snakekeylogger | 03cdab92c6e2cf5df9fd307cba44334d112a0dbf3d497effe798ee6881de00f2

Analysis

max time kernel
148s
max time network
149s
platform
windows7_x64
resource
win7v20201028
submitted
18-01-2021 07:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

IMG_71103.doc
Size

579KB
MD5

336ce8279d6f4852a60c45c01a76c983
SHA1

568bbda16104bee5125b860670fc5c0bc5e93250
SHA256

03cdab92c6e2cf5df9fd307cba44334d112a0dbf3d497effe798ee6881de00f2
SHA512

dffcc9d2d0d3e608012c59f8a7ae5754849d1c0493b0207398654a117ffd3de2b07cce09dc116d348ceb3860695cde0e6071503c66e995c99944b014eb161802

Score

10^/10

snakekeylogger keylogger persistence spyware stealer

Malware Config

Signatures

Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
stealer keylogger snakekeylogger

Snake Keylogger Payload 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/960-37-0x0000000000400000-0x0000000000468000-memory.dmp	family_snakekeylogger
behavioral1/memory/960-38-0x000000000046372E-mapping.dmp	family_snakekeylogger
behavioral1/memory/960-41-0x0000000000400000-0x0000000000468000-memory.dmp	family_snakekeylogger

Blocklisted process makes network request 5 IoCs

Processes:

EQNEDT32.EXE

flow pid process

7 1632 EQNEDT32.EXE
9 1632 EQNEDT32.EXE
10 1632 EQNEDT32.EXE
12 1632 EQNEDT32.EXE
14 1632 EQNEDT32.EXE
Executes dropped EXE 3 IoCs

Processes:

69577.exescis.exeInstallUtil.exe

pid process

1020 69577.exe
860 scis.exe
960 InstallUtil.exe
Loads dropped DLL 3 IoCs

Processes:

EQNEDT32.EXE69577.exescis.exe

pid process

1632 EQNEDT32.EXE
1020 69577.exe
860 scis.exe
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081

flow	pid	process
7	1632	EQNEDT32.EXE
9	1632	EQNEDT32.EXE
10	1632	EQNEDT32.EXE
12	1632	EQNEDT32.EXE
14	1632	EQNEDT32.EXE

pid	process
1632	EQNEDT32.EXE
1020	69577.exe
860	scis.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run\not = "C:\\Users\\Admin\\scis.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe

Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

15 checkip.dyndns.org
18 freegeoip.app
19 freegeoip.app
Suspicious use of SetThreadContext 1 IoCs

Processes:

scis.exe

description pid process target process

PID 860 set thread context of 960 860 scis.exe InstallUtil.exe
Drops file in Windows directory 1 IoCs

Processes:

WINWORD.EXE

description ioc process

File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE
Office loads VBA resources, possible macro or embedded object present
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
exploit

Exploitation for Client Execution
T1203

Processes:

EQNEDT32.EXE

pid process

1632 EQNEDT32.EXE

flow	ioc
15	checkip.dyndns.org
18	freegeoip.app
19	freegeoip.app

description	pid	process	target process
PID 860 set thread context of 960	860	scis.exe	InstallUtil.exe

description	ioc	process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

pid	process
1632	EQNEDT32.EXE

Modifies Internet Explorer settings 1 TTPs 9 IoCs

adware spyware

Modify Registry

T1112

Processes:

WINWORD.EXE

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

WINWORD.EXE

pid process

1864 WINWORD.EXE

pid	process
1864	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

69577.exescis.exeInstallUtil.exe

pid	process
1020	69577.exe
1020	69577.exe
1020	69577.exe
860	scis.exe
860	scis.exe
960	InstallUtil.exe
960	InstallUtil.exe
960	InstallUtil.exe
960	InstallUtil.exe
960	InstallUtil.exe
960	InstallUtil.exe
960	InstallUtil.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

69577.exescis.exeInstallUtil.exe

description pid process

Token: SeDebugPrivilege 1020 69577.exe
Token: SeDebugPrivilege 860 scis.exe
Token: SeDebugPrivilege 960 InstallUtil.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

