Analysis
Max time kernel: 100s
Max time network: 184s
Platform: windows7_x64
Resource: win7v20210408
Submitted: 28-07-2021 02:00

Static task: static1
Behavioral task: behavioral1
  Sample: Number of Package.xlsx
  Resource: win7v20210408
Behavioral task: behavioral2
  Sample: Number of Package.xlsx
  Resource: win10v20210408
General
Target: Number of Package.xlsx
Size: 718KB
MD5: a247cc8b5eb2f580aa454b3846c3ad36
SHA1: 415bb2fdedf27176947e557ac969a09b9e9d035a
SHA256: db27960e5407802bd8416782c93898baf8c89e240348db47870ef55091195feb
SHA512: 31f99e8545b8bc6254a498d590c6b79ded8bc7213f1f407652cfc6d36702b5c6bd5918add236d9d50085ccb8d97f0b6ca721e192aed06d4e0c0e3e606c4de4e8
Malware Config
Extracted
snakekeylogger
  Protocol: smtp
  Host: bh-16.webhostbox.net
  Port: 587
  Username: whesilolog@miratechs.gq
  Password: 7213575aceACE@#$
Signatures

Snake Keylogger
Keylogger and Infostealer first seen in November 2020.

CustAttr .NET packer (1 IoCs)
Detects CustAttr .NET packer in memory.
Processes:
  resource                                                                     yara_rule
  behavioral1/memory/936-70-0x00000000004E0000-0x00000000004EB000-memory.dmp  CustAttr

Blocklisted process makes network request (1 IoCs)
Processes:
  flow  pid   process
  5     1544  EQNEDT32.EXE

Downloads MZ/PE file

Executes dropped EXE (2 IoCs)
Processes:
  pid   process
  936   whesilo7441.exe
  1084  whesilo7441.exe

Loads dropped DLL (6 IoCs)
Processes:
  pid   process
  1544  EQNEDT32.EXE
  2008  WerFault.exe
  2008  WerFault.exe
  2008  WerFault.exe
  2008  WerFault.exe
  2008  WerFault.exe

Looks up external IP address via web service (1 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
  flow  ioc
  6     checkip.dyndns.org

Suspicious use of SetThreadContext (1 IoCs)
Processes:
  description                         pid  process          target process
  PID 936 set thread context of 1084  936  whesilo7441.exe  whesilo7441.exe

Program crash (1 IoCs)
Processes:
  pid   pid_target  process       target process
  2008  1084        WerFault.exe  whesilo7441.exe

Enumerates system info in registry (2 TTPs, 1 IoCs)
Processes:
  description  ioc                                                                  process
  Key opened   \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor  EXCEL.EXE
Launches Equation Editor (1 TTPs, 1 IoCs)
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

Modifies Internet Explorer settings
Processes:
  description      ioc  process
  Set value (int)  \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"  EXCEL.EXE
  Set value (str)  \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"  EXCEL.EXE
  Set value (str)  \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"  EXCEL.EXE
  Key created      \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote  EXCEL.EXE
  Set value (str)  \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"  EXCEL.EXE
  Set value (int)  \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"  EXCEL.EXE
  Key created      \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Toolbar  EXCEL.EXE
  Key created      \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt  EXCEL.EXE
  Key created      \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel  EXCEL.EXE
Suspicious behavior: AddClipboardFormatListener (1 IoCs)
Processes:
  pid  process
  332  EXCEL.EXE

Suspicious behavior: EnumeratesProcesses (6 IoCs)
Processes:
  pid   process
  1084  whesilo7441.exe
  2008  WerFault.exe
  2008  WerFault.exe
  2008  WerFault.exe
  2008  WerFault.exe
  2008  WerFault.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes:
  description              pid   process
  Token: SeDebugPrivilege  1084  whesilo7441.exe
  Token: SeDebugPrivilege  2008  WerFault.exe

Suspicious use of SetWindowsHookEx (3 IoCs)
Processes:
  pid  process
  332  EXCEL.EXE
  332  EXCEL.EXE
  332  EXCEL.EXE

