Analysis
max time kernel: 117s
max time network: 124s
platform: windows7_x64
resource: win7-20240704-en
resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
submitted: 28-09-2024 13:56
Static task: static1
Behavioral task: behavioral1
  Sample: NewOrder.rtf
  Resource: win7-20240704-en
Behavioral task: behavioral2
  Sample: NewOrder.rtf
  Resource: win10v2004-20240802-en
General
Target: NewOrder.rtf
Size: 639KB
MD5: 8e6d90f75e321a2a164fcb417dfce456
SHA1: a5210f5280396d3fe9b98262c00b94c5b111d2a6
SHA256: fcde1a9f1b5ebaaca80704a3b8b1de31bcea199cb1e935748c5e87a7264cd948
SHA512: b9b998b02847442a92c48ae0c066f74ca472a67cfa44e554d587bef883eb4466d6818c6020f98731f9c0db0160927bbd2a70d23ee5411c4b2b8674fb3c2e6308
SSDEEP: 3072:OwAlawAlnoAzG9swFSQjkbYArXuFHkcDtQX4I8f1/:OwAYwAuAzwPSQjkbYA6F5tQX4I8f1/
Malware Config
Extracted
snakekeylogger
https://api.telegram.org/bot7013350856:AAEMW-L9OH6xJPBSHadxtnabC3gFbH_e250/sendMessage?chat_id=7239159003
Signatures
- Snake Keylogger
  Keylogger and Infostealer first seen in November 2020.
- Snake Keylogger payload (5 IoCs)
  resource | yara_rule
  behavioral1/memory/2404-30-0x0000000000400000-0x0000000000426000-memory.dmp | family_snakekeylogger
  behavioral1/memory/2404-31-0x0000000000400000-0x0000000000426000-memory.dmp | family_snakekeylogger
  behavioral1/memory/2404-28-0x0000000000400000-0x0000000000426000-memory.dmp | family_snakekeylogger
  behavioral1/memory/2404-25-0x0000000000400000-0x0000000000426000-memory.dmp | family_snakekeylogger
  behavioral1/memory/2404-23-0x0000000000400000-0x0000000000426000-memory.dmp | family_snakekeylogger
- Blocklisted process makes network request (1 IoC)
  flow | pid | Process
  3 | 2424 | EQNEDT32.EXE
- Command and Scripting Interpreter: PowerShell (1 TTP, 1 IoC)
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  pid | Process
  1848 | powershell.exe
- Downloads MZ/PE file
- Executes dropped EXE (2 IoCs)
  pid | Process
  2712 | catgacy20306.exe
  2404 | catgacy20306.exe
- Loads dropped DLL (1 IoC)
  pid | Process
  2424 | EQNEDT32.EXE
- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk where infostealers will often target it.
- Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
  description | ioc | Process
  Key opened | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | catgacy20306.exe
  Key opened | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | catgacy20306.exe
  Key opened | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | catgacy20306.exe
- Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow | ioc
  5 | checkip.dyndns.org
- Drops file in System32 directory (1 IoC)
  description | ioc | Process
  File opened for modification | C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | powershell.exe
- Suspicious use of SetThreadContext (1 IoC)
  description | pid | Process | procid_target
  PID 2712 set thread context of 2404 | 2712 | catgacy20306.exe | 36
- Drops file in Windows directory (1 IoC)
  description | ioc | Process
  File opened for modification | C:\Windows\Debug\WIA\wiatrace.log | WINWORD.EXE
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 5 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WINWORD.EXE
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | EQNEDT32.EXE
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | catgacy20306.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | catgacy20306.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | powershell.exe
- Office loads VBA resources, possible macro or embedded object present
- Launches Equation Editor (1 TTP, 1 IoC)
  Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
  pid | Process
  2424 | EQNEDT32.EXE
- Suspicious behavior: AddClipboardFormatListener (1 IoC)
  pid | Process
  2516 | WINWORD.EXE
- Suspicious behavior: EnumeratesProcesses (3 IoCs)
  pid | Process
  2404 | catgacy20306.exe
  1848 | powershell.exe
  2404 | catgacy20306.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 2404 | catgacy20306.exe
  Token: SeDebugPrivilege | 1848 | powershell.exe
- Suspicious use of SetWindowsHookEx (2 IoCs)
  pid | Process
  2516 | WINWORD.EXE
  2516 | WINWORD.EXE
- Suspicious use of WriteProcessMemory (21 IoCs)
  description | pid | Process | procid_target | occurrences
  PID 2424 wrote to memory of 2712 | 2424 | EQNEDT32.EXE | 32 | 4
  PID 2516 wrote to memory of 2472 | 2516 | WINWORD.EXE | 34 | 4
  PID 2712 wrote to memory of 1848 | 2712 | catgacy20306.exe | 35 | 4
  PID 2712 wrote to memory of 2404 | 2712 | catgacy20306.exe | 36 | 9
- outlook_office_path (1 IoC)
  description | ioc | Process
  Key opened | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | catgacy20306.exe
- outlook_win_path (1 IoC)
  description | ioc | Process
  Key opened | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | catgacy20306.exe
Processes
- C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
  Command line: "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\NewOrder.rtf"
  PID: 2516
  Signatures:
    Drops file in Windows directory
    System Location Discovery: System Language Discovery
    Suspicious behavior: AddClipboardFormatListener
    Suspicious use of SetWindowsHookEx
    Suspicious use of WriteProcessMemory
  - C:\Windows\splwow64.exe (child of PID 2516)
    Command line: C:\Windows\splwow64.exe 12288
    PID: 2472
- C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
  Command line: "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
  PID: 2424
  Signatures:
    Blocklisted process makes network request
    Loads dropped DLL
    System Location Discovery: System Language Discovery
    Launches Equation Editor
    Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\catgacy20306.exe (child of PID 2424)
    Command line: "C:\Users\Admin\AppData\Roaming\catgacy20306.exe"
    PID: 2712
    Signatures:
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (child of PID 2712)
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\catgacy20306.exe"
      PID: 1848
      Signatures:
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
    - C:\Users\Admin\AppData\Roaming\catgacy20306.exe (child of PID 2712)
      Command line: "C:\Users\Admin\AppData\Roaming\catgacy20306.exe"
      PID: 2404
      Signatures:
        Executes dropped EXE
        Accesses Microsoft Outlook profiles
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        outlook_office_path
        outlook_win_path
Network
MITRE ATT&CK Enterprise v15
Execution
  Command and Scripting Interpreter (1)
    PowerShell (1)
  Exploitation for Client Execution (1)
Credential Access
  Credentials from Password Stores (1)
    Credentials from Web Browsers (1)
  Unsecured Credentials (2)
    Credentials In Files (2)
Downloads
- Filesize: 19KB
  MD5: b318dfae5e676158f2b43202719dcf7d
  SHA1: c44b977fd64cd8ef677dd63b474c78d92b6be440
  SHA256: 9d42875e10737bf405031de8d36223e5b739835cc34a738ab94950ff65d9324b
  SHA512: 8520533dad7d53805ddaff12840c271e9e67594427a438ae99f71ea658ad986b5a34d82917546484f4d8de45cbb982fdf3a8e9683a6ad6d5d67793ad4c2fcc32
- Filesize: 511KB
  MD5: c708568841e7426ed728f8300ae36433
  SHA1: 1cfe76e27ec2d8ae98e081e143a7c00f7df025d2
  SHA256: 501b615ea5b0ee2dc69848bb4146067fc94ceab1cf4a36385c35145a4acaa248
  SHA512: 289eae7056addcca0c94041b3ae764d8d3b8e97a801d1818edfe05e38d9f34a45f04696e3d919c832a85f37a8413534fa7a8993d0792ab75e4ebbc34bb389268