snakekeylogger | af39fbe823fae738dd65381453b2b5caf1e3bac99e55fa3e2c7607453a9ab82c

General

Target

New order RI326-10-2022_final_order.exe
Size

558KB
MD5

e62922b803afddf517121cea2aa4593e
SHA1

c1a212d120c9853656cf9eac6f851da4b358bed5
SHA256

af39fbe823fae738dd65381453b2b5caf1e3bac99e55fa3e2c7607453a9ab82c
SHA512

4a6d7f10a16d12386a7df87dd9426e16bf90f50afc0900bea2e5a6ad68eb6ddbaec726bb333d4372ebca43d45a60576daabb5824c9056f00b705d40a571d0c41
SSDEEP

12288:iBTUAKex4Vfd2NGflmA44b2xlnWKcTZlLg6A9BDYOKxdJ:mYh2oG4jTPo9BDYN

Score

10^/10

snakekeylogger collection keylogger persistence spyware stealer

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

New order RI326-10-2022_final_order.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "\"C:\\Users\\Admin\\AppData\\Roaming\\77yGX8E8PRcXUIqu\\ilbe5gLKUPCl.exe\",explorer.exe"	New order RI326-10-2022_final_order.exe

Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
stealer keylogger snakekeylogger

Snake Keylogger payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2224-138-0x0000000000400000-0x0000000000452000-memory.dmp	family_snakekeylogger

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

New order RI326-10-2022_final_order.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	New order RI326-10-2022_final_order.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

New order RI326-10-2022_final_order.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	New order RI326-10-2022_final_order.exe
Key opened	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	New order RI326-10-2022_final_order.exe
Key opened	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	New order RI326-10-2022_final_order.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

17 checkip.dyndns.org

flow	ioc
17	checkip.dyndns.org

Suspicious use of SetThreadContext 1 IoCs

Processes:

New order RI326-10-2022_final_order.exe

description	pid	process	target process
PID 4772 set thread context of 2224	4772	New order RI326-10-2022_final_order.exe	New order RI326-10-2022_final_order.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

AcroRd32.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

AcroRd32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Modifies registry class 1 IoCs

Processes:

New order RI326-10-2022_final_order.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	New order RI326-10-2022_final_order.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

Processes:

New order RI326-10-2022_final_order.exeNew order RI326-10-2022_final_order.exeAcroRd32.exe

pid	process
4772	New order RI326-10-2022_final_order.exe
4772	New order RI326-10-2022_final_order.exe
2224	New order RI326-10-2022_final_order.exe
2224	New order RI326-10-2022_final_order.exe
2876	AcroRd32.exe
2876	AcroRd32.exe
2876	AcroRd32.exe
2876	AcroRd32.exe
2876	AcroRd32.exe
2876	AcroRd32.exe
2876	AcroRd32.exe
2876	AcroRd32.exe
2876	AcroRd32.exe
2876	AcroRd32.exe
2876	AcroRd32.exe
2876	AcroRd32.exe
2876	AcroRd32.exe
2876	AcroRd32.exe
2876	AcroRd32.exe
2876	AcroRd32.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

New order RI326-10-2022_final_order.exeNew order RI326-10-2022_final_order.exe

description	pid	process
Token: SeDebugPrivilege	4772	New order RI326-10-2022_final_order.exe
Token: SeDebugPrivilege	4772	New order RI326-10-2022_final_order.exe
Token: SeDebugPrivilege	2224	New order RI326-10-2022_final_order.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

AcroRd32.exe

pid process

2876 AcroRd32.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

AcroRd32.exe

pid process

2876 AcroRd32.exe
2876 AcroRd32.exe
2876 AcroRd32.exe
2876 AcroRd32.exe
2876 AcroRd32.exe
2876 AcroRd32.exe

pid	process
2876	AcroRd32.exe

pid	process
2876	AcroRd32.exe
2876	AcroRd32.exe
2876	AcroRd32.exe
2876	AcroRd32.exe
2876	AcroRd32.exe
2876	AcroRd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

