purchase order.VBS
  Resource: win7-en-20211014
Behavioral task: behavioral2
  Sample: Purchase order.VBS
  Resource: win10-en-20210920
General
- Target: Purchase order.VBS
- Size: 2KB
- MD5: 551fde9593f19dc3fd9cc79f7f08e4cb
- SHA1: 2a57ca45c2720dd7e08cc0e2b6ced80a782c54b3
- SHA256: b5fe0465468c4e7db32ba8d57f8d857a03b6e0a905d91627fb76e32aed85a4e1
- SHA512: 0238490e34b40a54806fb5ccab60d241ac997209324c76aeddec7636a91f67ce9a278b636445ed33d4ebfb2042c9e5d8080438b4ed3b7ea74d49d1fddccb7b21
Malware Config
Extracted: snakekeylogger
- Protocol: smtp
- Host: smtp.live.com
- Port: 587
- Username: deniyi334@hotmail.com
- Password: shitturilwan334
Signatures
- Snake Keylogger
  Keylogger and infostealer first seen in November 2020.
- Blocklisted process makes network request (1 IoC)
  Processes (flow | pid | process):
    5 | 764 | WScript.exe
- Downloads MZ/PE file
- Executes dropped EXE (2 IoCs)
  Processes (pid | process):
    1460 | nc.exe
    1984 | nc.exe
- Loads dropped DLL (1 IoC)
  Processes (pid | process):
    1460 | nc.exe
- Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.
- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk, where infostealers often target it.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials.
- Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
  Processes (description | ioc | process):
    Key opened | \REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | nc.exe
    Key opened | \REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | nc.exe
    Key opened | \REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | nc.exe
- Looks up external IP address via web service (3 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes (flow | ioc):
    8 | checkip.dyndns.org
    10 | freegeoip.app
    11 | freegeoip.app
- Suspicious use of NtSetInformationThreadHideFromDebugger (12 IoCs)
  Processes (pid | process):
    1460 | nc.exe (12 identical entries)
- Suspicious use of SetThreadContext (1 IoC)
  Processes (description | pid | process | target process):
    PID 1460 set thread context of 1984 | 1460 | nc.exe | nc.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Modifies system certificate store (4 IoCs)
  Processes (description | ioc | process):
    Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\8D8AB41F5BAB79A0B627F311A0FD7A2990EFDC13\Blob = [blob data omitted] | nc.exe
    Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\8D8AB41F5BAB79A0B627F311A0FD7A2990EFDC13\Blob = [blob data omitted] | nc.exe
    Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\8D8AB41F5BAB79A0B627F311A0FD7A2990EFDC13\Blob = [blob data omitted] | nc.exe
    Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\8D8AB41F5BAB79A0B627F311A0FD7A2990EFDC13 | nc.exe
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  Processes (pid | process):
    1460 | nc.exe
    1460 | nc.exe
    1460 | nc.exe
    1984 | nc.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes (description | pid | process):
    Token: SeDebugPrivilege | 1460 | nc.exe
    Token: SeDebugPrivilege | 1984 | nc.exe
- Suspicious use of WriteProcessMemory (13 IoCs)
  Processes (description | pid | process | target process):
    PID 764 wrote to memory of 1460 | 764 | WScript.exe | nc.exe (4 identical entries)
    PID 1460 wrote to memory of 1984 | 1460 | nc.exe | nc.exe (9 identical entries)
- outlook_office_path (1 IoC)
  Processes (description | ioc | process):
    Key opened | \REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | nc.exe
- outlook_win_path (1 IoC)
  Processes (description | ioc | process):
    Key opened | \REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | nc.exe
Processes
- C:\Windows\System32\WScript.exe (depth 1)
  Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Purchase order.VBS"
  - Blocklisted process makes network request
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\nc.exe (depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\nc.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of SetThreadContext
    - Modifies system certificate store
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\nc.exe (depth 3)
      Command line: "C:\Users\Admin\AppData\Local\Temp\nc.exe"
      - Executes dropped EXE
      - Accesses Microsoft Outlook profiles
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - outlook_office_path
      - outlook_win_path
Downloads
- C:\Users\Admin\AppData\Local\Temp\nc.exe
  MD5: b31b5c207c40b7f5a343125fe4f08e8a
  SHA1: 027082190be834bfb69efcb0ac43bb8e9940facb
  SHA256: 8b663cda7b9c7a5c80be11f639e4c6fd3b458371847d7ad5ecab085d036983ca
  SHA512: a999c4b31954064d70dda3ff46ca723c8a0447ebe147d5a265d7c50a0ed5b21437194bdf898d4318b11a6a11f04ce4ee324628310c12bfef0c175c2542a137aa
- \Users\Admin\AppData\Local\Temp\nc.exe
  MD5: b31b5c207c40b7f5a343125fe4f08e8a
  SHA1: 027082190be834bfb69efcb0ac43bb8e9940facb
  SHA256: 8b663cda7b9c7a5c80be11f639e4c6fd3b458371847d7ad5ecab085d036983ca
  SHA512: a999c4b31954064d70dda3ff46ca723c8a0447ebe147d5a265d7c50a0ed5b21437194bdf898d4318b11a6a11f04ce4ee324628310c12bfef0c175c2542a137aa