Malware Analysis Report

2025-06-16 03:30

Sample ID: 230505-zpk3rsge6v
Target: ORDERSPEC.exe.bin
SHA256: 60b06bd0dd5264f7c1b412db30e107a68c4cada78694a162d8eb707e75341811
Tags: snakekeylogger stormkitty collection keylogger spyware stealer
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V6
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10

SHA256: 60b06bd0dd5264f7c1b412db30e107a68c4cada78694a162d8eb707e75341811

Threat Level: Known bad

The file ORDERSPEC.exe.bin was found to be: Known bad.

Malicious Activity Summary

Tags: snakekeylogger stormkitty collection keylogger spyware stealer

StormKitty
Snake Keylogger payload
Snake Keylogger
StormKitty payload
Reads user/profile data of web browsers
Checks computer location settings
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Suspicious use of SetThreadContext
Enumerates physical storage devices
Unsigned PE
outlook_office_path
outlook_win_path
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Creates scheduled task(s)
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2023-05-05 20:53

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2023-05-05 20:53
Reported: 2023-05-05 23:06
Platform: win7-20230220-en
Max time kernel: 99s
Max time network: 151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ORDERSPEC.exe"

Signatures

Snake Keylogger

stealer keylogger snakekeylogger

Snake Keylogger payload

Description | Indicator | Process | Target | Count
N/A | N/A | N/A | N/A | 6 identical rows

StormKitty

stealer stormkitty

StormKitty payload

Description | Indicator | Process | Target | Count
N/A | N/A | N/A | N/A | 5 identical rows

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection

Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\ORDERSPEC.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\ORDERSPEC.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\ORDERSPEC.exe | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | checkip.dyndns.org | N/A | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 1252 set thread context of 548 | N/A | C:\Users\Admin\AppData\Local\Temp\ORDERSPEC.exe | C:\Users\Admin\AppData\Local\Temp\ORDERSPEC.exe

Enumerates physical storage devices

Creates scheduled task(s)

persistence

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target | Count
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ORDERSPEC.exe | N/A | 3 identical rows

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target | Count
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\ORDERSPEC.exe | N/A | 2 identical rows

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ORDERSPEC.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target | Count
PID 1252 wrote to memory of 1036 | N/A | C:\Users\Admin\AppData\Local\Temp\ORDERSPEC.exe | C:\Windows\SysWOW64\schtasks.exe | 4 identical rows
PID 1252 wrote to memory of 568 | N/A | C:\Users\Admin\AppData\Local\Temp\ORDERSPEC.exe | C:\Users\Admin\AppData\Local\Temp\ORDERSPEC.exe | 4 identical rows
PID 1252 wrote to memory of 548 | N/A | C:\Users\Admin\AppData\Local\Temp\ORDERSPEC.exe | C:\Users\Admin\AppData\Local\Temp\ORDERSPEC.exe | 9 identical rows

outlook_office_path

Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\ORDERSPEC.exe | N/A

outlook_win_path

Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\ORDERSPEC.exe | N/A

Processes

Each process image is listed with its command line indented beneath it.

C:\Users\Admin\AppData\Local\Temp\ORDERSPEC.exe
  "C:\Users\Admin\AppData\Local\Temp\ORDERSPEC.exe"
C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\nyVastfXt" /XML "C:\Users\Admin\AppData\Local\Temp\tmp99F0.tmp"
C:\Users\Admin\AppData\Local\Temp\ORDERSPEC.exe
  "{path}"
C:\Users\Admin\AppData\Local\Temp\ORDERSPEC.exe
  "{path}"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | checkip.dyndns.org | udp
US | 193.122.130.0:80 | checkip.dyndns.org | tcp
US | 181.214.31.78:587 | N/A | tcp

Files

Memory dumps (PID 1252):
memory/1252-54-0x00000000002E0000-0x0000000000356000-memory.dmp
memory/1252-55-0x0000000004D10000-0x0000000004D50000-memory.dmp
memory/1252-56-0x0000000000600000-0x000000000060C000-memory.dmp
memory/1252-57-0x000000007EF40000-0x000000007EF50000-memory.dmp
memory/1252-58-0x0000000004D10000-0x0000000004D50000-memory.dmp
memory/1252-59-0x0000000005C60000-0x0000000005CD6000-memory.dmp
memory/1252-60-0x0000000002200000-0x0000000002226000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp99F0.tmp
MD5 dca4adc5a8786b851e48830f9f54acf3
SHA1 0a19d2a4de0feace81f997532c40ebdea2ac5d00
SHA256 e141d99d3e956fff2c6c8667ac9e97e08b6ab5f5e6accbf5e0d9a8ba753e2609
SHA512 585e77e207c969b5fef0f27d79941206dcf4563a60dd512723e3921026b30514fceadb5faa8eedbaed6f2eaf3b92a4852cd6ad08386ae3b1de9bdbc14a8c5018

Memory dumps (PID 548):
memory/548-64-0x0000000000400000-0x0000000000426000-memory.dmp
memory/548-65-0x0000000000400000-0x0000000000426000-memory.dmp
memory/548-67-0x0000000000400000-0x0000000000426000-memory.dmp
memory/548-66-0x0000000000400000-0x0000000000426000-memory.dmp
memory/548-68-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/548-69-0x0000000000400000-0x0000000000426000-memory.dmp
memory/548-71-0x0000000000400000-0x0000000000426000-memory.dmp
memory/548-73-0x0000000000400000-0x0000000000426000-memory.dmp
memory/548-74-0x0000000004A20000-0x0000000004A60000-memory.dmp
memory/548-82-0x0000000004A20000-0x0000000004A60000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Cab148D.tmp
MD5 fc4666cbca561e864e7fdf883a9e6661
SHA1 2f8d6094c7a34bf12ea0bbf0d51ee9c5bb7939a5
SHA256 10f3deb6c452d749a7451b5d065f4c0449737e5ee8a44f4d15844b503141e65b
SHA512 c71f54b571e01f247f072be4bbebdf5d8410b67eb79a61e7e0d9853fe857ab9bd12f53e6af3394b935560178107291fc4be351b27deb388eba90ba949633d57d

