Analysis
max time kernel: 101s
max time network: 124s
platform: windows7_x64
resource: win7v20210408
submitted: 27-07-2021 09:04

Static task: static1

Behavioral task: behavioral1
  Sample: UPDATED SOA.xlsx
  Resource: win7v20210408

Behavioral task: behavioral2
  Sample: UPDATED SOA.xlsx
  Resource: win10v20210410
General
Target: UPDATED SOA.xlsx
Size: 705KB
MD5: b1403a9cdf7a6c5ec38bc61a8881be15
SHA1: effc46e294614dc6aadc226adbc08b1bca2c141c
SHA256: ac377dab041224657325256e5549adf0243175a11b4679386bfc28b8ad9d232d
SHA512: a2c6127624f1ca9880cce10c222d956f04894e4a724693f69ac788d3471f8cd01522f6a17b89c79f921b83cf0d722ab7a04841f816fca4ad955122627f5d220f
Malware Config
Extracted: snakekeylogger
Protocol: smtp
Host: mail.privateemail.com
Port: 587
Username: nnamdi@keithwilliamgroup.com
Password: )||LHNUQ5wgcszg
Signatures

Snake Keylogger
Keylogger and Infostealer first seen in November 2020.

Blocklisted process makes network request (1 IoC)
Processes:
  flow 4, PID 600, EQNEDT32.EXE

Downloads MZ/PE file

Executes dropped EXE (2 IoCs)
Processes:
  PID 1432, CLM.exe
  PID 1688, CLM.exe

Loads dropped DLL (5 IoCs)
Processes:
  PID 600, EQNEDT32.EXE
  PID 600, EQNEDT32.EXE
  PID 2004, dw20.exe
  PID 2004, dw20.exe
  PID 2004, dw20.exe

Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
  flow 7, IoC checkip.dyndns.org

Suspicious use of SetThreadContext (1 IoC)
Processes:
  PID 1432 (CLM.exe) set thread context of PID 1688 (CLM.exe)

Enumerates system info in registry (2 TTPs, 1 IoC)
Processes:
  Key opened: \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor (EXCEL.EXE)
Launches Equation Editor (1 TTPs, 1 IoC)
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

Modifies Internet Explorer settings
Processes:
  Set value (int): \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" (EXCEL.EXE)
  Key created: \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel (EXCEL.EXE)
  Set value (str): \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" (EXCEL.EXE)
  Set value (int): \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" (EXCEL.EXE)
  Key created: \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote (EXCEL.EXE)
  Set value (str): \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" (EXCEL.EXE)
  Key created: \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt (EXCEL.EXE)
  Key created: \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Toolbar (EXCEL.EXE)
  Set value (str): \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" (EXCEL.EXE)
Suspicious behavior: AddClipboardFormatListener (1 IoC)
Processes:
  PID 736, EXCEL.EXE

Suspicious behavior: EnumeratesProcesses (1 IoC)
Processes:
  PID 1688, CLM.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
  Token: SeDebugPrivilege, PID 1688, CLM.exe

Suspicious use of SetWindowsHookEx (3 IoCs)
Processes:
  PID 736, EXCEL.EXE
  PID 736, EXCEL.EXE
  PID 736, EXCEL.EXE

Suspicious use of WriteProcessMemory (21 IoCs)
Processes:
  PID 600 (EQNEDT32.EXE) wrote to memory of PID 1432 (CLM.exe): 4 events
  PID 736 (EXCEL.EXE) wrote to memory of PID 1692 (splwow64.exe): 4 events
  PID 1432 (CLM.exe) wrote to memory of PID 1688 (CLM.exe): 9 events
  PID 1688 (CLM.exe) wrote to memory of PID 2004 (dw20.exe): 4 events
Processes (indented by depth in the process tree)

[1] C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
    cmd: "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde "C:\Users\Admin\AppData\Local\Temp\UPDATED SOA.xlsx"
    - Enumerates system info in registry
    - Modifies Internet Explorer settings
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    [2] C:\Windows\splwow64.exe
        cmd: C:\Windows\splwow64.exe 12288

[1] C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
    cmd: "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
    - Blocklisted process makes network request
    - Loads dropped DLL
    - Launches Equation Editor
    - Suspicious use of WriteProcessMemory

    [2] C:\Users\Admin\AppData\Roaming\CLM.exe
        cmd: "C:\Users\Admin\AppData\Roaming\CLM.exe"
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - Suspicious use of WriteProcessMemory

        [3] C:\Users\Admin\AppData\Roaming\CLM.exe
            cmd: "{path}"
            - Executes dropped EXE
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory

            [4] C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
                cmd: dw20.exe -x -s 960
                - Loads dropped DLL
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads

C:\Users\Admin\AppData\Roaming\CLM.exe
  MD5: 4ff2f77e4d4cf8207749dd70205c6551
  SHA1: 4f28db25dc9b18f918d9fa74ae85b549a4128e29
  SHA256: 2b2b2d652f0df53f1bdf4eead3ef92831132eacfef595043033d375dfe91c8ef
  SHA512: 31b19d87be54214de05cf27ffddbbc6f3f233b86bc5057517da1d11419fb8ecd3bd5b9930171dbbb8984792382915c089a38a34a66538940cde662ee8684335c
memory/600-63-0x0000000075891000-0x0000000075893000-memory.dmp (8KB)
memory/736-85-0x000000005FFF0000-0x0000000060000000-memory.dmp (64KB)
memory/736-60-0x000000002FBD1000-0x000000002FBD4000-memory.dmp (12KB)
memory/736-61-0x00000000716A1000-0x00000000716A3000-memory.dmp (8KB)
memory/736-62-0x000000005FFF0000-0x0000000060000000-memory.dmp (64KB)
memory/1432-71-0x00000000004C0000-0x00000000004C1000-memory.dmp (4KB)
memory/1432-73-0x00000000004C1000-0x00000000004C2000-memory.dmp (4KB)
memory/1432-66-0x0000000000000000-mapping.dmp
memory/1688-74-0x0000000000400000-0x0000000000448000-memory.dmp (288KB)
memory/1688-75-0x000000000044320E-mapping.dmp
memory/1688-78-0x0000000000500000-0x0000000000501000-memory.dmp (4KB)
memory/1692-69-0x0000000000000000-mapping.dmp
memory/1692-72-0x000007FEFBEA1000-0x000007FEFBEA3000-memory.dmp (8KB)
memory/2004-79-0x0000000000000000-mapping.dmp
memory/2004-84-0x0000000001E10000-0x0000000001E11000-memory.dmp (4KB)