Analysis
- max time kernel: 19s
- max time network: 156s
- platform: windows7_x64
- resource: win7-20231215-en
- resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
- submitted: 25-12-2023 05:27
Static task: static1
Behavioral task: behavioral1
- Sample: Order Inquiry.exe
- Resource: win7-20231215-en
Behavioral task: behavioral2
- Sample: Order Inquiry.exe
- Resource: win10v2004-20231215-en
General
- Target: Order Inquiry.exe
- Size: 772KB
- MD5: cc5eb59cb99d6c5ff4f8dbb39c3ac85a
- SHA1: db3637757ec6398f74911598b78fb67779cfa881
- SHA256: a7861637b7c5aca5ec97ec9b14ff793aa6e227f0c7af740350d9134225bd3c2c
- SHA512: 3e9b508b5bc593df4b1ac2151d4142905f260336342579d3fe1eda96390b8752b863557a2dd4d0ab0f918a4417579d06e181d499aa47545cab119483babf6ce2
- SSDEEP: 12288:RJpHCmbiNIwPfWeBpD1tM2MH6YZLuKw3WDJV733EgpAcLxzbHpGFo:tCFPNpD1tM2MTZLE6I
Malware Config
Signatures
- Snake Keylogger
  Keylogger and Infostealer first seen in November 2020.
- Snake Keylogger payload (6 IoCs)
  All six YARA hits are on memory dumps of the same region of PID 2712 (RegAsm.exe), taken at different points in the run:
  resource | yara_rule
  behavioral1/memory/2712-23-0x0000000000090000-0x00000000000B6000-memory.dmp | family_snakekeylogger
  behavioral1/memory/2712-20-0x0000000000090000-0x00000000000B6000-memory.dmp | family_snakekeylogger
  behavioral1/memory/2712-16-0x0000000000090000-0x00000000000B6000-memory.dmp | family_snakekeylogger
  behavioral1/memory/2712-14-0x0000000000090000-0x00000000000B6000-memory.dmp | family_snakekeylogger
  behavioral1/memory/2712-9-0x0000000000090000-0x00000000000B6000-memory.dmp | family_snakekeylogger
  behavioral1/memory/2712-10-0x0000000000090000-0x00000000000B6000-memory.dmp | family_snakekeylogger
- Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow | ioc
  2 | checkip.dyndns.org
- Suspicious use of SetThreadContext (1 IoC)
  description | pid | process | target process
  PID 2036 set thread context of 2712 | 2036 | Order Inquiry.exe | RegAsm.exe
  Taken together with the WriteProcessMemory events below (same parent, same child), this is the process-hollowing sequence: the loader writes its payload into a freshly started RegAsm.exe and then redirects that process's thread to it, so the Snake Keylogger code runs under a signed Microsoft .NET binary rather than under Order Inquiry.exe.
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  pid | process
  2712 | RegAsm.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  description | pid | process
  Token: SeDebugPrivilege | 2712 | RegAsm.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  description | pid | process | target process
  PID 2036 wrote to memory of 2712 | 2036 | Order Inquiry.exe | RegAsm.exe
  (the row above is recorded 12 times: 12 separate writes from PID 2036 into PID 2712, identical as rendered)
Processes
- C:\Users\Admin\AppData\Local\Temp\Order Inquiry.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\Order Inquiry.exe"
  PID: 2036
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe (child of PID 2036)
    command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    PID: 2712
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
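The signature rows above (SetThreadContext and WriteProcessMemory from PID 2036 into PID 2712) are what makes this report a process-hollowing case rather than a plain RegAsm.exe launch. The following is an added example, not code from tria.ge or from the Snake Keylogger sample: it parses rows in the report's own "description pid process target process" layout and flags any parent that both wrote into a child and replaced that child's thread context. The rows are copied from this page plus one constructed control row; the list of .NET host binaries is an illustrative assumption, not something the report states.

```python
"""Added example (not tria.ge or Snake Keylogger code): parse the "Processes"
rows of this report and flag WriteProcessMemory + SetThreadContext from one
process into another, the sequence that marks the hollowing of RegAsm.exe."""
import re
from collections import defaultdict

# Rows copied from this report's SetThreadContext and WriteProcessMemory tables,
# plus one constructed control row (a lone write, which must not be flagged).
REPORT_ROWS = (
    ["PID 2036 set thread context of 2712 2036 Order Inquiry.exe RegAsm.exe"]
    + ["PID 2036 wrote to memory of 2712 2036 Order Inquiry.exe RegAsm.exe"] * 12
    + ["PID 4100 wrote to memory of 4200 4100 debugger.exe notepad.exe"]  # constructed
)

# Column layout of a row: "<description> <pid> <process> <target process>",
# where the description itself starts with the same pid.
ROW_RE = re.compile(
    r"^PID (?P<pid>\d+) (?P<verb>wrote to memory of|set thread context of) "
    r"(?P<target>\d+) (?P=pid) (?P<src>.+?\.exe) (?P<dst>.+\.exe)$"
)

# .NET Framework utilities that loaders commonly hollow: signed, under
# C:\Windows, and idle when started without arguments. Assumption: this list
# is illustrative and not taken from the report.
DOTNET_HOSTS = {"regasm.exe", "regsvcs.exe", "installutil.exe", "msbuild.exe"}


def parse_rows(rows):
    """Return (pid, process, target_pid, target_process, api) tuples."""
    events = []
    for row in rows:
        m = ROW_RE.match(row)
        if m is None:
            continue  # unrecognised row layout: skip rather than guess
        api = "SetThreadContext" if m["verb"].startswith("set thread") else "WriteProcessMemory"
        events.append((int(m["pid"]), m["src"], int(m["target"]), m["dst"], api))
    return events


def find_hollowing(events):
    """Group events by (injector pid, target pid) and report every pair where
    the injector both wrote into the target and set one of its thread contexts."""
    per_pair = defaultdict(lambda: {"apis": set(), "writes": 0, "names": None})
    for pid, src, tpid, dst, api in events:
        rec = per_pair[(pid, tpid)]
        rec["apis"].add(api)
        if api == "WriteProcessMemory":
            rec["writes"] += 1
        rec["names"] = (src, dst)
    hits = []
    for (pid, tpid), rec in per_pair.items():
        if pid != tpid and {"WriteProcessMemory", "SetThreadContext"} <= rec["apis"]:
            src, dst = rec["names"]
            hits.append({
                "pid": pid, "process": src, "target_pid": tpid, "target": dst,
                "writes": rec["writes"],
                "dotnet_host": dst.lower() in DOTNET_HOSTS,
            })
    return hits


if __name__ == "__main__":
    for h in find_hollowing(parse_rows(REPORT_ROWS)):
        print(f"{h['process']} (PID {h['pid']}) hollowed {h['target']} "
              f"(PID {h['target_pid']}): {h['writes']} writes, "
              f".NET host={h['dotnet_host']}")
```

Run against this report the script yields exactly one hit, Order Inquiry.exe (2036) into RegAsm.exe (2712) with 12 writes, and the control row is ignored because a single cross-process write without a thread-context change is also what debuggers do. The same grouping logic carries over to EDR or ETW API telemetry, where the equivalent signal is a cross-process write followed by SetThreadContext on a child the parent created suspended; the memory-dump YARA hits on PID 2712 in this report are the confirmation that the written payload is the Snake Keylogger family.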