Analysis
- max time kernel: 150s
- max time network: 141s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 22-01-2021 07:09

Static task: static1
Behavioral task: behavioral1
  Sample: RFQSDCL1005C1N5STDFM01.doc
  Resource: win7v20201028
Behavioral task: behavioral2
  Sample: RFQSDCL1005C1N5STDFM01.doc
  Resource: win10v20201028
(The behaviour below is the behavioral1 / Windows 7 x64 run; all PIDs refer to it.)

General
- Target: RFQSDCL1005C1N5STDFM01.doc
- Size: 991KB
- MD5: 09d4af0b227dc3974954cc05f28bf8bc
- SHA1: 473e5ddb68275afba681213c7293219f93c8a7d4
- SHA256: 7fe770f2a75d693076b3f2c81baa8bf27ba82d84b287bb5df381cc214b95eb6b
- SHA512: 8d1a0be85fb32f53975d9aabf4510690aa4561eb81aa558e2404211595ba7288bdb5798d8389d3c3fd77fe4ba7d65c999f3b92f01626a9e18d6d9d91ca976689
Malware Config
Extracted
- Protocol: smtp
- Host: mail.tavmachine.com
- Port: 587
- Username: m.michy@tavmachine.com
- Password: G{y7.W#Ni!-A
These are the SMTP submission credentials the keylogger uses to mail out what it steals, recovered by the sandbox's config extractor. Alert on TCP/587 to the host above from workstations, and treat the account as the attacker's drop mailbox (often a hijacked legitimate one): the domain owner, not the mailbox, is the party to notify.
Signatures
-
Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
-
Snake Keylogger Payload 3 IoCs
resource                                                                    yara_rule
behavioral1/memory/764-28-0x000000000046460E-mapping.dmp                    family_snakekeylogger
behavioral1/memory/764-27-0x0000000000400000-0x000000000046A000-memory.dmp  family_snakekeylogger
behavioral1/memory/764-32-0x0000000000400000-0x000000000046A000-memory.dmp  family_snakekeylogger
All three matches are in PID 764 (RegAsm.exe): the unpacked payload lives in the hollowed RegAsm.exe process, not in 69577.exe as it sits on disk, so a disk-only YARA scan of the dropped file will not see this rule fire.
Blocklisted process makes network request 2 IoCs
flow  pid   process
6     1872  EQNEDT32.EXE
8     1872  EQNEDT32.EXE
Equation Editor has no legitimate reason to open network connections; two outbound flows from it, followed by C:\Users\Public\69577.exe appearing and being started by the same PID, are consistent with the exploit downloading its next stage. Any network activity from EQNEDT32.EXE is a high-fidelity alert on its own.
-
Executes dropped EXE 1 IoCs
pid  process
944  69577.exe
-
Drops startup file 2 IoCs
description                   ioc                                                                                          process
File created                  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\I$s#$lT3ssl.exe  Powershell.exe
File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\I$s#$lT3ssl.exe  Powershell.exe
-
Loads dropped DLL 6 IoCs
pid   process
1872  EQNEDT32.EXE
2020  WerFault.exe (listed five times)
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow  ioc
9     checkip.dyndns.org
12    freegeoip.app
13    freegeoip.app
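The two network behaviours the report records, the external-IP lookups above and the SMTP exfiltration host from the extracted config, are the network-side signals worth hunting for. The following is an added example, not part of the sandbox report: it runs both checks over constructed Zeek-style dns.log and conn.log records and joins the connection log back to DNS answers so a TCP/587 flow can be attributed to mail.tavmachine.com. The tab-separated field layout, the sample records, the resolved addresses and all function names are assumptions; the hostnames and the port come from the report.

```python
"""Flag external-IP lookups and SMTP submission to the configured exfil host
in constructed Zeek-style dns.log / conn.log records (added example)."""
from dataclasses import dataclass
from typing import Dict, List, Set

EXFIL_SMTP_HOST = "mail.tavmachine.com"                       # Malware Config: Host
EXFIL_SMTP_PORT = 587                                         # Malware Config: Port
IP_LOOKUP_DOMAINS = {"checkip.dyndns.org", "freegeoip.app"}   # "Looks up external IP" IoCs

# Assumed field layout (a subset of Zeek's dns.log / conn.log columns)
DNS_FIELDS = ["ts", "uid", "src", "sport", "dst", "dport", "query", "answers"]
CONN_FIELDS = ["ts", "uid", "src", "sport", "dst", "dport", "proto"]

# Constructed sample records; addresses are RFC 5737 documentation ranges
SAMPLE_DNS = """\
1611299360.1\tC1\t10.0.0.5\t49152\t10.0.0.1\t53\tcheckip.dyndns.org\t192.0.2.10
1611299361.2\tC2\t10.0.0.5\t49153\t10.0.0.1\t53\twww.example.com\t192.0.2.20
1611299362.3\tC3\t10.0.0.5\t49154\t10.0.0.1\t53\tfreegeoip.app\t192.0.2.30
1611299365.0\tC4\t10.0.0.5\t49155\t10.0.0.1\t53\tmail.tavmachine.com\t198.51.100.25
"""
SAMPLE_CONN = """\
1611299363.0\tC5\t10.0.0.5\t49160\t192.0.2.10\t80\ttcp
1611299366.0\tC6\t10.0.0.5\t49161\t198.51.100.25\t587\ttcp
1611299370.0\tC7\t10.0.0.7\t49162\t203.0.113.9\t587\ttcp
"""


@dataclass(frozen=True)
class Alert:
    ts: float
    src: str
    kind: str      # ip_lookup | smtp_exfil | smtp_submission
    detail: str


def parse_tsv(text: str, fields: List[str]) -> List[Dict[str, str]]:
    """Parse tab-separated records into dicts; reject rows with the wrong arity."""
    rows = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        parts = line.split("\t")
        if len(parts) != len(fields):
            raise ValueError(f"malformed record: {line!r}")
        rows.append(dict(zip(fields, parts)))
    return rows


def detect(dns_log: str, conn_log: str) -> List[Alert]:
    alerts: List[Alert] = []
    resolved: Dict[str, str] = {}   # answer IP -> queried name, to join conn.log back to dns.log
    for r in parse_tsv(dns_log, DNS_FIELDS):
        name = r["query"].lower().rstrip(".")
        for ip in filter(None, r["answers"].split(",")):
            resolved[ip] = name
        if name in IP_LOOKUP_DOMAINS:
            alerts.append(Alert(float(r["ts"]), r["src"], "ip_lookup", name))
    for c in parse_tsv(conn_log, CONN_FIELDS):
        if c["proto"] != "tcp" or int(c["dport"]) != EXFIL_SMTP_PORT:
            continue
        name = resolved.get(c["dst"], "")
        # Known exfil host is a confirmed hit; any other workstation SMTP submission is worth a look
        kind = "smtp_exfil" if name == EXFIL_SMTP_HOST else "smtp_submission"
        alerts.append(Alert(float(c["ts"]), c["src"], kind, f"{c['dst']} {name}".strip()))
    return sorted(alerts, key=lambda a: a.ts)


def hosts_with_lookup_then_exfil(alerts: List[Alert]) -> Set[str]:
    """Sources that did an IP lookup and later spoke SMTP to the exfil host."""
    first_lookup: Dict[str, float] = {}
    for a in alerts:
        if a.kind == "ip_lookup":
            first_lookup.setdefault(a.src, a.ts)
    return {a.src for a in alerts
            if a.kind == "smtp_exfil" and a.src in first_lookup and first_lookup[a.src] < a.ts}


if __name__ == "__main__":
    found = detect(SAMPLE_DNS, SAMPLE_CONN)
    for a in found:
        print(f"{a.ts:.1f} {a.src:<10} {a.kind:<16} {a.detail}")
    print("lookup+exfil:", hosts_with_lookup_then_exfil(found))
```

The IP-lookup services are legitimate and noisy on their own; the combination with direct SMTP submission from a workstation is what makes the pairing actionable, so in production the `smtp_submission` branch should exclude the organisation's own mail servers rather than alert on every port-587 flow.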
Drops file in System32 directory 1 IoCs
description                   ioc                                                                                                                              process
File opened for modification  C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk  Powershell.exe
Note the unexpanded %ProgramData% under SysWOW64: this is the 32-bit PowerShell host touching its own Start Menu shortcut path, not a payload drop. Treat this signature as noise for this sample.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
(Generic signature text. This sample is an infostealer, so read the drive enumeration as reconnaissance of attached storage, not as ransomware activity.)
-
Suspicious use of SetThreadContext 1 IoCs
description            pid  process    target pid  target process
set thread context of  944  69577.exe  764         RegAsm.exe
Together with the process list this is the process-hollowing pattern: 69577.exe starts RegAsm.exe with no arguments, writes to it twelve times (see WriteProcessMemory below) and then resets its thread context, and the Snake Keylogger YARA matches are in RegAsm.exe's 0x400000 region. RegAsm.exe is a .NET SDK tool that has no reason to run on a user workstation at all, let alone without arguments.
Drops file in Windows directory 1 IoCs
description                   ioc                              process
File opened for modification  C:\Windows\Debug\WIA\wiatrace.log  WINWORD.EXE
(Word writing its WIA trace log is ordinary Office behaviour; not attributable to the document.)
Program crash 1 IoCs
pid   pid_target  process       target process
2020  944         WerFault.exe  69577.exe
Office loads VBA resources, possible macro or embedded object present
-
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
(The matching process is EQNEDT32.EXE, PID 1872, started with -Embedding; see the process list.)
-
Modifies Internet Explorer settings 9 IoCs
All keys are under \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer and were written by WINWORD.EXE (PID 1832). This is Office 2010 registering its "Send to OneNote" and "Export to Microsoft Excel" IE context-menu handlers, ordinary first-run behaviour rather than something the document does.
description      ioc                                          value
Key created      MenuExt\E&xport to Microsoft Excel
Key created      Toolbar
Set value (str)  Toolbar\ShowDiscussionButton                 "Yes"
Key created      MenuExt
Key created      MenuExt\Se&nd to OneNote
Set value (str)  MenuExt\Se&nd to OneNote\                    "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"
Set value (int)  MenuExt\Se&nd to OneNote\Contexts            "55"
Set value (str)  MenuExt\E&xport to Microsoft Excel\          "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"
Set value (int)  MenuExt\E&xport to Microsoft Excel\Contexts  "1"
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid   process
1832  WINWORD.EXE
-
Suspicious behavior: EnumeratesProcesses 9 IoCs
pid   process         count
752   Powershell.exe  2
764   RegAsm.exe      1
2020  WerFault.exe    6
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
description              pid   process
Token: SeDebugPrivilege  752   Powershell.exe
Token: SeDebugPrivilege  764   RegAsm.exe
Token: SeDebugPrivilege  2020  WerFault.exe
-
Suspicious use of SetWindowsHookEx 2 IoCs
pid   process      count
1832  WINWORD.EXE  2
-
Suspicious use of WriteProcessMemory 28 IoCs
source pid  source process  target pid  target process  writes
1832        WINWORD.EXE     1412        splwow64.exe    4
1872        EQNEDT32.EXE    944         69577.exe       4
944         69577.exe       752         Powershell.exe  4
944         69577.exe       764         RegAsm.exe      12
944         69577.exe       2020        WerFault.exe    4
The four-write pattern recurs for every ordinary child in this run (splwow64.exe, Powershell.exe, WerFault.exe); the twelve writes into RegAsm.exe are the hollowing payload being copied in before SetThreadContext.
Processes
-
1  C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
   "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\RFQSDCL1005C1N5STDFM01.doc"
   - Drops file in Windows directory
   - Modifies Internet Explorer settings
   - Suspicious behavior: AddClipboardFormatListener
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   2  C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
-
1  C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
   "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
   - Blocklisted process makes network request
   - Loads dropped DLL
   - Launches Equation Editor
   - Suspicious use of WriteProcessMemory
   2  C:\Users\Public\69577.exe
      "C:\Users\Public\69577.exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory
      3  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe
         "Powershell.exe" -ExecutionPolicy Bypass -command Copy-Item 'C:\Users\Public\69577.exe' 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\I$s#$lT3ssl.exe'
         - Drops startup file
         - Drops file in System32 directory
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken
      3  C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
         "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken
      3  C:\Windows\SysWOW64\WerFault.exe
         C:\Windows\SysWOW64\WerFault.exe -u -p 944 -s 1132
         - Loads dropped DLL
         - Program crash
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken
EQNEDT32.EXE appears as a second root rather than as a child of WINWORD.EXE because it is COM-activated (the -Embedding switch) by the DCOM launcher, not spawned by Word. A parent/child rule of the form "Office spawns X" therefore never sees this exploit chain; key the rule on EQNEDT32.EXE itself as the parent. Persistence is a plain copy of the dropped binary into the per-user Startup folder under a throwaway name (I$s#$lT3ssl.exe), and the WerFault.exe entry shows 69577.exe itself crashing after it had already hollowed RegAsm.exe, which keeps running the payload.
Downloads
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\5DFWELRG.txt
MD5     fd0b2c83393d3b8c4a9455197dc6580f
SHA1    20044164d120e02d8e9694b405113585d8bb5e27
SHA256  e6c19d92d0bdc2b3199159ea62cd9b672ffca19e9b42768af1c8aed5564ffbc2
SHA512  e4fe315f87d5541de098b0e011609960c3bca05e2b1c3d4aad07572763212c7f8999e2a46094ffb11da962ad0a67988a11de9c1bc8d81bd8fc0a2cf0adb31031
-
C:\Users\Public\69577.exe (also recorded as \Users\Public\69577.exe; the same file is listed eight times in the run, every entry with identical hashes)
MD5     c7b57a6ecc4533c754e1c04789e242d0
SHA1    c252dbd1653bbfc5bb2941b8965c9daf41e066f6
SHA256  8b720e30117cfb204a068bfea7b482d1dfef2966fa32ecc2cabc3fe488674258
SHA512  95c3fff30f403addb4bbd74e86349303d14fa7ffe78c0e511145ac56b7b498842c774ff0e3d8636f3cee9dfb8b7cf4c80ebbce991e2d572afecf3bf593afcac8
-
Memory dumps
Dump files are named memory/<pid>-<idx>-<start>-<end>-memory.dmp (or -mapping.dmp for the address recorded at the mapping step); sizes are as listed in the report. Sorted by PID, then dump index.
pid   idx  range                                   size
752   18   mapping at 0x0000000000000000           -
752   20   0x000000006AB80000-0x000000006B26E000   6.9MB
752   21   0x0000000000960000-0x0000000000961000   4KB
752   22   0x0000000004A10000-0x0000000004A11000   4KB
752   24   0x00000000049D0000-0x00000000049D1000   4KB
752   25   0x00000000049D2000-0x00000000049D3000   4KB
752   30   0x00000000025D0000-0x00000000025D1000   4KB
752   35   0x0000000004980000-0x0000000004981000   4KB
752   41   0x0000000006040000-0x0000000006041000   4KB
752   43   0x000000007EF30000-0x000000007EF31000   4KB
752   47   0x0000000006080000-0x0000000006081000   4KB
752   48   0x0000000006180000-0x0000000006181000   4KB
752   55   0x0000000006280000-0x0000000006281000   4KB
764   27   0x0000000000400000-0x000000000046A000   424KB
764   28   mapping at 0x000000000046460E           -
764   31   0x000000006AB80000-0x000000006B26E000   6.9MB
764   32   0x0000000000400000-0x000000000046A000   424KB
764   36   0x0000000002630000-0x0000000002631000   4KB
944   10   mapping at 0x0000000000000000           -
944   13   0x000000006AB80000-0x000000006B26E000   6.9MB
944   14   0x00000000002F0000-0x00000000002F1000   4KB
944   16   0x0000000004DB0000-0x0000000004DB1000   4KB
944   17   0x0000000004340000-0x00000000043B6000   472KB
944   23   0x0000000004DB5000-0x0000000004DC6000   68KB
944   26   0x00000000004B0000-0x00000000004BF000   60KB
944   34   0x0000000004DC6000-0x0000000004DC7000   4KB
944   38   0x0000000002130000-0x0000000002131000   4KB
1412  5    mapping at 0x0000000000000000           -
1412  6    0x000007FEFB6D1000-0x000007FEFB6D3000   8KB
1700  8    0x000007FEF5D50000-0x000007FEF5FCA000   2.5MB
1832  2    0x00000000721D1000-0x00000000721D4000   12KB
1832  3    0x000000006FC51000-0x000000006FC53000   8KB
1832  4    0x000000005FFF0000-0x0000000060000000   64KB
1872  7    0x0000000075DE1000-0x0000000075DE3000   8KB
2020  56   mapping at 0x0000000000000000           -
2020  57   0x0000000001EC0000-0x0000000001ED1000   68KB
2020  65   0x0000000000440000-0x0000000000441000   4KB
The two 424KB dumps of PID 764 at 0x400000 (idx 27 and 32) are the region the family_snakekeylogger rule matched, and the 0x46460E mapping address lies inside it, consistent with the new entry point set through SetThreadContext. The 6.9MB region at 0x6AB80000 is present at the same address in 752, 764 and 944, so it is a shared module mapping rather than per-process payload.
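When triaging a report like this one, the question is which dump to pull for the unpacked payload and which regions are just shared modules. The following is an added example, not part of the report: it parses the report's own memory-dump listing format (the input lines are copied from the listing above, with the "Filesize" suffix the extraction left attached), checks each listed size against its address range, finds regions that sit at the same address in several processes, and picks out the 0x400000 region in the hollowed RegAsm.exe. The helper names and the Region type are mine.

```python
"""Parse this report's memory-dump listing, sanity-check sizes, and single out
the hollowed image region and the shared module mappings (added example)."""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

MEM_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<idx>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"(?:-0x(?P<end>[0-9A-Fa-f]+))?-(?P<kind>memory|mapping)\.dmp(?:Filesize)?$")
SIZE_RE = re.compile(r"\d+(?:\.\d+)?[KMG]B")

# Lines copied from the report's listing (PIDs 752, 764 and 944 only)
SAMPLE = """\
memory/752-18-0x0000000000000000-mapping.dmp
memory/752-20-0x000000006AB80000-0x000000006B26E000-memory.dmpFilesize
6.9MB
memory/764-28-0x000000000046460E-mapping.dmp
memory/764-27-0x0000000000400000-0x000000000046A000-memory.dmpFilesize
424KB
memory/764-32-0x0000000000400000-0x000000000046A000-memory.dmpFilesize
424KB
memory/764-31-0x000000006AB80000-0x000000006B26E000-memory.dmpFilesize
6.9MB
memory/944-10-0x0000000000000000-mapping.dmp
memory/944-13-0x000000006AB80000-0x000000006B26E000-memory.dmpFilesize
6.9MB
memory/944-17-0x0000000004340000-0x00000000043B6000-memory.dmpFilesize
472KB
memory/944-26-0x00000000004B0000-0x00000000004BF000-memory.dmpFilesize
60KB
"""


@dataclass(frozen=True)
class Region:
    pid: int
    idx: int
    start: int
    end: Optional[int]        # None for mapping dumps, which record a single address
    kind: str                 # "memory" | "mapping"
    listed_size: Optional[str]

    @property
    def size(self) -> int:
        return (self.end - self.start) if self.end is not None else 0


def parse_listing(text: str) -> List[Region]:
    """Pair each dump line with the human-readable size that follows it, if any."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip() and ln.strip() != "-"]
    regions: List[Region] = []
    i = 0
    while i < len(lines):
        m = MEM_RE.match(lines[i])
        if not m:
            raise ValueError(f"unrecognised line: {lines[i]!r}")
        i += 1
        listed = None
        if i < len(lines) and SIZE_RE.fullmatch(lines[i]):
            listed, i = lines[i], i + 1
        regions.append(Region(int(m["pid"]), int(m["idx"]), int(m["start"], 16),
                              int(m["end"], 16) if m["end"] else None, m["kind"], listed))
    return regions


def size_matches(r: Region) -> bool:
    """Listed size vs. address range: KB rounded to an integer, MB to one decimal."""
    if r.listed_size is None:
        return r.kind == "mapping"
    num, unit = float(r.listed_size[:-2]), r.listed_size[-2:]
    if unit == "KB":
        return round(r.size / 1024) == num
    return round(r.size / 1024 ** 2, 1) == num


def shared_ranges(regions: List[Region]) -> Dict[Tuple[int, int], Set[int]]:
    """Ranges dumped at the same address from more than one PID: shared modules, not payload."""
    seen: Dict[Tuple[int, int], Set[int]] = defaultdict(set)
    for r in regions:
        if r.kind == "memory" and r.end is not None:
            seen[(r.start, r.end)].add(r.pid)
    return {k: v for k, v in seen.items() if len(v) > 1}


def hollowed_image(regions: List[Region], pid: int) -> Optional[Region]:
    """First dump based at 0x400000 in pid, the usual image base of a 32-bit PE written into a host."""
    for r in sorted(regions, key=lambda x: x.idx):
        if r.pid == pid and r.kind == "memory" and r.start == 0x400000:
            return r
    return None


if __name__ == "__main__":
    regs = parse_listing(SAMPLE)
    print("size mismatches:", [r.idx for r in regs if not size_matches(r)])
    print("shared:", {f"{s:#x}-{e:#x}": sorted(p) for (s, e), p in shared_ranges(regs).items()})
    print("payload:", hollowed_image(regs, 764))
```

Run against the listing, this points at memory/764-27-0x0000000000400000-0x000000000046A000-memory.dmp as the file to carve the unpacked Snake Keylogger from, and confirms that 69577.exe (PID 944) itself holds no 0x400000 dump, which matches the YARA hits being confined to RegAsm.exe.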