Analysis

- max time kernel: 123s
- max time network: 148s
- platform: windows7_x64
- resource: win7v20210410
- submitted: 22-07-2021 04:49

Static task: static1

Behavioral task: behavioral1
- Sample: ATTACHMENTS.xlsx
- Resource: win7v20210410

Behavioral task: behavioral2
- Sample: ATTACHMENTS.xlsx
- Resource: win10v20210408
General

- Target: ATTACHMENTS.xlsx
- Size: 713KB
- MD5: c24c99e3c4a213b7356d63e5646d4457
- SHA1: 7edbbb43143714139acdc66057b4fa884c8fdb07
- SHA256: dc0a3e25871596a368e26566d77da6de8c0a4edb43750fe617bb5036758f0ae7
- SHA512: e220612c7d9701c9397d8d69c86ed492e11f3d2b7b43169a59245bd38a92d25c779d71f872d0e7abe2906e6df69cc8629c2a8447d3534a89afe6a65b0d1a1624
Malware Config

Extracted: snakekeylogger
- Protocol: smtp
- Host: mail.privateemail.com
- Port: 587
- Username: [email protected]
- Password: )||LHNUQ5wgcszg
Signatures

- Snake Keylogger
  Keylogger and Infostealer first seen in November 2020.

- Blocklisted process makes network request (1 IoC)
  Processes:
    flow  pid   process
    4     1012  EQNEDT32.EXE

- Downloads MZ/PE file

- Executes dropped EXE (2 IoCs)
  Processes:
    pid   process
    1056  ABM.exe
    1532  ABM.exe

- Loads dropped DLL (1 IoC)
  Processes:
    pid   process
    1012  EQNEDT32.EXE

- Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.

- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk, where infostealers often target it.

- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials.

- Looks up external IP address via web service (3 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes:
    flow  ioc
    7     checkip.dyndns.org
    10    freegeoip.app
    11    freegeoip.app

- Suspicious use of SetThreadContext (1 IoC)
  Processes:
    description                          pid   process  target process
    PID 1056 set thread context of 1532  1056  ABM.exe  ABM.exe

- Enumerates system info in registry (2 TTPs, 1 IoC)
  Processes:
    description  ioc                                                                process
    Key opened   \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor  EXCEL.EXE

- Launches Equation Editor (1 TTP, 1 IoC)
  Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

- Modifies Internet Explorer settings
  Processes (all by EXCEL.EXE):
    Set value (int)  \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"
    Key created      \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote
    Set value (str)  \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"
    Key created      \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel
    Set value (str)  \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"
    Key created      \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Toolbar
    Set value (str)  \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"
    Key created      \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt
    Set value (int)  \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"
- Suspicious behavior: AddClipboardFormatListener (1 IoC)
  Processes:
    pid   process
    1640  EXCEL.EXE

- Suspicious behavior: EnumeratesProcesses (1 IoC)
  Processes:
    pid   process
    1532  ABM.exe

- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
    description              pid   process
    Token: SeDebugPrivilege  1532  ABM.exe

- Suspicious use of SetWindowsHookEx (4 IoCs)
  Processes:
    pid   process
    1640  EXCEL.EXE  (3 entries)
    1532  ABM.exe

- Suspicious use of WriteProcessMemory (17 IoCs)
  Processes:
    description                       pid   process       target process
    PID 1012 wrote to memory of 1056  1012  EQNEDT32.EXE  ABM.exe        (4 entries)
    PID 1640 wrote to memory of 568   1640  EXCEL.EXE     splwow64.exe   (4 entries)
    PID 1056 wrote to memory of 1532  1056  ABM.exe       ABM.exe        (9 entries)
Processes

- C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
  Command line: "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\ATTACHMENTS.xlsx
  - Enumerates system info in registry
  - Modifies Internet Explorer settings
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  - C:\Windows\splwow64.exe
    Command line: C:\Windows\splwow64.exe 12288

- C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
  Command line: "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
  - Blocklisted process makes network request
  - Loads dropped DLL
  - Launches Equation Editor
  - Suspicious use of WriteProcessMemory

  - C:\Users\Admin\AppData\Roaming\ABM.exe
    Command line: "C:\Users\Admin\AppData\Roaming\ABM.exe"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory

    - C:\Users\Admin\AppData\Roaming\ABM.exe
      Command line: "{path}"
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
Downloads

- C:\Users\Admin\AppData\Roaming\ABM.exe
  MD5: 861d4c30488d52de306745a26c1632b5
  SHA1: 3556239b01334c0075772f3a30d86c15a9ba6b99
  SHA256: 873297f71853c2a64de00af2cd2073178b4e1261d3f0cbefd6648bea21d7fbd3
  SHA512: e6d8264e5305989ed48a5600f1e9cd2a1ffe230626a69b07bbaff8003485e3f867b2ceeabcf435201c517d9ea9b4cd60959036570257c4e4d9acb3e4a69cbe80
- memory/568-68-0x0000000000000000-mapping.dmp
- memory/568-70-0x000007FEFB881000-0x000007FEFB883000-memory.dmp (8KB)
- memory/1012-63-0x0000000075631000-0x0000000075633000-memory.dmp (8KB)
- memory/1056-65-0x0000000000000000-mapping.dmp
- memory/1056-71-0x0000000000560000-0x0000000000561000-memory.dmp (4KB)
- memory/1056-72-0x0000000000561000-0x0000000000562000-memory.dmp (4KB)
- memory/1532-73-0x0000000000400000-0x0000000000448000-memory.dmp (288KB)
- memory/1532-74-0x000000000044320E-mapping.dmp
- memory/1532-77-0x00000000001D0000-0x00000000001D1000-memory.dmp (4KB)
- memory/1640-62-0x000000005FFF0000-0x0000000060000000-memory.dmp (64KB)
- memory/1640-60-0x000000002F441000-0x000000002F444000-memory.dmp (12KB)
- memory/1640-61-0x0000000071081000-0x0000000071083000-memory.dmp (8KB)
- memory/1640-78-0x000000005FFF0000-0x0000000060000000-memory.dmp (64KB)