Analysis
- max time kernel: 99s
- max time network: 151s
- platform: windows7_x64
- resource: win7-20230220-en
- resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
- submitted: 05/05/2023, 20:53
Static task: static1
Behavioral task: behavioral1
- Sample: ORDERSPEC.exe
- Resource: win7-20230220-en
Behavioral task: behavioral2
- Sample: ORDERSPEC.exe
- Resource: win10v2004-20230220-en
General
- Target: ORDERSPEC.exe
- Size: 450KB
- MD5: 23d7b4e9cd3e1842f35072cca46c708a
- SHA1: 799961dfabbba4d497ae7301d1be662fd7c25a7e
- SHA256: 60b06bd0dd5264f7c1b412db30e107a68c4cada78694a162d8eb707e75341811
- SHA512: a2f7aee285024cf838db0131bf51de344ffa18fe3229a2eb0fb0756a039a50129fd8441844c3351d45ef184e46a794964df2dcb3724ef2a060112c6ff9a1b00e
- SSDEEP: 6144:5vfzODVSkuc7dxJ0xGtKfxKKjDrZ37mJZg/YmZJbDHZ5cNeUW7+7N:5KDVkEyxrxKKjDNC/g/YQFdni
Malware Config
Extracted: snakekeylogger
- Protocol: smtp
- Host: 181.214.31.78
- Port: 587
- Username: [email protected]
- Password: jollyaya143
Signatures

- Snake Keylogger
  Keylogger and Infostealer first seen in November 2020.

- Snake Keylogger payload (6 IoCs)
  resource (yara_rule):
  - behavioral1/memory/548-67-0x0000000000400000-0x0000000000426000-memory.dmp (family_snakekeylogger)
  - behavioral1/memory/548-66-0x0000000000400000-0x0000000000426000-memory.dmp (family_snakekeylogger)
  - behavioral1/memory/548-69-0x0000000000400000-0x0000000000426000-memory.dmp (family_snakekeylogger)
  - behavioral1/memory/548-71-0x0000000000400000-0x0000000000426000-memory.dmp (family_snakekeylogger)
  - behavioral1/memory/548-73-0x0000000000400000-0x0000000000426000-memory.dmp (family_snakekeylogger)
  - behavioral1/memory/548-82-0x0000000004A20000-0x0000000004A60000-memory.dmp (family_snakekeylogger)

- StormKitty
  StormKitty is an open source info stealer written in C#.

- StormKitty payload (5 IoCs)
  resource (yara_rule):
  - behavioral1/memory/548-67-0x0000000000400000-0x0000000000426000-memory.dmp (family_stormkitty)
  - behavioral1/memory/548-66-0x0000000000400000-0x0000000000426000-memory.dmp (family_stormkitty)
  - behavioral1/memory/548-69-0x0000000000400000-0x0000000000426000-memory.dmp (family_stormkitty)
  - behavioral1/memory/548-71-0x0000000000400000-0x0000000000426000-memory.dmp (family_stormkitty)
  - behavioral1/memory/548-73-0x0000000000400000-0x0000000000426000-memory.dmp (family_stormkitty)

- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

- Accesses Microsoft Outlook profiles (1 TTPs, 3 IoCs)
  description / ioc / Process:
  - Key opened: \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (ORDERSPEC.exe)
  - Key opened: \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (ORDERSPEC.exe)
  - Key opened: \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (ORDERSPEC.exe)

- Looks up external IP address via web service (1 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow / ioc:
  - flow 4: checkip.dyndns.org

- Suspicious use of SetThreadContext (1 IoCs)
  description / pid / Process / procid_target:
  - PID 1252 set thread context of 548 (1252 ORDERSPEC.exe, procid_target 31)

- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

- Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid / Process:
  - 1036 schtasks.exe

- Suspicious behavior: EnumeratesProcesses (3 IoCs)
  pid / Process:
  - 1252 ORDERSPEC.exe
  - 548 ORDERSPEC.exe
  - 548 ORDERSPEC.exe

- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description / pid / Process:
  - Token: SeDebugPrivilege (1252 ORDERSPEC.exe)
  - Token: SeDebugPrivilege (548 ORDERSPEC.exe)

- Suspicious use of SetWindowsHookEx (1 IoCs)
  pid / Process:
  - 548 ORDERSPEC.exe

- Suspicious use of WriteProcessMemory (17 IoCs)
  description / pid / Process / procid_target:
  - PID 1252 wrote to memory of 1036 (1252 ORDERSPEC.exe, procid_target 28), 4 entries
  - PID 1252 wrote to memory of 568 (1252 ORDERSPEC.exe, procid_target 30), 4 entries
  - PID 1252 wrote to memory of 548 (1252 ORDERSPEC.exe, procid_target 31), 9 entries

- outlook_office_path (1 IoCs)
  description / ioc / Process:
  - Key opened: \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (ORDERSPEC.exe)

- outlook_win_path (1 IoCs)
  description / ioc / Process:
  - Key opened: \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (ORDERSPEC.exe)
Processes

- C:\Users\Admin\AppData\Local\Temp\ORDERSPEC.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\ORDERSPEC.exe"
  PID: 1252
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  - C:\Windows\SysWOW64\schtasks.exe (depth 2)
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\nyVastfXt" /XML "C:\Users\Admin\AppData\Local\Temp\tmp99F0.tmp"
    PID: 1036
    - Creates scheduled task(s)

  - C:\Users\Admin\AppData\Local\Temp\ORDERSPEC.exe (depth 2)
    Command line: "{path}"
    PID: 568

  - C:\Users\Admin\AppData\Local\Temp\ORDERSPEC.exe (depth 2)
    Command line: "{path}"
    PID: 548
    - Accesses Microsoft Outlook profiles
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - outlook_office_path
    - outlook_win_path
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 61KB
  MD5: fc4666cbca561e864e7fdf883a9e6661
  SHA1: 2f8d6094c7a34bf12ea0bbf0d51ee9c5bb7939a5
  SHA256: 10f3deb6c452d749a7451b5d065f4c0449737e5ee8a44f4d15844b503141e65b
  SHA512: c71f54b571e01f247f072be4bbebdf5d8410b67eb79a61e7e0d9853fe857ab9bd12f53e6af3394b935560178107291fc4be351b27deb388eba90ba949633d57d

- Filesize: 1KB
  MD5: dca4adc5a8786b851e48830f9f54acf3
  SHA1: 0a19d2a4de0feace81f997532c40ebdea2ac5d00
  SHA256: e141d99d3e956fff2c6c8667ac9e97e08b6ab5f5e6accbf5e0d9a8ba753e2609
  SHA512: 585e77e207c969b5fef0f27d79941206dcf4563a60dd512723e3921026b30514fceadb5faa8eedbaed6f2eaf3b92a4852cd6ad08386ae3b1de9bdbc14a8c5018