WINWORD.EXE

pid process

1864 WINWORD.EXE
1864 WINWORD.EXE

description	pid	process
Token: SeDebugPrivilege	1020	69577.exe
Token: SeDebugPrivilege	860	scis.exe
Token: SeDebugPrivilege	960	InstallUtil.exe

pid	process
1864	WINWORD.EXE
1864	WINWORD.EXE

Suspicious use of WriteProcessMemory 32 IoCs

Processes:

WINWORD.EXEEQNEDT32.EXE69577.execmd.exescis.exe

description	pid	process	target process
PID 1864 wrote to memory of 2020	1864	WINWORD.EXE	splwow64.exe
PID 1864 wrote to memory of 2020	1864	WINWORD.EXE	splwow64.exe
PID 1864 wrote to memory of 2020	1864	WINWORD.EXE	splwow64.exe
PID 1864 wrote to memory of 2020	1864	WINWORD.EXE	splwow64.exe
PID 1632 wrote to memory of 1020	1632	EQNEDT32.EXE	69577.exe
PID 1632 wrote to memory of 1020	1632	EQNEDT32.EXE	69577.exe
PID 1632 wrote to memory of 1020	1632	EQNEDT32.EXE	69577.exe
PID 1632 wrote to memory of 1020	1632	EQNEDT32.EXE	69577.exe
PID 1020 wrote to memory of 1624	1020	69577.exe	cmd.exe
PID 1020 wrote to memory of 1624	1020	69577.exe	cmd.exe
PID 1020 wrote to memory of 1624	1020	69577.exe	cmd.exe
PID 1020 wrote to memory of 1624	1020	69577.exe	cmd.exe
PID 1624 wrote to memory of 1596	1624	cmd.exe	reg.exe
PID 1624 wrote to memory of 1596	1624	cmd.exe	reg.exe
PID 1624 wrote to memory of 1596	1624	cmd.exe	reg.exe
PID 1624 wrote to memory of 1596	1624	cmd.exe	reg.exe
PID 1020 wrote to memory of 860	1020	69577.exe	scis.exe
PID 1020 wrote to memory of 860	1020	69577.exe	scis.exe
PID 1020 wrote to memory of 860	1020	69577.exe	scis.exe
PID 1020 wrote to memory of 860	1020	69577.exe	scis.exe
PID 860 wrote to memory of 960	860	scis.exe	InstallUtil.exe
PID 860 wrote to memory of 960	860	scis.exe	InstallUtil.exe
PID 860 wrote to memory of 960	860	scis.exe	InstallUtil.exe
PID 860 wrote to memory of 960	860	scis.exe	InstallUtil.exe
PID 860 wrote to memory of 960	860	scis.exe	InstallUtil.exe
PID 860 wrote to memory of 960	860	scis.exe	InstallUtil.exe
PID 860 wrote to memory of 960	860	scis.exe	InstallUtil.exe
PID 860 wrote to memory of 960	860	scis.exe	InstallUtil.exe
PID 860 wrote to memory of 960	860	scis.exe	InstallUtil.exe
PID 860 wrote to memory of 960	860	scis.exe	InstallUtil.exe
PID 860 wrote to memory of 960	860	scis.exe	InstallUtil.exe
PID 860 wrote to memory of 960	860	scis.exe	InstallUtil.exe

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\IMG_71103.doc"
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1864
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:2020

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:1632
- C:\Users\Public\69577.exe
  "C:\Users\Public\69577.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1020
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "not" /t REG_SZ /d "C:\Users\Admin\scis.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1624
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "not" /t REG_SZ /d "C:\Users\Admin\scis.exe"
      4⤵
      Adds Run key to start application
      PID:1596
- - C:\Users\Admin\scis.exe
    "C:\Users\Admin\scis.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:860
  - - C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe
      "C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:960

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Exploitation for Client Execution

