Analysis
-
max time kernel
142s -
max time network
159s -
platform
windows10-2004_x64 -
resource
win10v2004-20231215-en -
resource tags
arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system -
submitted
19-12-2023 15:10
Static task
static1
Behavioral task
behavioral1
Sample
Voyage Orders.exe
Resource
win7-20231215-en
Behavioral task
behavioral2
Sample
Voyage Orders.exe
Resource
win10v2004-20231215-en
General
-
Target
Voyage Orders.exe
-
Size
489KB
-
MD5
73d48d44751c6d0241ac26c1123822be
-
SHA1
d794d3df6027c438f86c3418216ff9e18f32c5b8
-
SHA256
0dd188237a562417f239ff9be662f9336ec77a0906af62c26516a8e6f767f9f5
-
SHA512
5bc2e07fa120e4392d08f5930d82e0849555522338b625ae247fde4c913528e41421b387b00a6a3741556b97bbabb45bb296fd702422da44af9ede5048d8adbe
-
SSDEEP
12288:yrpviYJS8EtOcpAT35CPA7kyig/jZnP55oM:yrpasS8qOcCCPA7kyigLN0M
Malware Config
Signatures
-
Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
-
Snake Keylogger payload 2 IoCs
Processes:
resource yara_rule behavioral2/memory/2020-12-0x0000000000350000-0x0000000000376000-memory.dmp family_snakekeylogger behavioral2/memory/2020-13-0x0000000004EE0000-0x0000000004EF0000-memory.dmp family_snakekeylogger -
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
Processes:
RegAsm.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 RegAsm.exe Key opened \REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 RegAsm.exe Key opened \REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 RegAsm.exe -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 33 checkip.dyndns.org -
Suspicious use of SetThreadContext 1 IoCs
Processes:
Voyage Orders.exedescription pid process target process PID 4984 set thread context of 2020 4984 Voyage Orders.exe RegAsm.exe -
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target process target process 3780 2020 WerFault.exe RegAsm.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
RegAsm.exepid process 2020 RegAsm.exe 2020 RegAsm.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
RegAsm.exedescription pid process Token: SeDebugPrivilege 2020 RegAsm.exe -
Suspicious use of WriteProcessMemory 8 IoCs
Processes:
Voyage Orders.exedescription pid process target process PID 4984 wrote to memory of 2020 4984 Voyage Orders.exe RegAsm.exe PID 4984 wrote to memory of 2020 4984 Voyage Orders.exe RegAsm.exe PID 4984 wrote to memory of 2020 4984 Voyage Orders.exe RegAsm.exe PID 4984 wrote to memory of 2020 4984 Voyage Orders.exe RegAsm.exe PID 4984 wrote to memory of 2020 4984 Voyage Orders.exe RegAsm.exe PID 4984 wrote to memory of 2020 4984 Voyage Orders.exe RegAsm.exe PID 4984 wrote to memory of 2020 4984 Voyage Orders.exe RegAsm.exe PID 4984 wrote to memory of 2020 4984 Voyage Orders.exe RegAsm.exe -
outlook_office_path 1 IoCs
Processes:
RegAsm.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 RegAsm.exe -
outlook_win_path 1 IoCs
Processes:
RegAsm.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 RegAsm.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\Voyage Orders.exe"C:\Users\Admin\AppData\Local\Temp\Voyage Orders.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4984 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"2⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:2020 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2020 -s 21523⤵
- Program crash
PID:3780
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 2020 -ip 20201⤵PID:4380