New order RI326-10-2022_final_order.exeAcroRd32.exeRdrCEF.exe

description	pid	process	target process
PID 4772 wrote to memory of 2876	4772	New order RI326-10-2022_final_order.exe	AcroRd32.exe
PID 4772 wrote to memory of 2876	4772	New order RI326-10-2022_final_order.exe	AcroRd32.exe
PID 4772 wrote to memory of 2876	4772	New order RI326-10-2022_final_order.exe	AcroRd32.exe
PID 4772 wrote to memory of 2224	4772	New order RI326-10-2022_final_order.exe	New order RI326-10-2022_final_order.exe
PID 4772 wrote to memory of 2224	4772	New order RI326-10-2022_final_order.exe	New order RI326-10-2022_final_order.exe
PID 4772 wrote to memory of 2224	4772	New order RI326-10-2022_final_order.exe	New order RI326-10-2022_final_order.exe
PID 4772 wrote to memory of 2224	4772	New order RI326-10-2022_final_order.exe	New order RI326-10-2022_final_order.exe
PID 4772 wrote to memory of 2224	4772	New order RI326-10-2022_final_order.exe	New order RI326-10-2022_final_order.exe
PID 4772 wrote to memory of 2224	4772	New order RI326-10-2022_final_order.exe	New order RI326-10-2022_final_order.exe
PID 4772 wrote to memory of 2224	4772	New order RI326-10-2022_final_order.exe	New order RI326-10-2022_final_order.exe
PID 4772 wrote to memory of 2224	4772	New order RI326-10-2022_final_order.exe	New order RI326-10-2022_final_order.exe
PID 2876 wrote to memory of 4288	2876	AcroRd32.exe	RdrCEF.exe
PID 2876 wrote to memory of 4288	2876	AcroRd32.exe	RdrCEF.exe
PID 2876 wrote to memory of 4288	2876	AcroRd32.exe	RdrCEF.exe
PID 4288 wrote to memory of 3724	4288	RdrCEF.exe	RdrCEF.exe
PID 4288 wrote to memory of 3724	4288	RdrCEF.exe	RdrCEF.exe
PID 4288 wrote to memory of 3724	4288	RdrCEF.exe	RdrCEF.exe
PID 4288 wrote to memory of 3724	4288	RdrCEF.exe	RdrCEF.exe
PID 4288 wrote to memory of 3724	4288	RdrCEF.exe	RdrCEF.exe
PID 4288 wrote to memory of 3724	4288	RdrCEF.exe	RdrCEF.exe
PID 4288 wrote to memory of 3724	4288	RdrCEF.exe	RdrCEF.exe
PID 4288 wrote to memory of 3724	4288	RdrCEF.exe	RdrCEF.exe
PID 4288 wrote to memory of 3724	4288	RdrCEF.exe	RdrCEF.exe
PID 4288 wrote to memory of 3724	4288	RdrCEF.exe	RdrCEF.exe
PID 4288 wrote to memory of 3724	4288	RdrCEF.exe	RdrCEF.exe
PID 4288 wrote to memory of 3724	4288	RdrCEF.exe	RdrCEF.exe
PID 4288 wrote to memory of 3724	4288	RdrCEF.exe	RdrCEF.exe
PID 4288 wrote to memory of 3724	4288	RdrCEF.exe	RdrCEF.exe
PID 4288 wrote to memory of 3724	4288	RdrCEF.exe	RdrCEF.exe
PID 4288 wrote to memory of 3724	4288	RdrCEF.exe	RdrCEF.exe
PID 4288 wrote to memory of 3724	4288	RdrCEF.exe	RdrCEF.exe
PID 4288 wrote to memory of 3724	4288	RdrCEF.exe	RdrCEF.exe
PID 4288 wrote to memory of 3724	4288	RdrCEF.exe	RdrCEF.exe
PID 4288 wrote to memory of 3724	4288	RdrCEF.exe	RdrCEF.exe
PID 4288 wrote to memory of 3724	4288	RdrCEF.exe	RdrCEF.exe
PID 4288 wrote to memory of 3724	4288	RdrCEF.exe	RdrCEF.exe
PID 4288 wrote to memory of 3724	4288	RdrCEF.exe	RdrCEF.exe
PID 4288 wrote to memory of 3724	4288	RdrCEF.exe	RdrCEF.exe
PID 4288 wrote to memory of 3724	4288	RdrCEF.exe	RdrCEF.exe
PID 4288 wrote to memory of 3724	4288	RdrCEF.exe	RdrCEF.exe
PID 4288 wrote to memory of 3724	4288	RdrCEF.exe	RdrCEF.exe
PID 4288 wrote to memory of 3724	4288	RdrCEF.exe	RdrCEF.exe
PID 4288 wrote to memory of 3724	4288	RdrCEF.exe	RdrCEF.exe
PID 4288 wrote to memory of 3724	4288	RdrCEF.exe	RdrCEF.exe
PID 4288 wrote to memory of 3724	4288	RdrCEF.exe	RdrCEF.exe
PID 4288 wrote to memory of 3724	4288	RdrCEF.exe	RdrCEF.exe
PID 4288 wrote to memory of 3724	4288	RdrCEF.exe	RdrCEF.exe
PID 4288 wrote to memory of 3724	4288	RdrCEF.exe	RdrCEF.exe
PID 4288 wrote to memory of 3724	4288	RdrCEF.exe	RdrCEF.exe
PID 4288 wrote to memory of 3724	4288	RdrCEF.exe	RdrCEF.exe
PID 4288 wrote to memory of 3724	4288	RdrCEF.exe	RdrCEF.exe
PID 4288 wrote to memory of 3724	4288	RdrCEF.exe	RdrCEF.exe
PID 4288 wrote to memory of 3724	4288	RdrCEF.exe	RdrCEF.exe
PID 4288 wrote to memory of 3724	4288	RdrCEF.exe	RdrCEF.exe
PID 4288 wrote to memory of 3724	4288	RdrCEF.exe	RdrCEF.exe
PID 4288 wrote to memory of 4936	4288	RdrCEF.exe	RdrCEF.exe
PID 4288 wrote to memory of 4936	4288	RdrCEF.exe	RdrCEF.exe
PID 4288 wrote to memory of 4936	4288	RdrCEF.exe	RdrCEF.exe
PID 4288 wrote to memory of 4936	4288	RdrCEF.exe	RdrCEF.exe
PID 4288 wrote to memory of 4936	4288	RdrCEF.exe	RdrCEF.exe
PID 4288 wrote to memory of 4936	4288	RdrCEF.exe	RdrCEF.exe
PID 4288 wrote to memory of 4936	4288	RdrCEF.exe	RdrCEF.exe
PID 4288 wrote to memory of 4936	4288	RdrCEF.exe	RdrCEF.exe
PID 4288 wrote to memory of 4936	4288	RdrCEF.exe	RdrCEF.exe

