snakekeylogger | 1cfe05628f52cf99f5320c612e340abe35d30f56527d3949677b87716914d68d

Analysis

max time kernel
101s
max time network
124s
platform
windows7_x64
resource
win7v20210410
submitted
27-07-2021 19:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

product picture.xlsx
Size

629KB
MD5

a793904f9e649cdec7b2d27b7f6faf0d
SHA1

9a364e1755fbb8ed41ba9c34364e85255ff2d636
SHA256

1cfe05628f52cf99f5320c612e340abe35d30f56527d3949677b87716914d68d
SHA512

53d38acd0fa81b6a979b5777378453d1a8612591095de78f0763e080a20e283bf9c80aae3fc8956739f5dcede7b0f11d7c587118f6fab6f091fa82d27a431163

Score

10^/10

snakekeylogger keylogger stealer

Malware Config

Extracted

Family

snakekeylogger

Credentials

Protocol: smtp
Host:
miratechs.gq
Port:
587
Username:
arinzelog@miratechs.gq
Password:
7213575aceACE@#$

Signatures

Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
stealer keylogger snakekeylogger

CustAttr .NET packer 1 IoCs

Detects CustAttr .NET packer in memory.

Processes:

resource	yara_rule
behavioral1/memory/1284-71-0x00000000001C0000-0x00000000001CB000-memory.dmp	CustAttr

Blocklisted process makes network request 1 IoCs

Processes:

EQNEDT32.EXE

flow pid process

6 1908 EQNEDT32.EXE
Downloads MZ/PE file
Executes dropped EXE 2 IoCs

Processes:

arinze5974.exearinze5974.exe

pid process

1284 arinze5974.exe
1720 arinze5974.exe
Loads dropped DLL 6 IoCs

Processes:

EQNEDT32.EXEWerFault.exe

pid process

1908 EQNEDT32.EXE
1744 WerFault.exe
1744 WerFault.exe
1744 WerFault.exe
1744 WerFault.exe
1744 WerFault.exe
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

7 checkip.dyndns.org
Suspicious use of SetThreadContext 1 IoCs

Processes:

arinze5974.exe

description pid process target process

PID 1284 set thread context of 1720 1284 arinze5974.exe arinze5974.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1744 1720 WerFault.exe arinze5974.exe
Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry
T1012

System Information Discovery
T1082

Processes:

EXCEL.EXE

description ioc process

Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor EXCEL.EXE
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
exploit

Exploitation for Client Execution
T1203

Processes:

EQNEDT32.EXE

pid process

1908 EQNEDT32.EXE

flow	pid	process
6	1908	EQNEDT32.EXE

pid	process
1284	arinze5974.exe
1720	arinze5974.exe

pid	process
1908	EQNEDT32.EXE
1744	WerFault.exe
1744	WerFault.exe
1744	WerFault.exe
1744	WerFault.exe
1744	WerFault.exe

flow	ioc
7	checkip.dyndns.org

description	pid	process	target process
PID 1284 set thread context of 1720	1284	arinze5974.exe	arinze5974.exe

pid	pid_target	process	target process
1744	1720	WerFault.exe	arinze5974.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

pid	process
1908	EQNEDT32.EXE

Modifies Internet Explorer settings 1 TTPs 9 IoCs

adware spyware

Modify Registry

T1112

Processes:

EXCEL.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Toolbar	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

452 EXCEL.EXE
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

arinze5974.exeWerFault.exe

pid process

1720 arinze5974.exe
1744 WerFault.exe
1744 WerFault.exe
1744 WerFault.exe
1744 WerFault.exe
1744 WerFault.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

arinze5974.exeWerFault.exe

description pid process

Token: SeDebugPrivilege 1720 arinze5974.exe
Token: SeDebugPrivilege 1744 WerFault.exe
Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

