Analysis
max time kernel: 101s
max time network: 124s
platform: windows7_x64
resource: win7v20210410
submitted: 27-07-2021 19:40

Static task: static1
Behavioral task: behavioral1
  Sample: product picture.xlsx
  Resource: win7v20210410
Behavioral task: behavioral2
  Sample: product picture.xlsx
  Resource: win10v20210408
General
Target: product picture.xlsx
Size: 629KB
MD5: a793904f9e649cdec7b2d27b7f6faf0d
SHA1: 9a364e1755fbb8ed41ba9c34364e85255ff2d636
SHA256: 1cfe05628f52cf99f5320c612e340abe35d30f56527d3949677b87716914d68d
SHA512: 53d38acd0fa81b6a979b5777378453d1a8612591095de78f0763e080a20e283bf9c80aae3fc8956739f5dcede7b0f11d7c587118f6fab6f091fa82d27a431163
Malware Config
Extracted family: snakekeylogger
Protocol: smtp
Host: miratechs.gq
Port: 587
Username: arinzelog@miratechs.gq
Password: 7213575aceACE@#$
Signatures

Snake Keylogger
  Keylogger and Infostealer first seen in November 2020.

CustAttr .NET packer (1 IoC)
  Detects CustAttr .NET packer in memory.
  Processes:
    resource: behavioral1/memory/1284-71-0x00000000001C0000-0x00000000001CB000-memory.dmp  yara_rule: CustAttr

Blocklisted process makes network request (1 IoC)
  Processes:
    flow 6  pid 1908  EQNEDT32.EXE

Downloads MZ/PE file

Executes dropped EXE (2 IoCs)
  Processes:
    pid 1284  arinze5974.exe
    pid 1720  arinze5974.exe

Loads dropped DLL (6 IoCs)
  Processes:
    pid 1908  EQNEDT32.EXE
    pid 1744  WerFault.exe (5 entries)

Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes:
    flow 7  ioc checkip.dyndns.org

Suspicious use of SetThreadContext (1 IoC)
  Processes:
    PID 1284 (arinze5974.exe) set thread context of 1720 (arinze5974.exe)

Program crash (1 IoC)
  Processes:
    pid 1744 WerFault.exe  pid_target 1720 arinze5974.exe

Enumerates system info in registry (2 TTPs, 1 IoC)
  Processes:
    Key opened  \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor  EXCEL.EXE

Launches Equation Editor (1 TTPs, 1 IoC)
  Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

Modifies Internet Explorer settings
  Processes (all EXCEL.EXE; keys below \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer):
    Key created      MenuExt
    Key created      MenuExt\Se&nd to OneNote
    Set value (str)  MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"
    Set value (int)  MenuExt\Se&nd to OneNote\Contexts = "55"
    Key created      MenuExt\E&xport to Microsoft Excel
    Set value (str)  MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"
    Set value (int)  MenuExt\E&xport to Microsoft Excel\Contexts = "1"
    Key created      Toolbar
    Set value (str)  Toolbar\ShowDiscussionButton = "Yes"

Suspicious behavior: AddClipboardFormatListener (1 IoC)
  Processes:
    pid 452  EXCEL.EXE

Suspicious behavior: EnumeratesProcesses (6 IoCs)
  Processes:
    pid 1720  arinze5974.exe
    pid 1744  WerFault.exe (5 entries)

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes:
    Token: SeDebugPrivilege  pid 1720  arinze5974.exe
    Token: SeDebugPrivilege  pid 1744  WerFault.exe

Suspicious use of SetWindowsHookEx (3 IoCs)
  Processes:
    pid 452  EXCEL.EXE (3 entries)

Suspicious use of WriteProcessMemory (17 IoCs)
  Processes:
    PID 1908 (EQNEDT32.EXE) wrote to memory of 1284 (arinze5974.exe)  (4 entries)
    PID 1284 (arinze5974.exe) wrote to memory of 1720 (arinze5974.exe)  (9 entries)
    PID 1720 (arinze5974.exe) wrote to memory of 1744 (WerFault.exe)  (4 entries)
Processes

"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde "C:\Users\Admin\AppData\Local\Temp\product picture.xlsx"
  - Enumerates system info in registry
  - Modifies Internet Explorer settings
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx

"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
  - Blocklisted process makes network request
  - Loads dropped DLL
  - Launches Equation Editor
  - Suspicious use of WriteProcessMemory

  "C:\Users\Admin\AppData\Roaming\arinze5974.exe"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory

    "C:\Users\Admin\AppData\Roaming\arinze5974.exe"
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\WerFault.exe -u -p 1720 -s 996
        - Loads dropped DLL
        - Program crash
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
Downloads

C:\Users\Admin\AppData\Roaming\arinze5974.exe
  MD5: f014241e8c93d4dbafb85339eae88015
  SHA1: 9c5599c4f75b03928576778ec87a55d56d3cefde
  SHA256: b0cc2b05abaf593a784bb9d83cd0a61bf5b218605f61dba802df21c8ea54c7c6
  SHA512: 117e90944b92a26a019aca33c2666d6beaa6a92ec237dc487c5a037ac309eb38cb15bfa4f801795d1bbef05b99ec494945a4e86c6e21a11bbff1ebaa7c746fc2
memory/452-87-0x000000005FFF0000-0x0000000060000000-memory.dmp  64KB
memory/452-62-0x000000005FFF0000-0x0000000060000000-memory.dmp  64KB
memory/452-61-0x0000000071581000-0x0000000071583000-memory.dmp  8KB
memory/452-60-0x000000002F671000-0x000000002F674000-memory.dmp  12KB
memory/1284-73-0x00000000004E0000-0x0000000000506000-memory.dmp  152KB
memory/1284-72-0x0000000004F50000-0x0000000004FBB000-memory.dmp  428KB
memory/1284-71-0x00000000001C0000-0x00000000001CB000-memory.dmp  44KB
memory/1284-70-0x0000000004CD0000-0x0000000004CD1000-memory.dmp  4KB
memory/1284-68-0x00000000010D0000-0x00000000010D1000-memory.dmp  4KB
memory/1284-65-0x0000000000000000-mapping.dmp
memory/1720-74-0x0000000000400000-0x0000000000424000-memory.dmp  144KB
memory/1720-75-0x000000000041F84E-mapping.dmp
memory/1720-77-0x0000000000400000-0x0000000000424000-memory.dmp  144KB
memory/1720-79-0x0000000000CA0000-0x0000000000CA1000-memory.dmp  4KB
memory/1744-80-0x0000000000000000-mapping.dmp
memory/1744-86-0x00000000002C0000-0x0000000000358000-memory.dmp  608KB
memory/1908-63-0x00000000753E1000-0x00000000753E3000-memory.dmp  8KB