T1203

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe

MD5
91c9ae9c9a17a9db5e08b120e668c74c

SHA1
50770954c1ceb0bb6f1d5d3f2de2a0a065773723

SHA256
e56a7e5d3ab9675555e2897fc3faa2dd9265008a4967a7d54030ab8184d2d38f

SHA512
ca504af192e3318359d4742a2ef26ae1b5d040a4f9942782e02549a310158d5d5dbf919b4c748c31ee609d2046bd23ee0c22712891c86ae4a1e3a58c6e67647e

Download Submit
C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe

MD5
91c9ae9c9a17a9db5e08b120e668c74c

SHA1
50770954c1ceb0bb6f1d5d3f2de2a0a065773723

SHA256
e56a7e5d3ab9675555e2897fc3faa2dd9265008a4967a7d54030ab8184d2d38f

SHA512
ca504af192e3318359d4742a2ef26ae1b5d040a4f9942782e02549a310158d5d5dbf919b4c748c31ee609d2046bd23ee0c22712891c86ae4a1e3a58c6e67647e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\ZCUB0EQB.txt

MD5
4dd1f8c37917c53822775fa54dad24a0

SHA1
b41f6095e5578bdb18e09d551b058fc5023861b5

SHA256
79dcf041ca72ba19d9c857e45b7179aef104ab561ca3f3fe0e1c7678a0c00301

SHA512
dab3f44f4de69d22165dacbe021e1a1f2eb7deabf111c71489595070fc0c8c1a3410ecab8b6dd286092b30f6ee94b4f53ec0f1e09485e6b53cb26647c9419e72

Download Submit
C:\Users\Admin\scis.exe

MD5
96677fa4409a98a04a9c87737eb1f167

SHA1
0a21c71633a30db91f5b6572ca8e283ed3229109

SHA256
bd0d59702d2d99ee59e5d10834c234e2fa98bfb4d02b19500f3a67bbff70e7d5

SHA512
548b9b3f207cfce453221d08bc11d247aeae376d7ee8d68c7cdf38d4762f52d4a62d56fc6682df6b007cd11be93c2281ea48ed498704257da1e4da519ccef4ca

Download Submit
C:\Users\Admin\scis.exe

MD5
96677fa4409a98a04a9c87737eb1f167

SHA1
0a21c71633a30db91f5b6572ca8e283ed3229109

SHA256
bd0d59702d2d99ee59e5d10834c234e2fa98bfb4d02b19500f3a67bbff70e7d5

SHA512
548b9b3f207cfce453221d08bc11d247aeae376d7ee8d68c7cdf38d4762f52d4a62d56fc6682df6b007cd11be93c2281ea48ed498704257da1e4da519ccef4ca

Download Submit
C:\Users\Public\69577.exe

MD5
96677fa4409a98a04a9c87737eb1f167

SHA1
0a21c71633a30db91f5b6572ca8e283ed3229109

SHA256
bd0d59702d2d99ee59e5d10834c234e2fa98bfb4d02b19500f3a67bbff70e7d5

SHA512
548b9b3f207cfce453221d08bc11d247aeae376d7ee8d68c7cdf38d4762f52d4a62d56fc6682df6b007cd11be93c2281ea48ed498704257da1e4da519ccef4ca

Download Submit
C:\Users\Public\69577.exe

MD5
96677fa4409a98a04a9c87737eb1f167

SHA1
0a21c71633a30db91f5b6572ca8e283ed3229109

SHA256
bd0d59702d2d99ee59e5d10834c234e2fa98bfb4d02b19500f3a67bbff70e7d5

SHA512
548b9b3f207cfce453221d08bc11d247aeae376d7ee8d68c7cdf38d4762f52d4a62d56fc6682df6b007cd11be93c2281ea48ed498704257da1e4da519ccef4ca

Download Submit
\Users\Admin\AppData\Local\Temp\InstallUtil.exe

MD5
91c9ae9c9a17a9db5e08b120e668c74c

SHA1
50770954c1ceb0bb6f1d5d3f2de2a0a065773723

SHA256
e56a7e5d3ab9675555e2897fc3faa2dd9265008a4967a7d54030ab8184d2d38f

SHA512
ca504af192e3318359d4742a2ef26ae1b5d040a4f9942782e02549a310158d5d5dbf919b4c748c31ee609d2046bd23ee0c22712891c86ae4a1e3a58c6e67647e

