snakekeylogger | cf6ff5724ebdc0f3d2e4667c8d82029cfe8c501ea127d44a9f01a767c2831ef2

Analysis

max time kernel
151s
max time network
137s
platform
windows7_x64
resource
win7v20201028
submitted
18-01-2021 07:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

FedEx 772584418730.doc
Size

405KB
MD5

4bb9d9ebae28b25d4175de0833236f18
SHA1

bb9301e242fd7bccb4f575b9c68393f464768df0
SHA256

cf6ff5724ebdc0f3d2e4667c8d82029cfe8c501ea127d44a9f01a767c2831ef2
SHA512

0caa3159400850efd33474a49688c24a188effb38175694c1bce104e98d342f40877ff30dda2a4f10cf3d31a924b463f52f6cfc52da4a924ee4b6f147658eb7f

Score

10^/10

snakekeylogger keylogger persistence spyware stealer

Malware Config

Signatures

Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
stealer keylogger snakekeylogger

Snake Keylogger Payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1652-38-0x000000000046364E-mapping.dmp	family_snakekeylogger
behavioral1/memory/1652-40-0x0000000000090000-0x00000000000F8000-memory.dmp	family_snakekeylogger

Blocklisted process makes network request 5 IoCs

Processes:

EQNEDT32.EXE

flow pid process

7 1752 EQNEDT32.EXE
9 1752 EQNEDT32.EXE
10 1752 EQNEDT32.EXE
12 1752 EQNEDT32.EXE
14 1752 EQNEDT32.EXE
Executes dropped EXE 3 IoCs

Processes:

69577.exejra.exeInstallUtil.exe

pid process

1944 69577.exe
1188 jra.exe
1652 InstallUtil.exe
Loads dropped DLL 3 IoCs

Processes:

EQNEDT32.EXE69577.exejra.exe

pid process

1752 EQNEDT32.EXE
1944 69577.exe
1188 jra.exe
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081

flow	pid	process
7	1752	EQNEDT32.EXE
9	1752	EQNEDT32.EXE
10	1752	EQNEDT32.EXE
12	1752	EQNEDT32.EXE
14	1752	EQNEDT32.EXE

pid	process
1752	EQNEDT32.EXE
1944	69577.exe
1188	jra.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\fxyt = "C:\\Users\\Admin\\jra.exe"	reg.exe

Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

15 checkip.dyndns.org
18 freegeoip.app
19 freegeoip.app
Suspicious use of SetThreadContext 1 IoCs

Processes:

jra.exe

description pid process target process

PID 1188 set thread context of 1652 1188 jra.exe InstallUtil.exe
Drops file in Windows directory 1 IoCs

Processes:

WINWORD.EXE

description ioc process

File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE
Office loads VBA resources, possible macro or embedded object present
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
exploit

Exploitation for Client Execution
T1203

Processes:

EQNEDT32.EXE

pid process

1752 EQNEDT32.EXE

flow	ioc
15	checkip.dyndns.org
18	freegeoip.app
19	freegeoip.app

description	pid	process	target process
PID 1188 set thread context of 1652	1188	jra.exe	InstallUtil.exe

description	ioc	process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

pid	process
1752	EQNEDT32.EXE

Modifies Internet Explorer settings 1 TTPs 9 IoCs

adware spyware

Modify Registry

T1112

Processes:

WINWORD.EXE

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

WINWORD.EXE

pid process

2044 WINWORD.EXE

pid	process
2044	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

69577.exejra.exeInstallUtil.exe

pid	process
1944	69577.exe
1944	69577.exe
1944	69577.exe
1944	69577.exe
1944	69577.exe
1188	jra.exe
1188	jra.exe
1652	InstallUtil.exe
1652	InstallUtil.exe
1652	InstallUtil.exe
1652	InstallUtil.exe
1652	InstallUtil.exe
1652	InstallUtil.exe
1652	InstallUtil.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

69577.exejra.exeInstallUtil.exe

description pid process

Token: SeDebugPrivilege 1944 69577.exe
Token: SeDebugPrivilege 1188 jra.exe
Token: SeDebugPrivilege 1652 InstallUtil.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

