Analysis
- max time kernel: 107s
- max time network: 123s
- platform: windows10_x64
- resource: win10-en-20211104
- submitted: 03-12-2021 14:24
- Static task: static1
- Behavioral task: behavioral1
  - Sample: PURCHASE ORDER.exe
  - Resource: win7-en-20211104
- Behavioral task: behavioral2
  - Sample: PURCHASE ORDER.exe
  - Resource: win10-en-20211104
General
- Target: PURCHASE ORDER.exe
- Size: 604KB
- MD5: a6ffb00132dd3d3bd4efd4a277b2053a
- SHA1: 691f70aee58eba1ceae835f4ea123880be1e0b04
- SHA256: fac76dce20527e0d385d72be5f7d39319b516c6d834940ec42ca270bf8fb70b6
- SHA512: 28f15e590e8b6697add3ff5f889506716fb10b7c23ae856ccfaf766fc8d34ab7eaa6afb02f09cfe8c99c78d96c2e9735513e8b1f1adce4902d137f8012f5668e
Malware Config
Extracted: snakekeylogger
- Protocol: smtp
- Host: mail.privateemail.com
- Port: 587
- Username: admin@siemens-energy.cam
- Password: antivenom
Signatures
- Snake Keylogger
  Keylogger and infostealer first seen in November 2020.
- Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.
- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk, which infostealers often target.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials.
- Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
  Process: PURCHASE ORDER.exe
  - Key opened: \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
  - Key opened: \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
  - Key opened: \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
- Looks up external IP address via web service (3 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  - flow 17: checkip.dyndns.org
  - flow 21: freegeoip.app
  - flow 22: freegeoip.app
- Suspicious use of NtSetInformationThreadHideFromDebugger (6 IoCs)
  - PID 3636 PURCHASE ORDER.exe (6 occurrences)
- Suspicious use of SetThreadContext (1 IoC)
  - PID 3636 (PURCHASE ORDER.exe) set thread context of PID 756 (PURCHASE ORDER.exe)
- Program crash (1 IoC)
  - PID 4084 WerFault.exe, target PID 3636 PURCHASE ORDER.exe
- Suspicious behavior: EnumeratesProcesses (16 IoCs)
  - PID 3636 PURCHASE ORDER.exe (3 occurrences)
  - PID 756 PURCHASE ORDER.exe (1 occurrence)
  - PID 4084 WerFault.exe (12 occurrences)
- Suspicious use of AdjustPrivilegeToken (5 IoCs)
  - Token: SeDebugPrivilege, PID 3636 PURCHASE ORDER.exe
  - Token: SeDebugPrivilege, PID 756 PURCHASE ORDER.exe
  - Token: SeRestorePrivilege, PID 4084 WerFault.exe
  - Token: SeBackupPrivilege, PID 4084 WerFault.exe
  - Token: SeDebugPrivilege, PID 4084 WerFault.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  - PID 3636 (PURCHASE ORDER.exe) wrote to memory of PID 756 (PURCHASE ORDER.exe) (8 occurrences)
- outlook_office_path (1 IoC)
  - Key opened: \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (PURCHASE ORDER.exe)
- outlook_win_path (1 IoC)
  - Key opened: \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (PURCHASE ORDER.exe)
Processes
- "C:\Users\Admin\AppData\Local\Temp\PURCHASE ORDER.exe" (depth 1)
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - "C:\Users\Admin\AppData\Local\Temp\PURCHASE ORDER.exe" (depth 2)
    - Accesses Microsoft Outlook profiles
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path
  - C:\Windows\SysWOW64\WerFault.exe -u -p 3636 -s 1096 (depth 2)
    - Program crash
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/756-125-0x000000000042054E-mapping.dmp
- memory/756-124-0x0000000000400000-0x0000000000426000-memory.dmp (152KB)
- memory/756-130-0x0000000005290000-0x000000000578E000-memory.dmp (5.0MB)
- memory/756-131-0x0000000006720000-0x0000000006721000-memory.dmp (4KB)
- memory/756-132-0x00000000065F0000-0x00000000065F1000-memory.dmp (4KB)
- memory/756-133-0x0000000006590000-0x0000000006591000-memory.dmp (4KB)
- memory/3636-118-0x0000000000990000-0x0000000000991000-memory.dmp (4KB)
- memory/3636-120-0x0000000005240000-0x0000000005241000-memory.dmp (4KB)
- memory/3636-121-0x0000000005350000-0x0000000005351000-memory.dmp (4KB)
- memory/3636-122-0x0000000002B90000-0x0000000002BBD000-memory.dmp (180KB)
- memory/3636-123-0x0000000006AC0000-0x0000000006AC1000-memory.dmp (4KB)