Analysis
- max time kernel: 151s
- max time network: 137s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 18-01-2021 07:16

Static task: static1

Behavioral task: behavioral1
- Sample: FedEx 772584418730.doc
- Resource: win7v20201028

Behavioral task: behavioral2
- Sample: FedEx 772584418730.doc
- Resource: win10v20201028

General
- Target: FedEx 772584418730.doc
- Size: 405KB
- MD5: 4bb9d9ebae28b25d4175de0833236f18
- SHA1: bb9301e242fd7bccb4f575b9c68393f464768df0
- SHA256: cf6ff5724ebdc0f3d2e4667c8d82029cfe8c501ea127d44a9f01a767c2831ef2
- SHA512: 0caa3159400850efd33474a49688c24a188effb38175694c1bce104e98d342f40877ff30dda2a4f10cf3d31a924b463f52f6cfc52da4a924ee4b6f147658eb7f
Signatures

- Snake Keylogger
  Keylogger and Infostealer first seen in November 2020.

- Snake Keylogger Payload (2 IoCs)
  resource | yara_rule
  behavioral1/memory/1652-38-0x000000000046364E-mapping.dmp | family_snakekeylogger
  behavioral1/memory/1652-40-0x0000000000090000-0x00000000000F8000-memory.dmp | family_snakekeylogger

- Blocklisted process makes network request (5 IoCs)
  Processes: EQNEDT32.EXE
  flow | pid | process
  7 | 1752 | EQNEDT32.EXE
  9 | 1752 | EQNEDT32.EXE
  10 | 1752 | EQNEDT32.EXE
  12 | 1752 | EQNEDT32.EXE
  14 | 1752 | EQNEDT32.EXE

- Executes dropped EXE (3 IoCs)
  Processes: 69577.exe, jra.exe, InstallUtil.exe
  pid | process
  1944 | 69577.exe
  1188 | jra.exe
  1652 | InstallUtil.exe

- Loads dropped DLL (3 IoCs)
  Processes: EQNEDT32.EXE, 69577.exe, jra.exe
  pid | process
  1752 | EQNEDT32.EXE
  1944 | 69577.exe
  1188 | jra.exe

- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk, where infostealers will often target it.

- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes: reg.exe
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run | reg.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\fxyt = "C:\\Users\\Admin\\jra.exe" | reg.exe

- Looks up external IP address via web service (3 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow | ioc
  15 | checkip.dyndns.org
  18 | freegeoip.app
  19 | freegeoip.app

- Suspicious use of SetThreadContext (1 IoCs)
  Processes: jra.exe
  description | pid | process | target process
  PID 1188 set thread context of 1652 | 1188 | jra.exe | InstallUtil.exe

- Drops file in Windows directory (1 IoCs)
  Processes: WINWORD.EXE
  description | ioc | process
  File opened for modification | C:\Windows\Debug\WIA\wiatrace.log | WINWORD.EXE

- Office loads VBA resources, possible macro or embedded object present

- Launches Equation Editor (1 TTPs, 1 IoCs)
  Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

- Modifies Internet Explorer settings
  Processes: WINWORD.EXE
  description | ioc | process
  Set value (int) | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" | WINWORD.EXE
  Key created | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel | WINWORD.EXE
  Key created | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar | WINWORD.EXE
  Set value (str) | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" | WINWORD.EXE
  Set value (str) | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" | WINWORD.EXE
  Set value (int) | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" | WINWORD.EXE
  Key created | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt | WINWORD.EXE
  Key created | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote | WINWORD.EXE
  Set value (str) | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" | WINWORD.EXE

- Suspicious behavior: AddClipboardFormatListener (1 IoCs)
  Processes: WINWORD.EXE
  pid | process
  2044 | WINWORD.EXE

- Suspicious behavior: EnumeratesProcesses (14 IoCs)
  Processes: 69577.exe, jra.exe, InstallUtil.exe
  pid | process
  1944 | 69577.exe
  1944 | 69577.exe
  1944 | 69577.exe
  1944 | 69577.exe
  1944 | 69577.exe
  1188 | jra.exe
  1188 | jra.exe
  1652 | InstallUtil.exe
  1652 | InstallUtil.exe
  1652 | InstallUtil.exe
  1652 | InstallUtil.exe
  1652 | InstallUtil.exe
  1652 | InstallUtil.exe
  1652 | InstallUtil.exe

- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes: 69577.exe, jra.exe, InstallUtil.exe
  description | pid | process
  Token: SeDebugPrivilege | 1944 | 69577.exe
  Token: SeDebugPrivilege | 1188 | jra.exe
  Token: SeDebugPrivilege | 1652 | InstallUtil.exe

- Suspicious use of SetWindowsHookEx (2 IoCs)
  Processes: WINWORD.EXE
  pid | process
  2044 | WINWORD.EXE
  2044 | WINWORD.EXE

- Suspicious use of WriteProcessMemory (32 IoCs)
  Processes: WINWORD.EXE, EQNEDT32.EXE, 69577.exe, cmd.exe, jra.exe
  description | pid | process | target process
  PID 2044 wrote to memory of 1976 | 2044 | WINWORD.EXE | splwow64.exe
  PID 2044 wrote to memory of 1976 | 2044 | WINWORD.EXE | splwow64.exe
  PID 2044 wrote to memory of 1976 | 2044 | WINWORD.EXE | splwow64.exe
  PID 2044 wrote to memory of 1976 | 2044 | WINWORD.EXE | splwow64.exe
  PID 1752 wrote to memory of 1944 | 1752 | EQNEDT32.EXE | 69577.exe
  PID 1752 wrote to memory of 1944 | 1752 | EQNEDT32.EXE | 69577.exe
  PID 1752 wrote to memory of 1944 | 1752 | EQNEDT32.EXE | 69577.exe
  PID 1752 wrote to memory of 1944 | 1752 | EQNEDT32.EXE | 69577.exe
  PID 1944 wrote to memory of 1708 | 1944 | 69577.exe | cmd.exe
  PID 1944 wrote to memory of 1708 | 1944 | 69577.exe | cmd.exe
  PID 1944 wrote to memory of 1708 | 1944 | 69577.exe | cmd.exe
  PID 1944 wrote to memory of 1708 | 1944 | 69577.exe | cmd.exe
  PID 1708 wrote to memory of 1104 | 1708 | cmd.exe | reg.exe
  PID 1708 wrote to memory of 1104 | 1708 | cmd.exe | reg.exe
  PID 1708 wrote to memory of 1104 | 1708 | cmd.exe | reg.exe
  PID 1708 wrote to memory of 1104 | 1708 | cmd.exe | reg.exe
  PID 1944 wrote to memory of 1188 | 1944 | 69577.exe | jra.exe
  PID 1944 wrote to memory of 1188 | 1944 | 69577.exe | jra.exe
  PID 1944 wrote to memory of 1188 | 1944 | 69577.exe | jra.exe
  PID 1944 wrote to memory of 1188 | 1944 | 69577.exe | jra.exe
  PID 1188 wrote to memory of 1652 | 1188 | jra.exe | InstallUtil.exe
  PID 1188 wrote to memory of 1652 | 1188 | jra.exe | InstallUtil.exe
  PID 1188 wrote to memory of 1652 | 1188 | jra.exe | InstallUtil.exe
  PID 1188 wrote to memory of 1652 | 1188 | jra.exe | InstallUtil.exe
  PID 1188 wrote to memory of 1652 | 1188 | jra.exe | InstallUtil.exe
  PID 1188 wrote to memory of 1652 | 1188 | jra.exe | InstallUtil.exe
  PID 1188 wrote to memory of 1652 | 1188 | jra.exe | InstallUtil.exe
  PID 1188 wrote to memory of 1652 | 1188 | jra.exe | InstallUtil.exe
  PID 1188 wrote to memory of 1652 | 1188 | jra.exe | InstallUtil.exe
  PID 1188 wrote to memory of 1652 | 1188 | jra.exe | InstallUtil.exe
  PID 1188 wrote to memory of 1652 | 1188 | jra.exe | InstallUtil.exe
  PID 1188 wrote to memory of 1652 | 1188 | jra.exe | InstallUtil.exe
Processes

- C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
  Command line: "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\FedEx 772584418730.doc"
  - Drops file in Windows directory
  - Modifies Internet Explorer settings
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID: 2044

  - C:\Windows\splwow64.exe
    Command line: C:\Windows\splwow64.exe 12288
    PID: 1976

- C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
  Command line: "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
  - Blocklisted process makes network request
  - Loads dropped DLL
  - Launches Equation Editor
  - Suspicious use of WriteProcessMemory
  PID: 1752

  - C:\Users\Public\69577.exe
    Command line: "C:\Users\Public\69577.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 1944

    - C:\Windows\SysWOW64\cmd.exe
      Command line: "cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "fxyt" /t REG_SZ /d "C:\Users\Admin\jra.exe"
      - Suspicious use of WriteProcessMemory
      PID: 1708

      - C:\Windows\SysWOW64\reg.exe
        Command line: REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "fxyt" /t REG_SZ /d "C:\Users\Admin\jra.exe"
        - Adds Run key to start application
        PID: 1104

    - C:\Users\Admin\jra.exe
      Command line: "C:\Users\Admin\jra.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      PID: 1188

      - C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe"
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        PID: 1652
Downloads