WINWORD.EXE

pid process

2044 WINWORD.EXE
2044 WINWORD.EXE

description	pid	process
Token: SeDebugPrivilege	1944	69577.exe
Token: SeDebugPrivilege	1188	jra.exe
Token: SeDebugPrivilege	1652	InstallUtil.exe

pid	process
2044	WINWORD.EXE
2044	WINWORD.EXE

Suspicious use of WriteProcessMemory 32 IoCs

Processes:

WINWORD.EXEEQNEDT32.EXE69577.execmd.exejra.exe

description	pid	process	target process
PID 2044 wrote to memory of 1976	2044	WINWORD.EXE	splwow64.exe
PID 2044 wrote to memory of 1976	2044	WINWORD.EXE	splwow64.exe
PID 2044 wrote to memory of 1976	2044	WINWORD.EXE	splwow64.exe
PID 2044 wrote to memory of 1976	2044	WINWORD.EXE	splwow64.exe
PID 1752 wrote to memory of 1944	1752	EQNEDT32.EXE	69577.exe
PID 1752 wrote to memory of 1944	1752	EQNEDT32.EXE	69577.exe
PID 1752 wrote to memory of 1944	1752	EQNEDT32.EXE	69577.exe
PID 1752 wrote to memory of 1944	1752	EQNEDT32.EXE	69577.exe
PID 1944 wrote to memory of 1708	1944	69577.exe	cmd.exe
PID 1944 wrote to memory of 1708	1944	69577.exe	cmd.exe
PID 1944 wrote to memory of 1708	1944	69577.exe	cmd.exe
PID 1944 wrote to memory of 1708	1944	69577.exe	cmd.exe
PID 1708 wrote to memory of 1104	1708	cmd.exe	reg.exe
PID 1708 wrote to memory of 1104	1708	cmd.exe	reg.exe
PID 1708 wrote to memory of 1104	1708	cmd.exe	reg.exe
PID 1708 wrote to memory of 1104	1708	cmd.exe	reg.exe
PID 1944 wrote to memory of 1188	1944	69577.exe	jra.exe
PID 1944 wrote to memory of 1188	1944	69577.exe	jra.exe
PID 1944 wrote to memory of 1188	1944	69577.exe	jra.exe
PID 1944 wrote to memory of 1188	1944	69577.exe	jra.exe
PID 1188 wrote to memory of 1652	1188	jra.exe	InstallUtil.exe
PID 1188 wrote to memory of 1652	1188	jra.exe	InstallUtil.exe
PID 1188 wrote to memory of 1652	1188	jra.exe	InstallUtil.exe
PID 1188 wrote to memory of 1652	1188	jra.exe	InstallUtil.exe
PID 1188 wrote to memory of 1652	1188	jra.exe	InstallUtil.exe
PID 1188 wrote to memory of 1652	1188	jra.exe	InstallUtil.exe
PID 1188 wrote to memory of 1652	1188	jra.exe	InstallUtil.exe
PID 1188 wrote to memory of 1652	1188	jra.exe	InstallUtil.exe
PID 1188 wrote to memory of 1652	1188	jra.exe	InstallUtil.exe
PID 1188 wrote to memory of 1652	1188	jra.exe	InstallUtil.exe
PID 1188 wrote to memory of 1652	1188	jra.exe	InstallUtil.exe
PID 1188 wrote to memory of 1652	1188	jra.exe	InstallUtil.exe

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\FedEx 772584418730.doc"
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2044

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
2⤵
PID:1976

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:1752

C:\Users\Public\69577.exe
"C:\Users\Public\69577.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1944

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "fxyt" /t REG_SZ /d "C:\Users\Admin\jra.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:1708

C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "fxyt" /t REG_SZ /d "C:\Users\Admin\jra.exe"
4⤵
- Adds Run key to start application
PID:1104

C:\Users\Admin\jra.exe
"C:\Users\Admin\jra.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1188

C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe
"C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe"
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1652

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Exploitation for Client Execution

T1203

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe
MD5
91c9ae9c9a17a9db5e08b120e668c74c

