snakekeylogger | 777f7cc25c596f6617f5750b2ef83ab0c5b439fac67153224290e83aceca9214

General

Target

Purchase Order From Hanon systems Ltd.doc.rtf
Size

1.2MB
MD5

d9a7f66522882d74a20738f1c3d2681f
SHA1

b5a13dea22b2da04d1147c292f1f8d8ac39d777d
SHA256

777f7cc25c596f6617f5750b2ef83ab0c5b439fac67153224290e83aceca9214
SHA512

74f5ea5ee011c243fed3d94f15382e51e09705ac890767e11954978e5b81d56c2f9d233fb59052d2828516dd50e919355a51af134179ad392bb14f6c43eac916

Score

10^/10

snakekeylogger keylogger persistence stealer

Malware Config

Extracted

Family

snakekeylogger

Credentials

Protocol: smtp
Host:
nobettwo.xyz
Port:
587
Username:
[email protected]
Password:
O^1)7]oEv=*a

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

69577.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,\"C:\\Users\\Admin\\AppData\\Local\\.notepad.exe\","	69577.exe

Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
stealer keylogger snakekeylogger

Snake Keylogger Payload 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1896-75-0x0000000000400000-0x000000000046A000-memory.dmp	family_snakekeylogger
behavioral1/memory/1896-76-0x000000000046475E-mapping.dmp	family_snakekeylogger
behavioral1/memory/1896-79-0x0000000000400000-0x000000000046A000-memory.dmp	family_snakekeylogger

Blocklisted process makes network request 2 IoCs

Processes:

EQNEDT32.EXE

flow pid process

7 1692 EQNEDT32.EXE
9 1692 EQNEDT32.EXE
Executes dropped EXE 2 IoCs

Processes:

69577.exe69577.exe

pid process

1208 69577.exe
1896 69577.exe
Loads dropped DLL 2 IoCs

Processes:

EQNEDT32.EXE69577.exe

pid process

1692 EQNEDT32.EXE
1208 69577.exe
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

14 checkip.dyndns.org
17 freegeoip.app
18 freegeoip.app
Suspicious use of SetThreadContext 1 IoCs

Processes:

69577.exe

description pid process target process

PID 1208 set thread context of 1896 1208 69577.exe 69577.exe
Drops file in Windows directory 1 IoCs

Processes:

WINWORD.EXE

description ioc process

File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE
Office loads VBA resources, possible macro or embedded object present
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
exploit

Exploitation for Client Execution
T1203

Processes:

EQNEDT32.EXE

pid process

1692 EQNEDT32.EXE

flow	pid	process
7	1692	EQNEDT32.EXE
9	1692	EQNEDT32.EXE

pid	process
1208	69577.exe
1896	69577.exe

pid	process
1692	EQNEDT32.EXE
1208	69577.exe

flow	ioc
14	checkip.dyndns.org
17	freegeoip.app
18	freegeoip.app

description	pid	process	target process
PID 1208 set thread context of 1896	1208	69577.exe	69577.exe

description	ioc	process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

pid	process
1692	EQNEDT32.EXE

Modifies Internet Explorer settings 1 TTPs 9 IoCs

adware spyware

Modify Registry

T1112

Processes:

WINWORD.EXE

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

WINWORD.EXE

pid process

1240 WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

69577.exe69577.exe

pid process

1208 69577.exe
1208 69577.exe
1896 69577.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

69577.exe69577.exe

description pid process

Token: SeDebugPrivilege 1208 69577.exe
Token: SeDebugPrivilege 1896 69577.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

WINWORD.EXE

pid process

1240 WINWORD.EXE
1240 WINWORD.EXE

pid	process
1240	WINWORD.EXE

pid	process
1208	69577.exe
1208	69577.exe
1896	69577.exe

description	pid	process
Token: SeDebugPrivilege	1208	69577.exe
Token: SeDebugPrivilege	1896	69577.exe

pid	process
1240	WINWORD.EXE
1240	WINWORD.EXE

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

WINWORD.EXEEQNEDT32.EXE69577.exe

description	pid	process	target process
PID 1240 wrote to memory of 1136	1240	WINWORD.EXE	splwow64.exe
PID 1240 wrote to memory of 1136	1240	WINWORD.EXE	splwow64.exe
PID 1240 wrote to memory of 1136	1240	WINWORD.EXE	splwow64.exe
PID 1240 wrote to memory of 1136	1240	WINWORD.EXE	splwow64.exe
PID 1692 wrote to memory of 1208	1692	EQNEDT32.EXE	69577.exe
PID 1692 wrote to memory of 1208	1692	EQNEDT32.EXE	69577.exe
PID 1692 wrote to memory of 1208	1692	EQNEDT32.EXE	69577.exe
PID 1692 wrote to memory of 1208	1692	EQNEDT32.EXE	69577.exe
PID 1208 wrote to memory of 1896	1208	69577.exe	69577.exe
PID 1208 wrote to memory of 1896	1208	69577.exe	69577.exe
PID 1208 wrote to memory of 1896	1208	69577.exe	69577.exe
PID 1208 wrote to memory of 1896	1208	69577.exe	69577.exe
PID 1208 wrote to memory of 1896	1208	69577.exe	69577.exe
PID 1208 wrote to memory of 1896	1208	69577.exe	69577.exe
PID 1208 wrote to memory of 1896	1208	69577.exe	69577.exe
PID 1208 wrote to memory of 1896	1208	69577.exe	69577.exe
PID 1208 wrote to memory of 1896	1208	69577.exe	69577.exe

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Purchase Order From Hanon systems Ltd.doc.rtf"
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1240

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
2⤵
PID:1136

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:1692

C:\Users\Public\69577.exe
"C:\Users\Public\69577.exe"
2⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1208

C:\Users\Admin\AppData\Local\Temp\69577.exe
C:\Users\Admin\AppData\Local\Temp\69577.exe
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1896

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Exploitation for Client Execution

1

T1203

Persistence

Winlogon Helper DLL

1

T1004

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\69577.exe
MD5
a4326b69873c799207e4c9d30c2ed3ac

SHA1
ee9d604c54a4450a6bfa071a2f23aaae5114e680

SHA256
0299ed3db28516997c3a162def5ee464a25485241b4eb8cf2a0d3f21fd498f72

SHA512
f26a406e6b7de5e93c70024fb6642140598eebba38ebc79a3f81219a68a29dbec06f67b716faffc67be0a0f6c3378ca9218f9edbd8e74374d2e0e8ef096d6330

Download Submit
C:\Users\Admin\AppData\Local\Temp\69577.exe
MD5
a4326b69873c799207e4c9d30c2ed3ac

SHA1
ee9d604c54a4450a6bfa071a2f23aaae5114e680

SHA256
0299ed3db28516997c3a162def5ee464a25485241b4eb8cf2a0d3f21fd498f72

SHA512
f26a406e6b7de5e93c70024fb6642140598eebba38ebc79a3f81219a68a29dbec06f67b716faffc67be0a0f6c3378ca9218f9edbd8e74374d2e0e8ef096d6330

Download Submit
C:\Users\Public\69577.exe
MD5
a4326b69873c799207e4c9d30c2ed3ac

SHA1
ee9d604c54a4450a6bfa071a2f23aaae5114e680

SHA256
0299ed3db28516997c3a162def5ee464a25485241b4eb8cf2a0d3f21fd498f72

SHA512
f26a406e6b7de5e93c70024fb6642140598eebba38ebc79a3f81219a68a29dbec06f67b716faffc67be0a0f6c3378ca9218f9edbd8e74374d2e0e8ef096d6330

Download Submit
C:\Users\Public\69577.exe
MD5
a4326b69873c799207e4c9d30c2ed3ac

SHA1
ee9d604c54a4450a6bfa071a2f23aaae5114e680

SHA256
0299ed3db28516997c3a162def5ee464a25485241b4eb8cf2a0d3f21fd498f72

SHA512
f26a406e6b7de5e93c70024fb6642140598eebba38ebc79a3f81219a68a29dbec06f67b716faffc67be0a0f6c3378ca9218f9edbd8e74374d2e0e8ef096d6330

Download Submit
\Users\Admin\AppData\Local\Temp\69577.exe
MD5
a4326b69873c799207e4c9d30c2ed3ac

SHA1
ee9d604c54a4450a6bfa071a2f23aaae5114e680

SHA256
0299ed3db28516997c3a162def5ee464a25485241b4eb8cf2a0d3f21fd498f72

SHA512
f26a406e6b7de5e93c70024fb6642140598eebba38ebc79a3f81219a68a29dbec06f67b716faffc67be0a0f6c3378ca9218f9edbd8e74374d2e0e8ef096d6330

Download Submit
\Users\Public\69577.exe
MD5
a4326b69873c799207e4c9d30c2ed3ac

SHA1
ee9d604c54a4450a6bfa071a2f23aaae5114e680

SHA256
0299ed3db28516997c3a162def5ee464a25485241b4eb8cf2a0d3f21fd498f72

SHA512
f26a406e6b7de5e93c70024fb6642140598eebba38ebc79a3f81219a68a29dbec06f67b716faffc67be0a0f6c3378ca9218f9edbd8e74374d2e0e8ef096d6330

Download Submit
memory/1136-63-0x000007FEFB591000-0x000007FEFB593000-memory.dmp

Filesize
8KB

Download
memory/1136-62-0x0000000000000000-mapping.dmp

Download
memory/1208-66-0x0000000000000000-mapping.dmp

Download
memory/1208-69-0x0000000000C70000-0x0000000000C71000-memory.dmp

Filesize
4KB

Download
memory/1208-71-0x0000000000500000-0x0000000000501000-memory.dmp

Filesize
4KB

Download
memory/1208-72-0x0000000000230000-0x0000000000232000-memory.dmp

Filesize
8KB

Download
memory/1208-73-0x00000000021A0000-0x00000000021E2000-memory.dmp

Filesize
264KB

Download
memory/1240-59-0x0000000072141000-0x0000000072144000-memory.dmp

Filesize
12KB

Download
memory/1240-61-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1240-82-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1240-60-0x000000006FBC1000-0x000000006FBC3000-memory.dmp

Filesize
8KB

Download
memory/1692-64-0x00000000752B1000-0x00000000752B3000-memory.dmp

Filesize
8KB

Download
memory/1896-76-0x000000000046475E-mapping.dmp

Download
memory/1896-79-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/1896-81-0x0000000004900000-0x0000000004901000-memory.dmp

Filesize
4KB

Download
memory/1896-75-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads