Analysis

  • max time kernel
    150s
  • max time network
    141s
  • platform
    windows7_x64
  • resource
    win7v20201028
  • submitted
    22-01-2021 07:09

General

  • Target

    RFQSDCL1005C1N5STDFM01.doc

  • Size

    991KB

  • MD5

    09d4af0b227dc3974954cc05f28bf8bc

  • SHA1

    473e5ddb68275afba681213c7293219f93c8a7d4

  • SHA256

    7fe770f2a75d693076b3f2c81baa8bf27ba82d84b287bb5df381cc214b95eb6b

  • SHA512

    8d1a0be85fb32f53975d9aabf4510690aa4561eb81aa558e2404211595ba7288bdb5798d8389d3c3fd77fe4ba7d65c999f3b92f01626a9e18d6d9d91ca976689

Malware Config

Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    mail.tavmachine.com
  • Port:
    587
  • Username:
    m.michy@tavmachine.com
  • Password:
    G{y7.W#Ni!-A

Signatures

  • Snake Keylogger

    Keylogger and Infostealer first seen in November 2020.

  • Snake Keylogger Payload 3 IoCs
  • Blocklisted process makes network request 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Drops startup file 2 IoCs
  • Loads dropped DLL 6 IoCs
  • Looks up external IP address via web service 3 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 1 IoCs
  • Program crash 1 IoCs
  • Office loads VBA resources, possible macro or embedded object present
  • Launches Equation Editor 1 TTPs 1 IoCs

    Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

  • Modifies Internet Explorer settings 1 TTPs 9 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 9 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\RFQSDCL1005C1N5STDFM01.doc"
    1⤵
    • Drops file in Windows directory
    • Modifies Internet Explorer settings
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1832
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
        PID:1412
    • C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
      "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
      1⤵
      • Blocklisted process makes network request
      • Loads dropped DLL
      • Launches Equation Editor
      • Suspicious use of WriteProcessMemory
      PID:1872
      • C:\Users\Public\69577.exe
        "C:\Users\Public\69577.exe"
        2⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:944
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe
          "Powershell.exe" -ExecutionPolicy Bypass -command Copy-Item 'C:\Users\Public\69577.exe' 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\I$s#$lT3ssl.exe'
          3⤵
          • Drops startup file
          • Drops file in System32 directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:752
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
          3⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:764
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 944 -s 1132
          3⤵
          • Loads dropped DLL
          • Program crash
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2020

    Network

    MITRE ATT&CK Matrix ATT&CK v6

      • Execution (1)
        Exploitation for Client Execution T1203
      • Defense Evasion (1)
        Modify Registry T1112
      • Discovery (1)
        System Information Discovery T1082

    Downloads

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\5DFWELRG.txt
      MD5

      fd0b2c83393d3b8c4a9455197dc6580f

      SHA1

      20044164d120e02d8e9694b405113585d8bb5e27

      SHA256

      e6c19d92d0bdc2b3199159ea62cd9b672ffca19e9b42768af1c8aed5564ffbc2

      SHA512

      e4fe315f87d5541de098b0e011609960c3bca05e2b1c3d4aad07572763212c7f8999e2a46094ffb11da962ad0a67988a11de9c1bc8d81bd8fc0a2cf0adb31031

    • C:\Users\Public\69577.exe
      MD5

      c7b57a6ecc4533c754e1c04789e242d0

      SHA1

      c252dbd1653bbfc5bb2941b8965c9daf41e066f6

      SHA256

      8b720e30117cfb204a068bfea7b482d1dfef2966fa32ecc2cabc3fe488674258

      SHA512

      95c3fff30f403addb4bbd74e86349303d14fa7ffe78c0e511145ac56b7b498842c774ff0e3d8636f3cee9dfb8b7cf4c80ebbce991e2d572afecf3bf593afcac8

    • \Users\Public\69577.exe
      MD5

      c7b57a6ecc4533c754e1c04789e242d0

      SHA1

      c252dbd1653bbfc5bb2941b8965c9daf41e066f6

      SHA256

      8b720e30117cfb204a068bfea7b482d1dfef2966fa32ecc2cabc3fe488674258

      SHA512

      95c3fff30f403addb4bbd74e86349303d14fa7ffe78c0e511145ac56b7b498842c774ff0e3d8636f3cee9dfb8b7cf4c80ebbce991e2d572afecf3bf593afcac8

    • memory/752-43-0x000000007EF30000-0x000000007EF31000-memory.dmp
      Filesize

      4KB

    • memory/752-22-0x0000000004A10000-0x0000000004A11000-memory.dmp
      Filesize

      4KB

    • memory/752-47-0x0000000006080000-0x0000000006081000-memory.dmp
      Filesize

      4KB

    • memory/752-30-0x00000000025D0000-0x00000000025D1000-memory.dmp
      Filesize

      4KB

    • memory/752-41-0x0000000006040000-0x0000000006041000-memory.dmp
      Filesize

      4KB

    • memory/752-55-0x0000000006280000-0x0000000006281000-memory.dmp
      Filesize

      4KB

    • memory/752-18-0x0000000000000000-mapping.dmp
    • memory/752-20-0x000000006AB80000-0x000000006B26E000-memory.dmp
      Filesize

      6.9MB

    • memory/752-21-0x0000000000960000-0x0000000000961000-memory.dmp
      Filesize

      4KB

    • memory/752-48-0x0000000006180000-0x0000000006181000-memory.dmp
      Filesize

      4KB

    • memory/752-24-0x00000000049D0000-0x00000000049D1000-memory.dmp
      Filesize

      4KB

    • memory/752-25-0x00000000049D2000-0x00000000049D3000-memory.dmp
      Filesize

      4KB

    • memory/752-35-0x0000000004980000-0x0000000004981000-memory.dmp
      Filesize

      4KB

    • memory/764-36-0x0000000002630000-0x0000000002631000-memory.dmp
      Filesize

      4KB

    • memory/764-28-0x000000000046460E-mapping.dmp
    • memory/764-27-0x0000000000400000-0x000000000046A000-memory.dmp
      Filesize

      424KB

    • memory/764-32-0x0000000000400000-0x000000000046A000-memory.dmp
      Filesize

      424KB

    • memory/764-31-0x000000006AB80000-0x000000006B26E000-memory.dmp
      Filesize

      6.9MB

    • memory/944-13-0x000000006AB80000-0x000000006B26E000-memory.dmp
      Filesize

      6.9MB

    • memory/944-10-0x0000000000000000-mapping.dmp
    • memory/944-26-0x00000000004B0000-0x00000000004BF000-memory.dmp
      Filesize

      60KB

    • memory/944-23-0x0000000004DB5000-0x0000000004DC6000-memory.dmp
      Filesize

      68KB

    • memory/944-17-0x0000000004340000-0x00000000043B6000-memory.dmp
      Filesize

      472KB

    • memory/944-38-0x0000000002130000-0x0000000002131000-memory.dmp
      Filesize

      4KB

    • memory/944-16-0x0000000004DB0000-0x0000000004DB1000-memory.dmp
      Filesize

      4KB

    • memory/944-14-0x00000000002F0000-0x00000000002F1000-memory.dmp
      Filesize

      4KB

    • memory/944-34-0x0000000004DC6000-0x0000000004DC7000-memory.dmp
      Filesize

      4KB

    • memory/1412-6-0x000007FEFB6D1000-0x000007FEFB6D3000-memory.dmp
      Filesize

      8KB

    • memory/1412-5-0x0000000000000000-mapping.dmp
    • memory/1700-8-0x000007FEF5D50000-0x000007FEF5FCA000-memory.dmp
      Filesize

      2.5MB

    • memory/1832-2-0x00000000721D1000-0x00000000721D4000-memory.dmp
      Filesize

      12KB

    • memory/1832-4-0x000000005FFF0000-0x0000000060000000-memory.dmp
      Filesize

      64KB

    • memory/1832-3-0x000000006FC51000-0x000000006FC53000-memory.dmp
      Filesize

      8KB

    • memory/1872-7-0x0000000075DE1000-0x0000000075DE3000-memory.dmp
      Filesize

      8KB

    • memory/2020-56-0x0000000000000000-mapping.dmp
    • memory/2020-57-0x0000000001EC0000-0x0000000001ED1000-memory.dmp
      Filesize

      68KB

    • memory/2020-65-0x0000000000440000-0x0000000000441000-memory.dmp
      Filesize

      4KB