outlook_office_path 1 IoCs

Processes:

New order RI326-10-2022_final_order.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	New order RI326-10-2022_final_order.exe

outlook_win_path 1 IoCs

Processes:

New order RI326-10-2022_final_order.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	New order RI326-10-2022_final_order.exe

C:\Users\Admin\AppData\Local\Temp\New order RI326-10-2022_final_order.exe
"C:\Users\Admin\AppData\Local\Temp\New order RI326-10-2022_final_order.exe"
1⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4772

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\4Tm3JfVMTJyGMZA6.pdf"
2⤵
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2876

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
3⤵
- Suspicious use of WriteProcessMemory
PID:4288

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=0DA93ACEBD5C6A84176203374AE865BB --mojo-platform-channel-handle=1736 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
4⤵
PID:3724

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=51149D0A44BFEFEE7CC863975474017E --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=51149D0A44BFEFEE7CC863975474017E --renderer-client-id=2 --mojo-platform-channel-handle=1744 --allow-no-sandbox-job /prefetch:1
4⤵
PID:4936

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=0CFAA034DB04407002AE8E0120E9AAC8 --mojo-platform-channel-handle=2328 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
4⤵
PID:3128

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=4BA881B4D5E8E130EA04500E5AC7FD5C --mojo-platform-channel-handle=2432 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
4⤵
PID:3248

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=D96552724897DD63A2446BA018927806 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=D96552724897DD63A2446BA018927806 --renderer-client-id=6 --mojo-platform-channel-handle=2440 --allow-no-sandbox-job /prefetch:1
4⤵
PID:832

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=DB1F22323FEA53086BB5BD86737BCDC6 --mojo-platform-channel-handle=2344 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
4⤵
PID:1856

C:\Users\Admin\AppData\Local\Temp\New order RI326-10-2022_final_order.exe
"C:\Users\Admin\AppData\Local\Temp\New order RI326-10-2022_final_order.exe"
2⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:2224

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1564

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

1

T1004

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Credentials in Files

3

T1081

Discovery

Query Registry

2

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\4Tm3JfVMTJyGMZA6.pdf

Filesize
55KB

MD5
741541379bb83db584f30c7dcfb67c82

SHA1
7a57f25178eee879ac743f874ed016d6e9680213

SHA256
a1270d13c0eed237a6a4818e60dfcd83e0f382b1f4689af917991693b865fbe7

SHA512
370fdacc7cf1232394c2561821b079c13dcbfd24fb2eccbd4c7b85894412d5acb35bdf2af6424f1f5c570fdbb3e408baf137f30e50b89f375d8c86d29873e6af

Download Submit
memory/832-157-0x0000000000000000-mapping.dmp

Download
memory/1856-162-0x0000000000000000-mapping.dmp

Download
memory/2224-139-0x0000000004E60000-0x0000000004EFC000-memory.dmp

Filesize
624KB

Download
memory/2224-164-0x00000000062A0000-0x0000000006462000-memory.dmp

Filesize
1.8MB

Download
memory/2224-137-0x0000000000000000-mapping.dmp

Download
memory/2224-138-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2876-136-0x0000000000000000-mapping.dmp

Download
memory/3128-151-0x0000000000000000-mapping.dmp

Download
memory/3248-154-0x0000000000000000-mapping.dmp

Download
memory/3724-143-0x0000000000000000-mapping.dmp

Download
memory/4288-141-0x0000000000000000-mapping.dmp

Download
memory/4772-132-0x0000000000C50000-0x0000000000CE2000-memory.dmp

Filesize
584KB

Download
memory/4772-135-0x0000000005690000-0x000000000569A000-memory.dmp

Filesize
40KB

Download
memory/4772-134-0x0000000005730000-0x00000000057C2000-memory.dmp

Filesize
584KB

Download
memory/4772-133-0x0000000005CE0000-0x0000000006284000-memory.dmp

Filesize
5.6MB

Download
memory/4936-146-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads