Analysis
- max time kernel: 123s
- max time network: 122s
- platform: windows7_x64
- resource: win7v20210410
- submitted: 19-04-2021 10:52

Static task: static1
Behavioral task: behavioral1
  Sample: Purchase Order From Hanon systems Ltd.doc.rtf
  Resource: win7v20210410
Behavioral task: behavioral2
  Sample: Purchase Order From Hanon systems Ltd.doc.rtf
  Resource: win10v20210410

General
- Target: Purchase Order From Hanon systems Ltd.doc.rtf
- Size: 1.2MB
- MD5: d9a7f66522882d74a20738f1c3d2681f
- SHA1: b5a13dea22b2da04d1147c292f1f8d8ac39d777d
- SHA256: 777f7cc25c596f6617f5750b2ef83ab0c5b439fac67153224290e83aceca9214
- SHA512: 74f5ea5ee011c243fed3d94f15382e51e09705ac890767e11954978e5b81d56c2f9d233fb59052d2828516dd50e919355a51af134179ad392bb14f6c43eac916
Malware Config
Extracted: snakekeylogger
- Protocol: smtp
- Host: nobettwo.xyz
- Port: 587
- Username: [email protected]
- Password: O^1)7]oEv=*a
Signatures

- Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  Processes: 69577.exe
    Set value (str)  \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,\"C:\\Users\\Admin\\AppData\\Local\\.notepad.exe\","  (69577.exe)

- Snake Keylogger
  Keylogger and Infostealer first seen in November 2020.

- Snake Keylogger Payload (3 IoCs)
  Resource / YARA rule:
    behavioral1/memory/1896-75-0x0000000000400000-0x000000000046A000-memory.dmp  family_snakekeylogger
    behavioral1/memory/1896-76-0x000000000046475E-mapping.dmp  family_snakekeylogger
    behavioral1/memory/1896-79-0x0000000000400000-0x000000000046A000-memory.dmp  family_snakekeylogger
- Blocklisted process makes network request (2 IoCs)
  Processes: EQNEDT32.EXE
    flow 7  pid 1692  EQNEDT32.EXE
    flow 9  pid 1692  EQNEDT32.EXE

- Executes dropped EXE (2 IoCs)
  Processes: 69577.exe, 69577.exe
    pid 1208  69577.exe
    pid 1896  69577.exe

- Loads dropped DLL (2 IoCs)
  Processes: EQNEDT32.EXE, 69577.exe
    pid 1692  EQNEDT32.EXE
    pid 1208  69577.exe

- Looks up external IP address via web service (3 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
    flow 14  checkip.dyndns.org
    flow 17  freegeoip.app
    flow 18  freegeoip.app

- Suspicious use of SetThreadContext (1 IoC)
  Processes: 69577.exe
    PID 1208 set thread context of 1896  (69577.exe -> 69577.exe)

- Drops file in Windows directory (1 IoC)
  Processes: WINWORD.EXE
    File opened for modification  C:\Windows\Debug\WIA\wiatrace.log  (WINWORD.EXE)

- Office loads VBA resources, possible macro or embedded object present
- Launches Equation Editor (1 TTPs, 1 IoC)
  Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

- Modifies Internet Explorer settings
  Processes: WINWORD.EXE
  All keys below are under \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer
    Set value (int)  MenuExt\Se&nd to OneNote\Contexts = "55"  (WINWORD.EXE)
    Key created      MenuExt\E&xport to Microsoft Excel  (WINWORD.EXE)
    Set value (str)  Toolbar\ShowDiscussionButton = "Yes"  (WINWORD.EXE)
    Key created      MenuExt\Se&nd to OneNote  (WINWORD.EXE)
    Set value (str)  MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"  (WINWORD.EXE)
    Set value (int)  MenuExt\E&xport to Microsoft Excel\Contexts = "1"  (WINWORD.EXE)
    Key created      Toolbar  (WINWORD.EXE)
    Key created      MenuExt  (WINWORD.EXE)
    Set value (str)  MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"  (WINWORD.EXE)
- Suspicious behavior: AddClipboardFormatListener (1 IoC)
  Processes: WINWORD.EXE
    pid 1240  WINWORD.EXE

- Suspicious behavior: EnumeratesProcesses (3 IoCs)
  Processes: 69577.exe, 69577.exe
    pid 1208  69577.exe
    pid 1208  69577.exe
    pid 1896  69577.exe

- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes: 69577.exe, 69577.exe
    Token: SeDebugPrivilege  pid 1208  69577.exe
    Token: SeDebugPrivilege  pid 1896  69577.exe

- Suspicious use of SetWindowsHookEx (2 IoCs)
  Processes: WINWORD.EXE
    pid 1240  WINWORD.EXE
    pid 1240  WINWORD.EXE

- Suspicious use of WriteProcessMemory (17 IoCs)
  Processes: WINWORD.EXE, EQNEDT32.EXE, 69577.exe
    PID 1240 wrote to memory of 1136  WINWORD.EXE -> splwow64.exe  (4 entries)
    PID 1692 wrote to memory of 1208  EQNEDT32.EXE -> 69577.exe  (4 entries)
    PID 1208 wrote to memory of 1896  69577.exe -> 69577.exe  (9 entries)
Processes

- C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
  "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Purchase Order From Hanon systems Ltd.doc.rtf"
  - Drops file in Windows directory
  - Modifies Internet Explorer settings
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  - C:\Windows\splwow64.exe
    C:\Windows\splwow64.exe 12288

- C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
  "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
  - Blocklisted process makes network request
  - Loads dropped DLL
  - Launches Equation Editor
  - Suspicious use of WriteProcessMemory

  - C:\Users\Public\69577.exe
    "C:\Users\Public\69577.exe"
    - Modifies WinLogon for persistence
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    - C:\Users\Admin\AppData\Local\Temp\69577.exe
      C:\Users\Admin\AppData\Local\Temp\69577.exe
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
Downloads

- C:\Users\Admin\AppData\Local\Temp\69577.exe  (also recorded as \Users\Admin\AppData\Local\Temp\69577.exe)
  MD5: a4326b69873c799207e4c9d30c2ed3ac
  SHA1: ee9d604c54a4450a6bfa071a2f23aaae5114e680
  SHA256: 0299ed3db28516997c3a162def5ee464a25485241b4eb8cf2a0d3f21fd498f72
  SHA512: f26a406e6b7de5e93c70024fb6642140598eebba38ebc79a3f81219a68a29dbec06f67b716faffc67be0a0f6c3378ca9218f9edbd8e74374d2e0e8ef096d6330

- C:\Users\Public\69577.exe  (also recorded as \Users\Public\69577.exe)
  MD5: a4326b69873c799207e4c9d30c2ed3ac
  SHA1: ee9d604c54a4450a6bfa071a2f23aaae5114e680
  SHA256: 0299ed3db28516997c3a162def5ee464a25485241b4eb8cf2a0d3f21fd498f72
  SHA512: f26a406e6b7de5e93c70024fb6642140598eebba38ebc79a3f81219a68a29dbec06f67b716faffc67be0a0f6c3378ca9218f9edbd8e74374d2e0e8ef096d6330
- memory/1136-63-0x000007FEFB591000-0x000007FEFB593000-memory.dmp  (8KB)
- memory/1136-62-0x0000000000000000-mapping.dmp
- memory/1208-66-0x0000000000000000-mapping.dmp
- memory/1208-69-0x0000000000C70000-0x0000000000C71000-memory.dmp  (4KB)
- memory/1208-71-0x0000000000500000-0x0000000000501000-memory.dmp  (4KB)
- memory/1208-72-0x0000000000230000-0x0000000000232000-memory.dmp  (8KB)
- memory/1208-73-0x00000000021A0000-0x00000000021E2000-memory.dmp  (264KB)
- memory/1240-59-0x0000000072141000-0x0000000072144000-memory.dmp  (12KB)
- memory/1240-61-0x000000005FFF0000-0x0000000060000000-memory.dmp  (64KB)
- memory/1240-82-0x000000005FFF0000-0x0000000060000000-memory.dmp  (64KB)
- memory/1240-60-0x000000006FBC1000-0x000000006FBC3000-memory.dmp  (8KB)
- memory/1692-64-0x00000000752B1000-0x00000000752B3000-memory.dmp  (8KB)
- memory/1896-76-0x000000000046475E-mapping.dmp
- memory/1896-79-0x0000000000400000-0x000000000046A000-memory.dmp  (424KB)
- memory/1896-81-0x0000000004900000-0x0000000004901000-memory.dmp  (4KB)
- memory/1896-75-0x0000000000400000-0x000000000046A000-memory.dmp  (424KB)