Analysis
- max time kernel: 118s
- max time network: 118s
- platform: windows7_x64
- resource: win7-20231130-en
- resource tags: arch:x64, arch:x86, image:win7-20231130-en, locale:en-us, os:windows7-x64, system
- submitted: 05-12-2023 08:18
Static task: static1
Behavioral task: behavioral1
- Sample: IV2312-001 ORDER.exe
- Resource: win7-20231130-en
Behavioral task: behavioral2
- Sample: IV2312-001 ORDER.exe
- Resource: win10v2004-20231130-en
The signatures, process tree and files shown below all come from behavioral1 (the Windows 7 run); results from the Windows 10 run are not on this page.
General
- Target: IV2312-001 ORDER.exe
- Size: 792KB
- MD5: bc79982caee7c5098059a43222a7f0cf
- SHA1: 2657aa5f642e8c261f457c9e1684c5b37b7dc6a1
- SHA256: 8c9a4a7a2805ac96e157dc3681cc0a382f27878a3835ff4db8070b72d75062a5
- SHA512: 396e633a36e6693aecd0ea99d194acf6854dc7a96a9661ca6c201b88d464b6a4da652c34822e0f7cb43e6255d776841aa7386cdfc154fdc41bf08e4995eaafec
- SSDEEP: 12288:72BKE6jD/62iNG5nF88+ziZqkuesCpt/BEGftxcmdA5CAsNb1A3cM:7EKtD/61IqeGVCphBpl7Am1Ax
Malware Config
Signatures
- Snake Keylogger
  Keylogger and Infostealer first seen in November 2020.
- Snake Keylogger payload (6 IoCs)
  YARA rule family_snakekeylogger matched six memory dumps, all taken from PID 2468 (RegSvcs.exe): five of the region 0x00400000-0x00426000 (the default 32-bit image base, where the injected payload replaced the host image) and one of a second region at 0x04C30000-0x04C70000.
  - behavioral1/memory/2468-30-0x0000000000400000-0x0000000000426000-memory.dmp
  - behavioral1/memory/2468-34-0x0000000000400000-0x0000000000426000-memory.dmp
  - behavioral1/memory/2468-38-0x0000000000400000-0x0000000000426000-memory.dmp
  - behavioral1/memory/2468-42-0x0000000000400000-0x0000000000426000-memory.dmp
  - behavioral1/memory/2468-40-0x0000000000400000-0x0000000000426000-memory.dmp
  - behavioral1/memory/2468-49-0x0000000004C30000-0x0000000004C70000-memory.dmp
- Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  - flow 2: checkip.dyndns.org
- Suspicious use of SetThreadContext (1 IoC)
  - PID 1864 (IV2312-001 ORDER.exe) set the thread context of PID 2468 (RegSvcs.exe)
  Read together with the WriteProcessMemory calls into PID 2468 below and the family YARA hits in that process's memory, this is the parent injecting its payload into a freshly started RegSvcs.exe and redirecting the host's thread to it (process hollowing).
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Program crash (1 IoC)
  - PID 1264 WerFault.exe, reporting a crash of PID 2468 (RegSvcs.exe)
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses (7 IoCs)
  - 1864 IV2312-001 ORDER.exe (4 events)
  - 1216 powershell.exe
  - 2104 powershell.exe
  - 2468 RegSvcs.exe
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  Each of these enabled SeDebugPrivilege in its own token:
  - 1864 IV2312-001 ORDER.exe
  - 1216 powershell.exe
  - 2104 powershell.exe
  - 2468 RegSvcs.exe
- Suspicious use of WriteProcessMemory (35 IoCs)
  Cross-process writes, grouped by source and target, with the number of recorded calls:
  - 1864 IV2312-001 ORDER.exe -> 2104 powershell.exe (4)
  - 1864 IV2312-001 ORDER.exe -> 1216 powershell.exe (4)
  - 1864 IV2312-001 ORDER.exe -> 2736 schtasks.exe (4)
  - 1864 IV2312-001 ORDER.exe -> 2708 RegSvcs.exe (7)
  - 1864 IV2312-001 ORDER.exe -> 2468 RegSvcs.exe (12)
  - 2468 RegSvcs.exe -> 1264 WerFault.exe (4)
  The four writes into each PowerShell and schtasks child are the baseline the sandbox records for any process creation (the parent writes the new process's parameters into its address space); the seven and twelve writes into the two RegSvcs.exe instances are the payload going in on top of that. PID 2708 was written to but never received a SetThreadContext call and shows no further activity; PID 2468 received both, ran the payload, and later crashed.
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\IV2312-001 ORDER.exe (PID 1864)
  command line: "C:\Users\Admin\AppData\Local\Temp\IV2312-001 ORDER.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - [2] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 2104)
    command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\IV2312-001 ORDER.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - [2] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 1216)
    command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\SlYimHChjIe.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - [2] C:\Windows\SysWOW64\schtasks.exe (PID 2736)
    command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\SlYimHChjIe" /XML "C:\Users\Admin\AppData\Local\Temp\tmp57C1.tmp"
    - Creates scheduled task(s)
  - [2] C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe (PID 2708)
    command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
    (no signatures recorded for this instance)
  - [2] C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe (PID 2468)
    command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\WerFault.exe (PID 1264)
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2468 -s 936
      - Program crash
Three points to read off this tree. The command lines name System32 but the images resolve to SysWOW64, which is WoW64 file-system redirection, so the sample is a 32-bit process (consistent with the 0x00400000 image base in the memory dumps). The two PowerShell children exclude both the running sample and C:\Users\Admin\AppData\Roaming\SlYimHChjIe.exe from Windows Defender scanning, and the scheduled task Updates\SlYimHChjIe, defined by a temporary XML file that is not among the files listed below, carries the same name: that path is the intended location of the persistent copy (the copy itself is not listed below either). Finally, both RegSvcs.exe instances run with no arguments; RegSvcs.exe normally takes an assembly to register, so an argument-less RegSvcs.exe started by a process under %LOCALAPPDATA%\Temp is a usable hunting query on its own.
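The three behaviours above (Defender exclusions added through PowerShell, a scheduled task created from an XML file in a temp directory, and a .NET utility host written to and re-pointed by its parent) can be turned into detection rules over endpoint process telemetry. The script below is an added example, not Triage's code and not anything from the sample: it runs those rules over process records constructed from this report's Processes and Signatures sections. The record layout (pid, ppid, image, command line, plus a separate list of cross-process API calls) is an assumption, as are the list of user-writable roots and the .NET host names beyond RegSvcs.exe (RegAsm.exe, InstallUtil.exe and MSBuild.exe are added as a generalisation to other commonly hollowed hosts).

```python
"""Added example (not Triage's code, not the sample's): detection rules run over
process records constructed from this report's Processes and Signatures sections.
The record layout is an assumption; the PIDs, paths and command lines are the report's."""
from __future__ import annotations
import re
from collections import defaultdict

# (pid, ppid, image, command line); ppid 0 marks the submitted sample.
PROCS = [
    (1864, 0, r"C:\Users\Admin\AppData\Local\Temp\IV2312-001 ORDER.exe",
     r'"C:\Users\Admin\AppData\Local\Temp\IV2312-001 ORDER.exe"'),
    (2104, 1864, r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference '
     r'-ExclusionPath "C:\Users\Admin\AppData\Local\Temp\IV2312-001 ORDER.exe"'),
    (1216, 1864, r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference '
     r'-ExclusionPath "C:\Users\Admin\AppData\Roaming\SlYimHChjIe.exe"'),
    (2736, 1864, r"C:\Windows\SysWOW64\schtasks.exe",
     r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\SlYimHChjIe" '
     r'/XML "C:\Users\Admin\AppData\Local\Temp\tmp57C1.tmp"'),
    (2708, 1864, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
     r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"'),
    (2468, 1864, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
     r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"'),
    (1264, 2468, r"C:\Windows\SysWOW64\WerFault.exe",
     r"C:\Windows\SysWOW64\WerFault.exe -u -p 2468 -s 936"),
]
# Cross-process calls from the Signatures section as (api, source pid, target pid);
# repeated writes into one target are collapsed to a single entry.
API_CALLS = [
    ("WriteProcessMemory", 1864, 2104), ("WriteProcessMemory", 1864, 1216),
    ("WriteProcessMemory", 1864, 2736), ("WriteProcessMemory", 1864, 2708),
    ("WriteProcessMemory", 1864, 2468), ("WriteProcessMemory", 2468, 1264),
    ("SetThreadContext", 1864, 2468),
]
# Assumptions: user-writable roots, and signed .NET utilities commonly used as
# hollowing hosts (RegSvcs.exe is the one in this report; the rest generalise).
USER_WRITABLE = re.compile(
    r"^[a-z]:\\(users\\[^\\]+\\appdata|users\\public|programdata|windows\\temp)\\", re.I)
DOTNET_HOSTS = {"regsvcs.exe", "regasm.exe", "installutil.exe", "msbuild.exe"}

def argv(cmdline: str) -> list[str]:
    """Tokenise a Windows command line, stripping surrounding double quotes."""
    return [q or bare for q, bare in re.findall(r'"([^"]*)"|(\S+)', cmdline)]

def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()

def defender_exclusions(procs) -> list[tuple[int, str, str]]:
    """PowerShell children calling Add-MpPreference with any -Exclusion* parameter."""
    hits = []
    for pid, _, image, cmd in procs:
        args = argv(cmd)
        low = [a.lower() for a in args]
        if basename(image) in ("powershell.exe", "pwsh.exe") and "add-mppreference" in low:
            hits += [(pid, args[i], args[i + 1]) for i, a in enumerate(low[:-1])
                     if a.startswith("-exclusion")]
    return hits

def temp_xml_tasks(procs) -> list[tuple[int, str | None, str]]:
    """schtasks /Create whose /XML task definition is read from a user-writable path."""
    hits = []
    for pid, _, image, cmd in procs:
        args = argv(cmd)
        low = [a.lower() for a in args]
        if basename(image) != "schtasks.exe" or "/create" not in low:
            continue
        opts = {low[i]: args[i + 1] for i in range(len(args) - 1) if low[i] in ("/tn", "/xml")}
        if "/xml" in opts and USER_WRITABLE.match(opts["/xml"]):
            hits.append((pid, opts.get("/tn"), opts["/xml"]))
    return hits

def hollowed_dotnet_hosts(procs, api_calls) -> list[tuple[int, int, str]]:
    """.NET hosts that one parent in a user-writable path both wrote to and re-pointed
    with SetThreadContext. Writes alone are noise: a parent writes the new process's
    parameters into every child it creates (the PowerShell and schtasks children above
    show writes too), so the thread-context call is the discriminator."""
    by_pid = {p[0]: p for p in procs}
    written, retargeted = defaultdict(set), defaultdict(set)
    for api, src, dst in api_calls:
        if api == "WriteProcessMemory":
            written[dst].add(src)
        elif api == "SetThreadContext":
            retargeted[dst].add(src)
    hits = []
    for dst, writers in written.items():
        for src in writers & retargeted[dst]:
            child, parent = by_pid.get(dst), by_pid.get(src)
            if child and parent and basename(child[2]) in DOTNET_HOSTS \
                    and USER_WRITABLE.match(parent[2]):
                hits.append((src, dst, basename(child[2])))
    return sorted(hits)

def argless_dotnet_hosts(procs) -> list[tuple[int, int]]:
    """Looser rule: a .NET utility started with no arguments by a user-writable parent.
    RegSvcs.exe normally takes an assembly to register, so an empty command line is
    abnormal by itself; this also catches PID 2708, written to but never re-pointed."""
    by_pid = {p[0]: p for p in procs}
    return [(pid, ppid) for pid, ppid, image, cmd in procs
            if basename(image) in DOTNET_HOSTS and len(argv(cmd)) == 1
            and ppid in by_pid and USER_WRITABLE.match(by_pid[ppid][2])]

if __name__ == "__main__":
    for rule in (defender_exclusions, temp_xml_tasks, argless_dotnet_hosts):
        print(rule.__name__, rule(PROCS))
    print("hollowed_dotnet_hosts", hollowed_dotnet_hosts(PROCS, API_CALLS))
```

Run against the records above, the strict hollowing rule reports only PID 2468, the instance the sandbox's YARA hits and crash report point at, while the argument-less rule reports both RegSvcs.exe instances; on real telemetry the second rule is the cheaper hunt because it needs only process-creation events, and the first needs API-level visibility such as a sandbox or an EDR that records SetThreadContext.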
Network
MITRE ATT&CK Enterprise v15
Downloads
- (no path shown for this entry)
  Filesize: 1KB
  MD5: c9e239f58a53a11f51ccf66aa44c5d6d
  SHA1: d3e2c676dfb14658ee15995bfb73fa1e61721c48
  SHA256: ec1965161d6a54f58c1dd92b4d612dac8c55edaa32c819ef358f81f4a450ba09
  SHA512: 0640497e310c0e366a96e4d815b0f9333ee4042f45c3fbd06cf51c341075672012e6ab4afeb073dfb891113c569aace0fbbfe4604d280b6ff150cc74a5fa4072
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\L8RFNEBKXFBG925TTP4D.temp
  Filesize: 7KB
  MD5: 9129e43494931af8479ce0b5db6378af
  SHA1: 89f7cef66765a3abafe14e4452dc53ff4fb5fd19
  SHA256: 548385bdfd0d734c4bc06ef92e958d5018881ef0c5ab19e0d55f24ba88dc8bb8
  SHA512: b93fd3dfd1ee4d845240b0680b2ecc0eaebf903660da2ac2a881ff3e3a47785cec45b82e32bf415ac4e6563b77079ce4208c4d71136019e67b2baf69d849f6aa
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
  Filesize: 7KB
  MD5: 9129e43494931af8479ce0b5db6378af
  SHA1: 89f7cef66765a3abafe14e4452dc53ff4fb5fd19
  SHA256: 548385bdfd0d734c4bc06ef92e958d5018881ef0c5ab19e0d55f24ba88dc8bb8
  SHA512: b93fd3dfd1ee4d845240b0680b2ecc0eaebf903660da2ac2a881ff3e3a47785cec45b82e32bf415ac4e6563b77079ce4208c4d71136019e67b2baf69d849f6aa
  The last two entries are byte-identical (same hashes) jump-list files from the Recent\CustomDestinations folder, written as a side effect of activity in the sandbox; treat them as artifacts of the run rather than as dropped payloads.