Analysis: behavioral2

Detonation Overview

Submitted: 2023-05-05 20:53
Reported: 2023-05-05 23:06
Platform: win10v2004-20230220-en
Max time kernel: 162s
Max time network: 169s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ORDERSPEC.exe"

Signatures

Snake Keylogger

stealer keylogger snakekeylogger

Snake Keylogger payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

StormKitty

stealer stormkitty

StormKitty payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\ORDERSPEC.exe | N/A

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection

Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\ORDERSPEC.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\ORDERSPEC.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\ORDERSPEC.exe | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | checkip.dyndns.org | N/A | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 2124 set thread context of 464 | N/A | C:\Users\Admin\AppData\Local\Temp\ORDERSPEC.exe | C:\Users\Admin\AppData\Local\Temp\ORDERSPEC.exe

Enumerates physical storage devices

Creates scheduled task(s)

persistence

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target | Count
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ORDERSPEC.exe | N/A | 3 identical rows

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target | Count
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\ORDERSPEC.exe | N/A | 2 identical rows

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ORDERSPEC.exe | N/A

outlook_office_path

Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\ORDERSPEC.exe | N/A

outlook_win_path

Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\ORDERSPEC.exe | N/A

Processes

Each process image is listed with its command line indented beneath it.

C:\Users\Admin\AppData\Local\Temp\ORDERSPEC.exe
  "C:\Users\Admin\AppData\Local\Temp\ORDERSPEC.exe"
C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\nyVastfXt" /XML "C:\Users\Admin\AppData\Local\Temp\tmp706D.tmp"
C:\Users\Admin\AppData\Local\Temp\ORDERSPEC.exe
  "{path}"

Network

Repeated connections are collapsed into one row with a count; rows are in order of first occurrence.

Country | Destination | Domain | Proto | Count
US | 209.197.3.8:80 | N/A | tcp | 8
US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp | 1
US | 52.152.110.14:443 | N/A | tcp | 7
US | 13.89.178.26:443 | N/A | tcp | 1
US | 117.18.237.29:80 | N/A | tcp | 1
US | 8.8.8.8:53 | 67.31.126.40.in-addr.arpa | udp | 1
NL | 173.223.113.164:443 | N/A | tcp | 1
US | 8.8.8.8:53 | checkip.dyndns.org | udp | 1
US | 193.122.130.0:80 | checkip.dyndns.org | tcp | 1
US | 8.8.8.8:53 | 0.130.122.193.in-addr.arpa | udp | 1
US | 8.8.8.8:53 | 2.77.109.52.in-addr.arpa | udp | 1
US | 181.214.31.78:587 | N/A | tcp | 1
NL | 173.223.113.131:80 | N/A | tcp | 1
US | 204.79.197.203:80 | N/A | tcp | 1
US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp | 1
US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp | 1
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp | 1

Files

Memory dumps (PID 2124):
memory/2124-133-0x00000000008F0000-0x0000000000966000-memory.dmp
memory/2124-134-0x00000000052A0000-0x000000000533C000-memory.dmp
memory/2124-135-0x0000000005930000-0x0000000005ED4000-memory.dmp
memory/2124-136-0x0000000005420000-0x00000000054B2000-memory.dmp
memory/2124-137-0x00000000053D0000-0x00000000053DA000-memory.dmp
memory/2124-138-0x0000000005610000-0x0000000005666000-memory.dmp
memory/2124-139-0x0000000005280000-0x0000000005290000-memory.dmp
memory/2124-140-0x000000007FAE0000-0x000000007FAF0000-memory.dmp
memory/2124-141-0x0000000005280000-0x0000000005290000-memory.dmp
memory/2124-142-0x000000007FAE0000-0x000000007FAF0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp706D.tmp
MD5 91180196ae2ba141e5d95ce805ef35e0
SHA1 00890b6d5d0c71c1fd0c843e10b78f70f500e2d8
SHA256 358f35a1f1d413c002d8c975799415dd25af2c8b2437826a2a70d08c1963c83f
SHA512 60ee604f4dde8dde661a935750206523e17b4178eb953d8bd556a404e619c70d91e6165db6c56c5621668e21ba319ea44fa45b5cc13126244dbae338d262c424

Memory dump (PID 464):
memory/464-146-0x0000000000400000-0x0000000000426000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\ORDERSPEC.exe.log
MD5 17573558c4e714f606f997e5157afaac
SHA1 13e16e9415ceef429aaf124139671ebeca09ed23
SHA256 c18db6aecad2436da4a63ff26af4e3a337cca48f01c21b8db494fe5ccc60e553
SHA512 f4edf13f05a0d142e4dd42802098c8c44988ee8869621a62c2b565a77c9a95857f636583ff8d6d9baa366603d98b9bfbf1fc75bc6f9f8f83c80cb1215b2941cc

Memory dumps (PID 464):
memory/464-149-0x0000000005390000-0x00000000053A0000-memory.dmp
memory/464-150-0x0000000005390000-0x00000000053A0000-memory.dmp