EXCEL.EXE

pid process

452 EXCEL.EXE
452 EXCEL.EXE
452 EXCEL.EXE

pid	process
452	EXCEL.EXE

pid	process
1720	arinze5974.exe
1744	WerFault.exe
1744	WerFault.exe
1744	WerFault.exe
1744	WerFault.exe
1744	WerFault.exe

description	pid	process
Token: SeDebugPrivilege	1720	arinze5974.exe
Token: SeDebugPrivilege	1744	WerFault.exe

pid	process
452	EXCEL.EXE
452	EXCEL.EXE
452	EXCEL.EXE

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

EQNEDT32.EXEarinze5974.exearinze5974.exe

description	pid	process	target process
PID 1908 wrote to memory of 1284	1908	EQNEDT32.EXE	arinze5974.exe
PID 1908 wrote to memory of 1284	1908	EQNEDT32.EXE	arinze5974.exe
PID 1908 wrote to memory of 1284	1908	EQNEDT32.EXE	arinze5974.exe
PID 1908 wrote to memory of 1284	1908	EQNEDT32.EXE	arinze5974.exe
PID 1284 wrote to memory of 1720	1284	arinze5974.exe	arinze5974.exe
PID 1284 wrote to memory of 1720	1284	arinze5974.exe	arinze5974.exe
PID 1284 wrote to memory of 1720	1284	arinze5974.exe	arinze5974.exe
PID 1284 wrote to memory of 1720	1284	arinze5974.exe	arinze5974.exe
PID 1284 wrote to memory of 1720	1284	arinze5974.exe	arinze5974.exe
PID 1284 wrote to memory of 1720	1284	arinze5974.exe	arinze5974.exe
PID 1284 wrote to memory of 1720	1284	arinze5974.exe	arinze5974.exe
PID 1284 wrote to memory of 1720	1284	arinze5974.exe	arinze5974.exe
PID 1284 wrote to memory of 1720	1284	arinze5974.exe	arinze5974.exe
PID 1720 wrote to memory of 1744	1720	arinze5974.exe	WerFault.exe
PID 1720 wrote to memory of 1744	1720	arinze5974.exe	WerFault.exe
PID 1720 wrote to memory of 1744	1720	arinze5974.exe	WerFault.exe
PID 1720 wrote to memory of 1744	1720	arinze5974.exe	WerFault.exe

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde "C:\Users\Admin\AppData\Local\Temp\product picture.xlsx"
1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:452

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:1908

C:\Users\Admin\AppData\Roaming\arinze5974.exe
"C:\Users\Admin\AppData\Roaming\arinze5974.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1284

C:\Users\Admin\AppData\Roaming\arinze5974.exe
"C:\Users\Admin\AppData\Roaming\arinze5974.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1720

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1720 -s 996
4⤵
- Loads dropped DLL
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1744

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Exploitation for Client Execution

T1203

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\arinze5974.exe
MD5
f014241e8c93d4dbafb85339eae88015

SHA1
9c5599c4f75b03928576778ec87a55d56d3cefde

SHA256
b0cc2b05abaf593a784bb9d83cd0a61bf5b218605f61dba802df21c8ea54c7c6

SHA512
117e90944b92a26a019aca33c2666d6beaa6a92ec237dc487c5a037ac309eb38cb15bfa4f801795d1bbef05b99ec494945a4e86c6e21a11bbff1ebaa7c746fc2

Download Submit
C:\Users\Admin\AppData\Roaming\arinze5974.exe
MD5
f014241e8c93d4dbafb85339eae88015

SHA1
9c5599c4f75b03928576778ec87a55d56d3cefde

SHA256
b0cc2b05abaf593a784bb9d83cd0a61bf5b218605f61dba802df21c8ea54c7c6

SHA512
117e90944b92a26a019aca33c2666d6beaa6a92ec237dc487c5a037ac309eb38cb15bfa4f801795d1bbef05b99ec494945a4e86c6e21a11bbff1ebaa7c746fc2

Download Submit
C:\Users\Admin\AppData\Roaming\arinze5974.exe
MD5
f014241e8c93d4dbafb85339eae88015

SHA1
9c5599c4f75b03928576778ec87a55d56d3cefde

SHA256
b0cc2b05abaf593a784bb9d83cd0a61bf5b218605f61dba802df21c8ea54c7c6

SHA512
117e90944b92a26a019aca33c2666d6beaa6a92ec237dc487c5a037ac309eb38cb15bfa4f801795d1bbef05b99ec494945a4e86c6e21a11bbff1ebaa7c746fc2

Download Submit
\Users\Admin\AppData\Roaming\arinze5974.exe
MD5
f014241e8c93d4dbafb85339eae88015

SHA1
9c5599c4f75b03928576778ec87a55d56d3cefde

SHA256
b0cc2b05abaf593a784bb9d83cd0a61bf5b218605f61dba802df21c8ea54c7c6

SHA512
117e90944b92a26a019aca33c2666d6beaa6a92ec237dc487c5a037ac309eb38cb15bfa4f801795d1bbef05b99ec494945a4e86c6e21a11bbff1ebaa7c746fc2