Suspicious use of WriteProcessMemory (17 IoCs)
Processes:
  description                      pid   process          target process
  PID 1544 wrote to memory of 936  1544  EQNEDT32.EXE     whesilo7441.exe
  PID 1544 wrote to memory of 936  1544  EQNEDT32.EXE     whesilo7441.exe
  PID 1544 wrote to memory of 936  1544  EQNEDT32.EXE     whesilo7441.exe
  PID 1544 wrote to memory of 936  1544  EQNEDT32.EXE     whesilo7441.exe
  PID 936 wrote to memory of 1084  936   whesilo7441.exe  whesilo7441.exe
  PID 936 wrote to memory of 1084  936   whesilo7441.exe  whesilo7441.exe
  PID 936 wrote to memory of 1084  936   whesilo7441.exe  whesilo7441.exe
  PID 936 wrote to memory of 1084  936   whesilo7441.exe  whesilo7441.exe
  PID 936 wrote to memory of 1084  936   whesilo7441.exe  whesilo7441.exe
  PID 936 wrote to memory of 1084  936   whesilo7441.exe  whesilo7441.exe
  PID 936 wrote to memory of 1084  936   whesilo7441.exe  whesilo7441.exe
  PID 936 wrote to memory of 1084  936   whesilo7441.exe  whesilo7441.exe
  PID 936 wrote to memory of 1084  936   whesilo7441.exe  whesilo7441.exe
  PID 1084 wrote to memory of 2008 1084  whesilo7441.exe  WerFault.exe
  PID 1084 wrote to memory of 2008 1084  whesilo7441.exe  WerFault.exe
  PID 1084 wrote to memory of 2008 1084  whesilo7441.exe  WerFault.exe
  PID 1084 wrote to memory of 2008 1084  whesilo7441.exe  WerFault.exe
Processes
- C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
  Command line: "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde "C:\Users\Admin\AppData\Local\Temp\Number of Package.xlsx"
  - Enumerates system info in registry
  - Modifies Internet Explorer settings
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
- C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
  Command line: "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
  - Blocklisted process makes network request
  - Loads dropped DLL
  - Launches Equation Editor
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\whesilo7441.exe
    Command line: "C:\Users\Admin\AppData\Roaming\whesilo7441.exe"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Roaming\whesilo7441.exe
      Command line: "C:\Users\Admin\AppData\Roaming\whesilo7441.exe"
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1084 -s 1004
        - Loads dropped DLL
        - Program crash
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Roaming\whesilo7441.exe
  MD5: 573a705d5e0d497295ea03ac32056f8f
  SHA1: 22da991da46c925251c0d509cdaa6cad50e3ebe1
  SHA256: 74f9d0543c52f4e3cc068134a69edaea6af7d715874efc4acd643991f28f3de3
  SHA512: 59399a3c87b2157485ca25899c018d98c8dea6572a918bb5c2984f6b24c86fbe2e76fac87625ab05e782a4f1ca655eb71c1a225ccccc25e722344294b22fa515
- memory/332-86-0x000000005FFF0000-0x0000000060000000-memory.dmp  Filesize: 64KB
- memory/332-61-0x000000005FFF0000-0x0000000060000000-memory.dmp  Filesize: 64KB
- memory/332-60-0x0000000071211000-0x0000000071213000-memory.dmp  Filesize: 8KB
- memory/332-59-0x000000002F391000-0x000000002F394000-memory.dmp  Filesize: 12KB
- memory/936-72-0x0000000002040000-0x0000000002066000-memory.dmp  Filesize: 152KB
- memory/936-71-0x0000000004F10000-0x0000000004F73000-memory.dmp  Filesize: 396KB
- memory/936-70-0x00000000004E0000-0x00000000004EB000-memory.dmp  Filesize: 44KB
- memory/936-69-0x0000000004D30000-0x0000000004D31000-memory.dmp  Filesize: 4KB
- memory/936-67-0x0000000000AF0000-0x0000000000AF1000-memory.dmp  Filesize: 4KB
- memory/936-64-0x0000000000000000-mapping.dmp
- memory/1084-73-0x0000000000400000-0x0000000000424000-memory.dmp  Filesize: 144KB
- memory/1084-74-0x000000000041F89E-mapping.dmp
- memory/1084-76-0x0000000000400000-0x0000000000424000-memory.dmp  Filesize: 144KB
- memory/1084-78-0x0000000004AB0000-0x0000000004AB1000-memory.dmp  Filesize: 4KB
- memory/1544-62-0x0000000075FF1000-0x0000000075FF3000-memory.dmp  Filesize: 8KB
- memory/2008-79-0x0000000000000000-mapping.dmp
- memory/2008-85-0x0000000002300000-0x0000000002301000-memory.dmp  Filesize: 4KB