Analysis
-
max time kernel
70s -
max time network
126s -
platform
windows10-2004_x64 -
resource
win10v2004-20220414-en -
submitted
05-07-2022 12:02
Static task
static1
Behavioral task
behavioral1
Sample
New Order_Hwqa0192883.exe
Resource
win7-20220414-en
Behavioral task
behavioral2
Sample
New Order_Hwqa0192883.exe
Resource
win10v2004-20220414-en
General
-
Target
New Order_Hwqa0192883.exe
-
Size
1.5MB
-
MD5
6a50ea3a64109270c92820c61f9194ad
-
SHA1
8ff6b22a126c0c5014585d3c6baf45cbff9c567d
-
SHA256
8bf3a6d4281caa9520340d186e314cd64b8986de1dfa306c9d256ffa0f4c06ab
-
SHA512
1112af1c999fa5b950d988d62fd389dcfa4c08393be66a78cbf128b7ba282b203633d7ae1007c8cd093716cb94936b0f2fe54e53ed90e629fced2f0fcb8214a2
Malware Config
Extracted
snakekeylogger
Protocol: smtp- Host:
mail.putlock.co.uk - Port:
587 - Username:
garry@putlock.co.uk - Password:
Puttflue94 - Email To:
jantonio.crystal.cfi@gmail.com
https://api.telegram.org/bot5502458727:AAFTUrq_Mr-3cF-XZNdwaOsYHT_Ur2vcW3E/sendMessage?chat_id=1530075292
Signatures
-
Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
-
Snake Keylogger Payload 1 IoCs
Processes:
resource yara_rule behavioral2/memory/684-137-0x0000000000400000-0x000000000047C000-memory.dmp family_snakekeylogger -
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
Processes:
New Order_Hwqa0192883.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 New Order_Hwqa0192883.exe Key opened \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 New Order_Hwqa0192883.exe Key opened \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 New Order_Hwqa0192883.exe -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 12 checkip.dyndns.org -
Suspicious use of SetThreadContext 1 IoCs
Processes:
New Order_Hwqa0192883.exedescription pid process target process PID 1124 set thread context of 684 1124 New Order_Hwqa0192883.exe New Order_Hwqa0192883.exe -
Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes:
New Order_Hwqa0192883.exepid process 684 New Order_Hwqa0192883.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
New Order_Hwqa0192883.exedescription pid process Token: SeDebugPrivilege 684 New Order_Hwqa0192883.exe -
Suspicious use of WriteProcessMemory 8 IoCs
Processes:
New Order_Hwqa0192883.exedescription pid process target process PID 1124 wrote to memory of 684 1124 New Order_Hwqa0192883.exe New Order_Hwqa0192883.exe PID 1124 wrote to memory of 684 1124 New Order_Hwqa0192883.exe New Order_Hwqa0192883.exe PID 1124 wrote to memory of 684 1124 New Order_Hwqa0192883.exe New Order_Hwqa0192883.exe PID 1124 wrote to memory of 684 1124 New Order_Hwqa0192883.exe New Order_Hwqa0192883.exe PID 1124 wrote to memory of 684 1124 New Order_Hwqa0192883.exe New Order_Hwqa0192883.exe PID 1124 wrote to memory of 684 1124 New Order_Hwqa0192883.exe New Order_Hwqa0192883.exe PID 1124 wrote to memory of 684 1124 New Order_Hwqa0192883.exe New Order_Hwqa0192883.exe PID 1124 wrote to memory of 684 1124 New Order_Hwqa0192883.exe New Order_Hwqa0192883.exe -
outlook_office_path 1 IoCs
Processes:
New Order_Hwqa0192883.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 New Order_Hwqa0192883.exe -
outlook_win_path 1 IoCs
Processes:
New Order_Hwqa0192883.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 New Order_Hwqa0192883.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\New Order_Hwqa0192883.exe"C:\Users\Admin\AppData\Local\Temp\New Order_Hwqa0192883.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\New Order_Hwqa0192883.exe"C:\Users\Admin\AppData\Local\Temp\New Order_Hwqa0192883.exe"2⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\New Order_Hwqa0192883.exe.logFilesize
886B
MD53a82042a53c77ee2037f6d3901a99695
SHA113c5e178e1443e3a2b6ff4ec762445cde6c8a8f8
SHA256fdfc0bee6468f8bcbb7393bbf5c1f7031b03e801e4f25307f804fdbecd982188
SHA512f2f0b04a3eedb134f1d1acb3f11c146552017e66f03b869339278f475ce4fb5432dcc1d0bbaffcf215ca0fc40f9b3c86e6a4108be4529542017611c6edc5fed5
-
memory/684-136-0x0000000000000000-mapping.dmp
-
memory/684-137-0x0000000000400000-0x000000000047C000-memory.dmpFilesize
496KB
-
memory/684-139-0x0000000006390000-0x000000000639A000-memory.dmpFilesize
40KB
-
memory/1124-130-0x0000000000D80000-0x0000000000F04000-memory.dmpFilesize
1.5MB
-
memory/1124-131-0x0000000005860000-0x00000000058D6000-memory.dmpFilesize
472KB
-
memory/1124-132-0x0000000005900000-0x000000000591E000-memory.dmpFilesize
120KB
-
memory/1124-133-0x00000000060C0000-0x0000000006664000-memory.dmpFilesize
5.6MB
-
memory/1124-134-0x0000000005BD0000-0x0000000005C62000-memory.dmpFilesize
584KB
-
memory/1124-135-0x0000000005D10000-0x0000000005DAC000-memory.dmpFilesize
624KB