Analysis
- max time kernel: 142s
- max time network: 140s
- platform: windows10-2004_x64
- resource: win10v2004-20230220-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 05/05/2023, 20:53
Static task: static1
Behavioral task: behavioral1
- Sample: ORDERSCHEDULING.exe
- Resource: win7-20230220-en
Behavioral task: behavioral2
- Sample: ORDERSCHEDULING.exe
- Resource: win10v2004-20230220-en
General
- Target: ORDERSCHEDULING.exe
- Size: 670KB
- MD5: 8905e52e205f687eb511b330e1b5c762
- SHA1: 44edd39613def9e8384b30b13fe1511bf3c2280b
- SHA256: 26309e8127d86579dd6ae130c52298039f110548d77182833c261f0b0f43a340
- SHA512: 449b022be5d3fc5121f6f62de458950abc508240f51c1bbec1aeaa5fe82197ad6ee29d0ab3634306508f3d5d3992f9101078c774ce261c2ffa31ab5cfa5ee7f5
- SSDEEP: 12288:uZo/arWBv6pOw5w+XBlwCu0eDQ+o5v6nnjqKoe:LarWN6pOgdXBlwCzIop6nnjqKoe
Malware Config
Extracted
- Protocol: smtp
- Host: mail.prestige.co.rs
- Port: 587
- Username: [email protected]
- Password: 4FIHB3RQQJR8
Extracted (snakekeylogger)
- Protocol: smtp
- Host: mail.prestige.co.rs
- Port: 587
- Username: [email protected]
- Password: 4FIHB3RQQJR8
- https://api.telegram.org/bot5723707890:AAH2xRvI7tQmHUTxHRRudv8WoyAoxdIIcOI/sendMessage?chat_id=1760125104
Signatures
- Snake Keylogger
  Keylogger and Infostealer first seen in November 2020.
- Snake Keylogger payload (1 IoC)
  resource: behavioral2/memory/5040-137-0x0000000000400000-0x0000000000426000-memory.dmp; yara_rule: family_snakekeylogger
- StormKitty
  StormKitty is an open source info stealer written in C#.
- StormKitty payload (1 IoC)
  resource: behavioral2/memory/5040-137-0x0000000000400000-0x0000000000426000-memory.dmp; yara_rule: family_stormkitty
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
  Key opened: \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (process: ORDERSCHEDULING.exe)
  Key opened: \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (process: ORDERSCHEDULING.exe)
  Key opened: \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (process: ORDERSCHEDULING.exe)
- Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow 23: checkip.dyndns.org
- Suspicious use of SetThreadContext (1 IoC)
  PID 1628 set thread context of 5040 (pid: 1628; process: ORDERSCHEDULING.exe; procid_target: 84)
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid 5040, process ORDERSCHEDULING.exe (2 identical entries)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeDebugPrivilege (pid: 5040; process: ORDERSCHEDULING.exe)
- Suspicious use of WriteProcessMemory (8 IoCs)
  PID 1628 wrote to memory of 5040 (pid: 1628; process: ORDERSCHEDULING.exe; procid_target: 84) (8 identical entries)
- outlook_office_path (1 IoC)
  Key opened: \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (process: ORDERSCHEDULING.exe)
- outlook_win_path (1 IoC)
  Key opened: \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (process: ORDERSCHEDULING.exe)
Processes
- C:\Users\Admin\AppData\Local\Temp\ORDERSCHEDULING.exe (PID: 1628)
  Command line: "C:\Users\Admin\AppData\Local\Temp\ORDERSCHEDULING.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - Child: C:\Users\Admin\AppData\Local\Temp\ORDERSCHEDULING.exe (PID: 5040)
    Command line: "C:\Users\Admin\AppData\Local\Temp\ORDERSCHEDULING.exe"
    - Accesses Microsoft Outlook profiles
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 706B
  MD5: 2ef5ef69dadb8865b3d5b58c956077b8
  SHA1: af2d869bac00685c745652bbd8b3fe82829a8998
  SHA256: 363502eb2a4e53ba02d2d85412b901fcf8e06de221736bdffa949799ef3d21e3
  SHA512: 66d4db5dd17d88e1d54ea0df3a7211a503dc4355de701259cefccc9f2e4e3ced9534b700099ffbb089a5a3acb082011c80b61801aa14aff76b379ce8f90d4fd3