Download Submit
\Users\Admin\AppData\Roaming\arinze5974.exe
MD5
f014241e8c93d4dbafb85339eae88015

SHA1
9c5599c4f75b03928576778ec87a55d56d3cefde

SHA256
b0cc2b05abaf593a784bb9d83cd0a61bf5b218605f61dba802df21c8ea54c7c6

SHA512
117e90944b92a26a019aca33c2666d6beaa6a92ec237dc487c5a037ac309eb38cb15bfa4f801795d1bbef05b99ec494945a4e86c6e21a11bbff1ebaa7c746fc2

Download Submit
\Users\Admin\AppData\Roaming\arinze5974.exe
MD5
f014241e8c93d4dbafb85339eae88015

SHA1
9c5599c4f75b03928576778ec87a55d56d3cefde

SHA256
b0cc2b05abaf593a784bb9d83cd0a61bf5b218605f61dba802df21c8ea54c7c6

SHA512
117e90944b92a26a019aca33c2666d6beaa6a92ec237dc487c5a037ac309eb38cb15bfa4f801795d1bbef05b99ec494945a4e86c6e21a11bbff1ebaa7c746fc2

Download Submit
\Users\Admin\AppData\Roaming\arinze5974.exe
MD5
f014241e8c93d4dbafb85339eae88015

SHA1
9c5599c4f75b03928576778ec87a55d56d3cefde

SHA256
b0cc2b05abaf593a784bb9d83cd0a61bf5b218605f61dba802df21c8ea54c7c6

SHA512
117e90944b92a26a019aca33c2666d6beaa6a92ec237dc487c5a037ac309eb38cb15bfa4f801795d1bbef05b99ec494945a4e86c6e21a11bbff1ebaa7c746fc2

Download Submit
\Users\Admin\AppData\Roaming\arinze5974.exe
MD5
f014241e8c93d4dbafb85339eae88015

SHA1
9c5599c4f75b03928576778ec87a55d56d3cefde

SHA256
b0cc2b05abaf593a784bb9d83cd0a61bf5b218605f61dba802df21c8ea54c7c6

SHA512
117e90944b92a26a019aca33c2666d6beaa6a92ec237dc487c5a037ac309eb38cb15bfa4f801795d1bbef05b99ec494945a4e86c6e21a11bbff1ebaa7c746fc2

Download Submit
\Users\Admin\AppData\Roaming\arinze5974.exe
MD5
f014241e8c93d4dbafb85339eae88015

SHA1
9c5599c4f75b03928576778ec87a55d56d3cefde

SHA256
b0cc2b05abaf593a784bb9d83cd0a61bf5b218605f61dba802df21c8ea54c7c6

SHA512
117e90944b92a26a019aca33c2666d6beaa6a92ec237dc487c5a037ac309eb38cb15bfa4f801795d1bbef05b99ec494945a4e86c6e21a11bbff1ebaa7c746fc2

Download Submit
memory/452-87-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/452-62-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/452-61-0x0000000071581000-0x0000000071583000-memory.dmp

Filesize
8KB

Download
memory/452-60-0x000000002F671000-0x000000002F674000-memory.dmp

Filesize
12KB

Download
memory/1284-73-0x00000000004E0000-0x0000000000506000-memory.dmp

Filesize
152KB

Download
memory/1284-72-0x0000000004F50000-0x0000000004FBB000-memory.dmp

Filesize
428KB

Download
memory/1284-71-0x00000000001C0000-0x00000000001CB000-memory.dmp

Filesize
44KB

Download
memory/1284-70-0x0000000004CD0000-0x0000000004CD1000-memory.dmp

Filesize
4KB

Download
memory/1284-68-0x00000000010D0000-0x00000000010D1000-memory.dmp

Filesize
4KB

Download
memory/1284-65-0x0000000000000000-mapping.dmp

Download
memory/1720-74-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1720-75-0x000000000041F84E-mapping.dmp

Download
memory/1720-77-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1720-79-0x0000000000CA0000-0x0000000000CA1000-memory.dmp

Filesize
4KB

Download
memory/1744-80-0x0000000000000000-mapping.dmp

Download
memory/1744-86-0x00000000002C0000-0x0000000000358000-memory.dmp

Filesize
608KB

Download
memory/1908-63-0x00000000753E1000-0x00000000753E3000-memory.dmp

Filesize
8KB

Download