SHA1
50770954c1ceb0bb6f1d5d3f2de2a0a065773723

SHA256
e56a7e5d3ab9675555e2897fc3faa2dd9265008a4967a7d54030ab8184d2d38f

SHA512
ca504af192e3318359d4742a2ef26ae1b5d040a4f9942782e02549a310158d5d5dbf919b4c748c31ee609d2046bd23ee0c22712891c86ae4a1e3a58c6e67647e

Download Submit
C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe
MD5
91c9ae9c9a17a9db5e08b120e668c74c

SHA1
50770954c1ceb0bb6f1d5d3f2de2a0a065773723

SHA256
e56a7e5d3ab9675555e2897fc3faa2dd9265008a4967a7d54030ab8184d2d38f

SHA512
ca504af192e3318359d4742a2ef26ae1b5d040a4f9942782e02549a310158d5d5dbf919b4c748c31ee609d2046bd23ee0c22712891c86ae4a1e3a58c6e67647e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\4IURMFL2.txt
MD5
45d4cbb86774ca8163425b7bbed6184d

SHA1
01084d51ef406b634afd89fcd8b25edf24588294

SHA256
f50211f1ce7fe15009d189804880df09063678ea556bec57a190a03600de4d62

SHA512
e8f18d3a8d106c78a15f42f0a727775426d352fa601dd35d7a79daad74f16da5d5b7465e73f2e32067d5fbd3ab2629dea09dc4759f648e8fa16b01f9f407d68e

Download Submit
C:\Users\Admin\jra.exe
MD5
717d346bd75687b1141a5ba89e06a42c

SHA1
a8b7a4a15866609c19c7f4e3b0f0f460c76b14e9

SHA256
2ffa6649ad0da183479cf5b33f23cf2b5ec55fa2171e144207032f94eb1fddc2

SHA512
46bc4a8836abccf0bb2bba92802b70bc1d8eb543dbeee9923668a6cc4037b73533773b688257a34d082e1a4b947d189b3553caf410183cf1ad4517c520b987de

Download Submit
C:\Users\Admin\jra.exe
MD5
717d346bd75687b1141a5ba89e06a42c

SHA1
a8b7a4a15866609c19c7f4e3b0f0f460c76b14e9

SHA256
2ffa6649ad0da183479cf5b33f23cf2b5ec55fa2171e144207032f94eb1fddc2

SHA512
46bc4a8836abccf0bb2bba92802b70bc1d8eb543dbeee9923668a6cc4037b73533773b688257a34d082e1a4b947d189b3553caf410183cf1ad4517c520b987de

Download Submit
C:\Users\Public\69577.exe
MD5
717d346bd75687b1141a5ba89e06a42c

SHA1
a8b7a4a15866609c19c7f4e3b0f0f460c76b14e9

SHA256
2ffa6649ad0da183479cf5b33f23cf2b5ec55fa2171e144207032f94eb1fddc2

SHA512
46bc4a8836abccf0bb2bba92802b70bc1d8eb543dbeee9923668a6cc4037b73533773b688257a34d082e1a4b947d189b3553caf410183cf1ad4517c520b987de

Download Submit
C:\Users\Public\69577.exe
MD5
717d346bd75687b1141a5ba89e06a42c

SHA1
a8b7a4a15866609c19c7f4e3b0f0f460c76b14e9

SHA256
2ffa6649ad0da183479cf5b33f23cf2b5ec55fa2171e144207032f94eb1fddc2

SHA512
46bc4a8836abccf0bb2bba92802b70bc1d8eb543dbeee9923668a6cc4037b73533773b688257a34d082e1a4b947d189b3553caf410183cf1ad4517c520b987de

Download Submit
\Users\Admin\AppData\Local\Temp\InstallUtil.exe
MD5
91c9ae9c9a17a9db5e08b120e668c74c

SHA1
50770954c1ceb0bb6f1d5d3f2de2a0a065773723

SHA256
e56a7e5d3ab9675555e2897fc3faa2dd9265008a4967a7d54030ab8184d2d38f

SHA512
ca504af192e3318359d4742a2ef26ae1b5d040a4f9942782e02549a310158d5d5dbf919b4c748c31ee609d2046bd23ee0c22712891c86ae4a1e3a58c6e67647e

Download Submit
\Users\Admin\jra.exe
MD5
717d346bd75687b1141a5ba89e06a42c

SHA1
a8b7a4a15866609c19c7f4e3b0f0f460c76b14e9

SHA256
2ffa6649ad0da183479cf5b33f23cf2b5ec55fa2171e144207032f94eb1fddc2

SHA512
46bc4a8836abccf0bb2bba92802b70bc1d8eb543dbeee9923668a6cc4037b73533773b688257a34d082e1a4b947d189b3553caf410183cf1ad4517c520b987de

Download Submit
\Users\Public\69577.exe
MD5
717d346bd75687b1141a5ba89e06a42c

SHA1
a8b7a4a15866609c19c7f4e3b0f0f460c76b14e9

SHA256
2ffa6649ad0da183479cf5b33f23cf2b5ec55fa2171e144207032f94eb1fddc2

SHA512
46bc4a8836abccf0bb2bba92802b70bc1d8eb543dbeee9923668a6cc4037b73533773b688257a34d082e1a4b947d189b3553caf410183cf1ad4517c520b987de

Download Submit
memory/792-8-0x000007FEF6510000-0x000007FEF678A000-memory.dmp

Filesize
2.5MB

Download
memory/1104-20-0x0000000000000000-mapping.dmp

Download
memory/1188-33-0x0000000000BE0000-0x0000000000BE1000-memory.dmp

Filesize
4KB

Download
memory/1188-27-0x0000000000C40000-0x0000000000C41000-memory.dmp

Filesize
4KB

Download
memory/1188-32-0x0000000000650000-0x000000000065B000-memory.dmp

Filesize
44KB

Download
memory/1188-23-0x0000000000000000-mapping.dmp

Download
memory/1188-36-0x0000000004BD1000-0x0000000004BD2000-memory.dmp

Filesize
4KB

Download
memory/1188-31-0x0000000004BD0000-0x0000000004BD1000-memory.dmp

Filesize
4KB

Download
memory/1188-26-0x000000006AFD0000-0x000000006B6BE000-memory.dmp

Filesize
6.9MB

Download
memory/1652-49-0x0000000004A70000-0x0000000004A71000-memory.dmp

Filesize
4KB

Download
memory/1652-42-0x0000000000090000-0x0000000000092000-memory.dmp

Filesize
8KB

Download
memory/1652-41-0x000000006AFD0000-0x000000006B6BE000-memory.dmp

Filesize
6.9MB

Download
memory/1652-40-0x0000000000090000-0x00000000000F8000-memory.dmp

Filesize
416KB

Download
memory/1652-38-0x000000000046364E-mapping.dmp

Download
memory/1708-19-0x0000000000000000-mapping.dmp

Download
memory/1752-7-0x0000000075251000-0x0000000075253000-memory.dmp

Filesize
8KB

Download
memory/1944-13-0x000000006AFD0000-0x000000006B6BE000-memory.dmp

Filesize
6.9MB

Download
memory/1944-10-0x0000000000000000-mapping.dmp

Download
memory/1944-16-0x0000000000410000-0x000000000042E000-memory.dmp

Filesize
120KB

Download
memory/1944-21-0x00000000005A1000-0x00000000005A2000-memory.dmp

Filesize
4KB

Download
memory/1944-14-0x0000000000E80000-0x0000000000E81000-memory.dmp

Filesize
4KB

Download
memory/1944-18-0x00000000005A0000-0x00000000005A1000-memory.dmp

Filesize
4KB

Download
memory/1944-17-0x0000000000440000-0x0000000000441000-memory.dmp

Filesize
4KB

Download
memory/1976-6-0x000007FEFC011000-0x000007FEFC013000-memory.dmp

Filesize
8KB

Download
memory/1976-5-0x0000000000000000-mapping.dmp

Download
memory/2044-2-0x0000000072971000-0x0000000072974000-memory.dmp

Filesize
12KB

Download
memory/2044-4-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2044-3-0x00000000703F1000-0x00000000703F3000-memory.dmp

Filesize
8KB

Download