snakekeylogger | ac377dab041224657325256e5549adf0243175a11b4679386bfc28b8ad9d232d

General

Target

UPDATED SOA.xlsx
Size

705KB
MD5

b1403a9cdf7a6c5ec38bc61a8881be15
SHA1

effc46e294614dc6aadc226adbc08b1bca2c141c
SHA256

ac377dab041224657325256e5549adf0243175a11b4679386bfc28b8ad9d232d
SHA512

a2c6127624f1ca9880cce10c222d956f04894e4a724693f69ac788d3471f8cd01522f6a17b89c79f921b83cf0d722ab7a04841f816fca4ad955122627f5d220f

Score

10^/10

snakekeylogger keylogger stealer

Malware Config

Extracted

Family

snakekeylogger

Credentials

Protocol: smtp
Host:
mail.privateemail.com
Port:
587
Username:
nnamdi@keithwilliamgroup.com
Password:
)||LHNUQ5wgcszg

Signatures

Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
stealer keylogger snakekeylogger
Blocklisted process makes network request 1 IoCs

Processes:

EQNEDT32.EXE

flow pid process

4 600 EQNEDT32.EXE
Downloads MZ/PE file
Executes dropped EXE 2 IoCs

Processes:

CLM.exeCLM.exe

pid process

1432 CLM.exe
1688 CLM.exe
Loads dropped DLL 5 IoCs

Processes:

EQNEDT32.EXEdw20.exe

pid process

600 EQNEDT32.EXE
600 EQNEDT32.EXE
2004 dw20.exe
2004 dw20.exe
2004 dw20.exe
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

7 checkip.dyndns.org
Suspicious use of SetThreadContext 1 IoCs

Processes:

CLM.exe

description pid process target process

PID 1432 set thread context of 1688 1432 CLM.exe CLM.exe
Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry
T1012

System Information Discovery
T1082

Processes:

EXCEL.EXE

description ioc process

Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor EXCEL.EXE
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
exploit

Exploitation for Client Execution
T1203

Processes:

EQNEDT32.EXE

pid process

600 EQNEDT32.EXE

flow	pid	process
4	600	EQNEDT32.EXE

pid	process
1432	CLM.exe
1688	CLM.exe

pid	process
600	EQNEDT32.EXE
600	EQNEDT32.EXE
2004	dw20.exe
2004	dw20.exe
2004	dw20.exe

flow	ioc
7	checkip.dyndns.org

description	pid	process	target process
PID 1432 set thread context of 1688	1432	CLM.exe	CLM.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

pid	process
600	EQNEDT32.EXE

Modifies Internet Explorer settings 1 TTPs 9 IoCs

adware spyware

Modify Registry

T1112

Processes:

EXCEL.EXE

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Toolbar	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

736 EXCEL.EXE
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

CLM.exe

pid process

1688 CLM.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

CLM.exe

description pid process

Token: SeDebugPrivilege 1688 CLM.exe
Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

EXCEL.EXE

pid process

736 EXCEL.EXE
736 EXCEL.EXE
736 EXCEL.EXE

pid	process
736	EXCEL.EXE

pid	process
1688	CLM.exe

description	pid	process
Token: SeDebugPrivilege	1688	CLM.exe

pid	process
736	EXCEL.EXE
736	EXCEL.EXE
736	EXCEL.EXE

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

EQNEDT32.EXEEXCEL.EXECLM.exeCLM.exe

description	pid	process	target process
PID 600 wrote to memory of 1432	600	EQNEDT32.EXE	CLM.exe
PID 600 wrote to memory of 1432	600	EQNEDT32.EXE	CLM.exe
PID 600 wrote to memory of 1432	600	EQNEDT32.EXE	CLM.exe
PID 600 wrote to memory of 1432	600	EQNEDT32.EXE	CLM.exe
PID 736 wrote to memory of 1692	736	EXCEL.EXE	splwow64.exe
PID 736 wrote to memory of 1692	736	EXCEL.EXE	splwow64.exe
PID 736 wrote to memory of 1692	736	EXCEL.EXE	splwow64.exe
PID 736 wrote to memory of 1692	736	EXCEL.EXE	splwow64.exe
PID 1432 wrote to memory of 1688	1432	CLM.exe	CLM.exe
PID 1432 wrote to memory of 1688	1432	CLM.exe	CLM.exe
PID 1432 wrote to memory of 1688	1432	CLM.exe	CLM.exe
PID 1432 wrote to memory of 1688	1432	CLM.exe	CLM.exe
PID 1432 wrote to memory of 1688	1432	CLM.exe	CLM.exe
PID 1432 wrote to memory of 1688	1432	CLM.exe	CLM.exe
PID 1432 wrote to memory of 1688	1432	CLM.exe	CLM.exe
PID 1432 wrote to memory of 1688	1432	CLM.exe	CLM.exe
PID 1432 wrote to memory of 1688	1432	CLM.exe	CLM.exe
PID 1688 wrote to memory of 2004	1688	CLM.exe	dw20.exe
PID 1688 wrote to memory of 2004	1688	CLM.exe	dw20.exe
PID 1688 wrote to memory of 2004	1688	CLM.exe	dw20.exe
PID 1688 wrote to memory of 2004	1688	CLM.exe	dw20.exe

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde "C:\Users\Admin\AppData\Local\Temp\UPDATED SOA.xlsx"
1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:736

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
2⤵
PID:1692

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:600

C:\Users\Admin\AppData\Roaming\CLM.exe
"C:\Users\Admin\AppData\Roaming\CLM.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1432

C:\Users\Admin\AppData\Roaming\CLM.exe
"{path}"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1688

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 960
4⤵
- Loads dropped DLL
PID:2004

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Exploitation for Client Execution

1

T1203

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\CLM.exe
MD5
4ff2f77e4d4cf8207749dd70205c6551

SHA1
4f28db25dc9b18f918d9fa74ae85b549a4128e29

SHA256
2b2b2d652f0df53f1bdf4eead3ef92831132eacfef595043033d375dfe91c8ef

SHA512
31b19d87be54214de05cf27ffddbbc6f3f233b86bc5057517da1d11419fb8ecd3bd5b9930171dbbb8984792382915c089a38a34a66538940cde662ee8684335c

Download Submit
C:\Users\Admin\AppData\Roaming\CLM.exe
MD5
4ff2f77e4d4cf8207749dd70205c6551

SHA1
4f28db25dc9b18f918d9fa74ae85b549a4128e29

SHA256
2b2b2d652f0df53f1bdf4eead3ef92831132eacfef595043033d375dfe91c8ef

SHA512
31b19d87be54214de05cf27ffddbbc6f3f233b86bc5057517da1d11419fb8ecd3bd5b9930171dbbb8984792382915c089a38a34a66538940cde662ee8684335c

Download Submit
C:\Users\Admin\AppData\Roaming\CLM.exe
MD5
4ff2f77e4d4cf8207749dd70205c6551

SHA1
4f28db25dc9b18f918d9fa74ae85b549a4128e29

SHA256
2b2b2d652f0df53f1bdf4eead3ef92831132eacfef595043033d375dfe91c8ef

SHA512
31b19d87be54214de05cf27ffddbbc6f3f233b86bc5057517da1d11419fb8ecd3bd5b9930171dbbb8984792382915c089a38a34a66538940cde662ee8684335c

Download Submit
\Users\Admin\AppData\Roaming\CLM.exe
MD5
4ff2f77e4d4cf8207749dd70205c6551

SHA1
4f28db25dc9b18f918d9fa74ae85b549a4128e29

SHA256
2b2b2d652f0df53f1bdf4eead3ef92831132eacfef595043033d375dfe91c8ef

SHA512
31b19d87be54214de05cf27ffddbbc6f3f233b86bc5057517da1d11419fb8ecd3bd5b9930171dbbb8984792382915c089a38a34a66538940cde662ee8684335c

Download Submit
\Users\Admin\AppData\Roaming\CLM.exe
MD5
4ff2f77e4d4cf8207749dd70205c6551

SHA1
4f28db25dc9b18f918d9fa74ae85b549a4128e29

SHA256
2b2b2d652f0df53f1bdf4eead3ef92831132eacfef595043033d375dfe91c8ef

SHA512
31b19d87be54214de05cf27ffddbbc6f3f233b86bc5057517da1d11419fb8ecd3bd5b9930171dbbb8984792382915c089a38a34a66538940cde662ee8684335c

Download Submit
\Users\Admin\AppData\Roaming\CLM.exe
MD5
4ff2f77e4d4cf8207749dd70205c6551

SHA1
4f28db25dc9b18f918d9fa74ae85b549a4128e29

SHA256
2b2b2d652f0df53f1bdf4eead3ef92831132eacfef595043033d375dfe91c8ef

SHA512
31b19d87be54214de05cf27ffddbbc6f3f233b86bc5057517da1d11419fb8ecd3bd5b9930171dbbb8984792382915c089a38a34a66538940cde662ee8684335c

Download Submit
\Users\Admin\AppData\Roaming\CLM.exe
MD5
4ff2f77e4d4cf8207749dd70205c6551

SHA1
4f28db25dc9b18f918d9fa74ae85b549a4128e29

SHA256
2b2b2d652f0df53f1bdf4eead3ef92831132eacfef595043033d375dfe91c8ef

SHA512
31b19d87be54214de05cf27ffddbbc6f3f233b86bc5057517da1d11419fb8ecd3bd5b9930171dbbb8984792382915c089a38a34a66538940cde662ee8684335c

Download Submit
\Users\Admin\AppData\Roaming\CLM.exe
MD5
4ff2f77e4d4cf8207749dd70205c6551

SHA1
4f28db25dc9b18f918d9fa74ae85b549a4128e29

SHA256
2b2b2d652f0df53f1bdf4eead3ef92831132eacfef595043033d375dfe91c8ef

SHA512
31b19d87be54214de05cf27ffddbbc6f3f233b86bc5057517da1d11419fb8ecd3bd5b9930171dbbb8984792382915c089a38a34a66538940cde662ee8684335c

Download Submit
memory/600-63-0x0000000075891000-0x0000000075893000-memory.dmp

Filesize
8KB

Download
memory/736-85-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/736-60-0x000000002FBD1000-0x000000002FBD4000-memory.dmp

Filesize
12KB

Download
memory/736-61-0x00000000716A1000-0x00000000716A3000-memory.dmp

Filesize
8KB

Download
memory/736-62-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1432-71-0x00000000004C0000-0x00000000004C1000-memory.dmp

Filesize
4KB

Download
memory/1432-73-0x00000000004C1000-0x00000000004C2000-memory.dmp

Filesize
4KB

Download
memory/1432-66-0x0000000000000000-mapping.dmp

Download
memory/1688-74-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1688-75-0x000000000044320E-mapping.dmp

Download
memory/1688-78-0x0000000000500000-0x0000000000501000-memory.dmp

Filesize
4KB

Download
memory/1692-69-0x0000000000000000-mapping.dmp

Download
memory/1692-72-0x000007FEFBEA1000-0x000007FEFBEA3000-memory.dmp

Filesize
8KB

Download
memory/2004-79-0x0000000000000000-mapping.dmp

Download
memory/2004-84-0x0000000001E10000-0x0000000001E11000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing