Analysis
- max time kernel: 143s
- max time network: 109s
- platform: windows10-2004_x64
- resource: win10v2004-20230220-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 28-03-2023 06:14
Static task: static1
Behavioral task: behavioral1
- Sample: New order#2_W43.exe
- Resource: win7-20230220-en
Behavioral task: behavioral2
- Sample: New order#2_W43.exe
- Resource: win10v2004-20230220-en
General
- Target: New order#2_W43.exe
- Size: 283KB
- MD5: 6e039c88706de216f5868b3a5a6907c8
- SHA1: 059c31716cd028e75825d2424690ae23d16609db
- SHA256: 9901b6b09b65e36a881dcebc20d5dffa8e70f1258fefa766566f3e17614d7f08
- SHA512: 040ef1dbc56a57d0e68255207f3370f355d242f5c364039b08d3c2615227a7b6a2479e9d8f88461acadd1be9bc2e67160bbcdaa57a02922d6428d14aba9cfe06
- SSDEEP: 6144:PYa6OoOx/cjH90btFuGj484hGnyNE8sEz5/3P:PYw/hcjd0JcHnhGYow5X
Signatures
- Snake Keylogger
  Keylogger and Infostealer first seen in November 2020.
- Snake Keylogger payload (4 IoCs)
  resource | yara_rule
  behavioral2/memory/4732-141-0x0000000000400000-0x0000000000437000-memory.dmp | family_snakekeylogger
  behavioral2/memory/4732-143-0x0000000000400000-0x0000000000437000-memory.dmp | family_snakekeylogger
  behavioral2/memory/4732-144-0x0000000000400000-0x0000000000437000-memory.dmp | family_snakekeylogger
  behavioral2/memory/4732-149-0x0000000000400000-0x0000000000437000-memory.dmp | family_snakekeylogger
- Executes dropped EXE (2 IoCs)
  pid | process
  4912 | etpujifhk.exe
  4732 | etpujifhk.exe
- Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.
- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk where infostealers will often target it.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | etpujifhk.exe
  Key opened | \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | etpujifhk.exe
  Key opened | \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | etpujifhk.exe
- Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow | ioc
  1 | checkip.dyndns.org
- Suspicious use of SetThreadContext (1 IoC)
  description | pid | process | target process
  PID 4912 set thread context of 4732 | 4912 | etpujifhk.exe | etpujifhk.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid | process
  4732 | etpujifhk.exe
  4732 | etpujifhk.exe
- Suspicious behavior: MapViewOfSection (1 IoC)
  pid | process
  4912 | etpujifhk.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  description | pid | process
  Token: SeDebugPrivilege | 4732 | etpujifhk.exe
- Suspicious use of WriteProcessMemory (7 IoCs)
  description | pid | process | target process
  PID 5076 wrote to memory of 4912 | 5076 | New order#2_W43.exe | etpujifhk.exe
  PID 5076 wrote to memory of 4912 | 5076 | New order#2_W43.exe | etpujifhk.exe
  PID 5076 wrote to memory of 4912 | 5076 | New order#2_W43.exe | etpujifhk.exe
  PID 4912 wrote to memory of 4732 | 4912 | etpujifhk.exe | etpujifhk.exe
  PID 4912 wrote to memory of 4732 | 4912 | etpujifhk.exe | etpujifhk.exe
  PID 4912 wrote to memory of 4732 | 4912 | etpujifhk.exe | etpujifhk.exe
  PID 4912 wrote to memory of 4732 | 4912 | etpujifhk.exe | etpujifhk.exe
- outlook_office_path (1 IoC)
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | etpujifhk.exe
- outlook_win_path (1 IoC)
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | etpujifhk.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\New order#2_W43.exe
  "C:\Users\Admin\AppData\Local\Temp\New order#2_W43.exe"
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\etpujifhk.exe
    "C:\Users\Admin\AppData\Local\Temp\etpujifhk.exe" C:\Users\Admin\AppData\Local\Temp\bhtvqfm.dh
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\etpujifhk.exe
      "C:\Users\Admin\AppData\Local\Temp\etpujifhk.exe"
      - Executes dropped EXE
      - Accesses Microsoft Outlook profiles
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - outlook_office_path
      - outlook_win_path
Downloads
- C:\Users\Admin\AppData\Local\Temp\bhtvqfm.dh
  Filesize: 5KB
  MD5: a76713e62a44962a44f9f3592966389e
  SHA1: 9f2065531ba6e597879658bafe1a862ef6836600
  SHA256: 5a7636e7f4127d968665591290b937529a88ce610a862a1d304b58fda1ef8e43
  SHA512: 023dbdad19a1682a6eac3120d8fc201ed8e1a3fc4a9c2046eb617dc146564567e908b7de6473c78c30bc1a3d01e927cafdee25bf2ad301e41809cf3e7720622c
- C:\Users\Admin\AppData\Local\Temp\etpujifhk.exe
  Filesize: 138KB
  MD5: 3f5f31ed34c36492955c38f3bbaca512
  SHA1: 6e70ae1d2b245250c110c9b39852759113d263b5
  SHA256: d387cec4f9e97606c787e2d071d22f94ee604d1a8229b7244364f782ed1c1c37
  SHA512: d135dc30488279b6246cf95e039355f66bc71ab8a990781b53b8ec850a9055b45eb0976024064ee73e6e08efee2c4f78f37da8f5085a6a35f7bab32c38e1de8d
- C:\Users\Admin\AppData\Local\Temp\tudykootswg.gfx
  Filesize: 225KB
  MD5: 1c4aaf2ed0d55ad70d4a4072b9473843
  SHA1: fcbbf98d57c7a55ae80320f8377bead9a54c284d
  SHA256: 0a2ee718a9bd8fdff7b10baf4ac0b3dc269b93da840f3fb0e037e34aacfb717f
  SHA512: d6dbf2806f90fd43bb30193c0988c81ba4ff298ba653a3072a6270d24626db9f4ba3159d8c0676f1008bc8a49885c856ccbddafeb083627f9456bf15800c0037
- memory/4732-148-0x0000000004AD0000-0x0000000004AE0000-memory.dmp: 64KB
- memory/4732-152-0x0000000004AD0000-0x0000000004AE0000-memory.dmp: 64KB
- memory/4732-144-0x0000000000400000-0x0000000000437000-memory.dmp: 220KB
- memory/4732-146-0x0000000004AE0000-0x0000000005084000-memory.dmp: 5.6MB
- memory/4732-147-0x0000000004980000-0x0000000004A1C000-memory.dmp: 624KB
- memory/4732-141-0x0000000000400000-0x0000000000437000-memory.dmp: 220KB
- memory/4732-149-0x0000000000400000-0x0000000000437000-memory.dmp: 220KB
- memory/4732-150-0x0000000004AD0000-0x0000000004AE0000-memory.dmp: 64KB
- memory/4732-151-0x0000000004AD0000-0x0000000004AE0000-memory.dmp: 64KB
- memory/4732-143-0x0000000000400000-0x0000000000437000-memory.dmp: 220KB
- memory/4732-153-0x0000000005C90000-0x0000000005E52000-memory.dmp: 1.8MB
- memory/4732-154-0x0000000005E60000-0x0000000005EF2000-memory.dmp: 584KB
- memory/4732-155-0x0000000005F70000-0x0000000005F7A000-memory.dmp: 40KB
- memory/4732-157-0x0000000004AD0000-0x0000000004AE0000-memory.dmp: 64KB
- memory/4732-158-0x0000000004AD0000-0x0000000004AE0000-memory.dmp: 64KB
- memory/4732-159-0x0000000004AD0000-0x0000000004AE0000-memory.dmp: 64KB
- memory/4732-160-0x0000000004AD0000-0x0000000004AE0000-memory.dmp: 64KB