Download Submit
\Users\Admin\scis.exe

MD5
96677fa4409a98a04a9c87737eb1f167

SHA1
0a21c71633a30db91f5b6572ca8e283ed3229109

SHA256
bd0d59702d2d99ee59e5d10834c234e2fa98bfb4d02b19500f3a67bbff70e7d5

SHA512
548b9b3f207cfce453221d08bc11d247aeae376d7ee8d68c7cdf38d4762f52d4a62d56fc6682df6b007cd11be93c2281ea48ed498704257da1e4da519ccef4ca

Download Submit
\Users\Public\69577.exe

MD5
96677fa4409a98a04a9c87737eb1f167

SHA1
0a21c71633a30db91f5b6572ca8e283ed3229109

SHA256
bd0d59702d2d99ee59e5d10834c234e2fa98bfb4d02b19500f3a67bbff70e7d5

SHA512
548b9b3f207cfce453221d08bc11d247aeae376d7ee8d68c7cdf38d4762f52d4a62d56fc6682df6b007cd11be93c2281ea48ed498704257da1e4da519ccef4ca

Download Submit
memory/612-8-0x000007FEF7810000-0x000007FEF7A8A000-memory.dmp

Filesize
2.5MB

Download
memory/860-33-0x0000000000B70000-0x0000000000B71000-memory.dmp

Filesize
4KB

Download
memory/860-36-0x0000000000A01000-0x0000000000A02000-memory.dmp

Filesize
4KB

Download
memory/860-32-0x00000000007D0000-0x00000000007DB000-memory.dmp

Filesize
44KB

Download
memory/860-31-0x0000000000A00000-0x0000000000A01000-memory.dmp

Filesize
4KB

Download
memory/860-27-0x00000000010A0000-0x00000000010A1000-memory.dmp

Filesize
4KB

Download
memory/860-26-0x000000006AFC0000-0x000000006B6AE000-memory.dmp

Filesize
6.9MB

Download
memory/860-23-0x0000000000000000-mapping.dmp

Download
memory/960-43-0x0000000004C80000-0x0000000004C81000-memory.dmp

Filesize
4KB

Download
memory/960-38-0x000000000046372E-mapping.dmp

Download
memory/960-37-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/960-40-0x000000006AFC0000-0x000000006B6AE000-memory.dmp

Filesize
6.9MB

Download
memory/960-41-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/1020-10-0x0000000000000000-mapping.dmp

Download
memory/1020-18-0x0000000002000000-0x0000000002001000-memory.dmp

Filesize
4KB

Download
memory/1020-17-0x00000000004F0000-0x00000000004F1000-memory.dmp

Filesize
4KB

Download
memory/1020-16-0x00000000004C0000-0x00000000004DE000-memory.dmp

Filesize
120KB

Download
memory/1020-21-0x0000000002001000-0x0000000002002000-memory.dmp

Filesize
4KB

Download
memory/1020-14-0x0000000000990000-0x0000000000991000-memory.dmp

Filesize
4KB

Download
memory/1020-13-0x000000006AFC0000-0x000000006B6AE000-memory.dmp

Filesize
6.9MB

Download
memory/1596-20-0x0000000000000000-mapping.dmp

Download
memory/1624-19-0x0000000000000000-mapping.dmp

Download
memory/1632-7-0x00000000760B1000-0x00000000760B3000-memory.dmp

Filesize
8KB

Download
memory/1864-4-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1864-2-0x0000000072501000-0x0000000072504000-memory.dmp

Filesize
12KB

Download
memory/1864-3-0x000000006FF81000-0x000000006FF83000-memory.dmp

Filesize
8KB

Download
memory/2020-5-0x0000000000000000-mapping.dmp

Download
memory/2020-6-0x000007FEFBA01000-0x000007FEFBA03000-memory.dmp

Filesize
8KB

Download