Overview

overview

10

Static

static

NEW PO 20225181.xlsx

windows7-x64

10

NEW PO 20225181.xlsx

windows10-2004-x64

1

Analysis

  • max time kernel
    111s
  • max time network
    114s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    19-09-2022 08:07

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    NEW PO 20225181.xlsx

  • Size

    224KB

  • MD5

    6826bbee258392a79f20091716a3fd15

  • SHA1

    94fb6fbc30e5957f6b237cdf99f7015dd2853331

  • SHA256

    f9e9464169205be40bda49d94c135db4dd6daec15eaaed39b0e3ad1afe497316

  • SHA512

    e912c44ea39108645c2ce1e9dabedd65b81e1f87f2adea216fd39603b5615a203d03ff37ed4ea35c1fd0f0e8cb3ed4ff43fd37411a36c209c653164a3979130d

  • SSDEEP

    6144:d2CK4NbWM2cOu9pJXNzblkX2MxcRrWDKtGG7:ECK4EM6upJRbym9R4U

Score
10/10
snakekeyloggercollectionkeyloggerspywarestealer

Malware Config

Extracted

Family

snakekeylogger

Credentials

Signatures

  • Snake Keylogger

    Keylogger and Infostealer first seen in November 2020.

    stealerkeyloggersnakekeylogger
  • Snake Keylogger payload 6 IoCs
  • Blocklisted process makes network request 2 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 5 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Launches Equation Editor 1 TTPs 1 IoCs

    Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

    exploit
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde "C:\Users\Admin\AppData\Local\Temp\NEW PO 20225181.xlsx"
    1⤵
    • Enumerates system info in registry
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    PID:1652
  • C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
    "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
    1⤵
    • Blocklisted process makes network request
    • Loads dropped DLL
    • Launches Equation Editor
    • Suspicious use of WriteProcessMemory
    PID:1380
    • C:\Users\Public\regasm_svch.exe
      "C:\Users\Public\regasm_svch.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:392
      • C:\Users\Public\regasm_svch.exe
        "C:\Users\Public\regasm_svch.exe"
        3⤵
        • Executes dropped EXE
        • Accesses Microsoft Outlook profiles
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • outlook_office_path
        • outlook_win_path
        PID:832

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Public\regasm_svch.exe
    Filesize

    723KB

    MD5

    fa0f26e712743b8960b3519319c3a7ca

    SHA1

    fa5a63d80b32365583136dbac729aa8bc5536ebb

    SHA256

    997dfa9474f19f973c4161f7cfa03d778f4f8c0875c6834c1b2dd8e42c289bc3

    SHA512

    42987a14c6a879bfa6af44e9a10ca1bf4d3be3d23d3d2cd9a9b86098b2d9a575e07ec2f1da8aab892a9b764dd16d4f08f814a77435d32b85bf3d3c00a31a8b0b

    Download Submit

  • C:\Users\Public\regasm_svch.exe
    Filesize

    723KB

    MD5

    fa0f26e712743b8960b3519319c3a7ca

    SHA1

    fa5a63d80b32365583136dbac729aa8bc5536ebb

    SHA256

    997dfa9474f19f973c4161f7cfa03d778f4f8c0875c6834c1b2dd8e42c289bc3

    SHA512

    42987a14c6a879bfa6af44e9a10ca1bf4d3be3d23d3d2cd9a9b86098b2d9a575e07ec2f1da8aab892a9b764dd16d4f08f814a77435d32b85bf3d3c00a31a8b0b

    Download Submit

  • C:\Users\Public\regasm_svch.exe
    Filesize

    723KB

    MD5

    fa0f26e712743b8960b3519319c3a7ca

    SHA1

    fa5a63d80b32365583136dbac729aa8bc5536ebb

    SHA256

    997dfa9474f19f973c4161f7cfa03d778f4f8c0875c6834c1b2dd8e42c289bc3

    SHA512

    42987a14c6a879bfa6af44e9a10ca1bf4d3be3d23d3d2cd9a9b86098b2d9a575e07ec2f1da8aab892a9b764dd16d4f08f814a77435d32b85bf3d3c00a31a8b0b

    Download Submit

  • \Users\Public\regasm_svch.exe
    Filesize

    723KB

    MD5

    fa0f26e712743b8960b3519319c3a7ca

    SHA1

    fa5a63d80b32365583136dbac729aa8bc5536ebb

    SHA256

    997dfa9474f19f973c4161f7cfa03d778f4f8c0875c6834c1b2dd8e42c289bc3

    SHA512

    42987a14c6a879bfa6af44e9a10ca1bf4d3be3d23d3d2cd9a9b86098b2d9a575e07ec2f1da8aab892a9b764dd16d4f08f814a77435d32b85bf3d3c00a31a8b0b

    Download Submit

  • \Users\Public\regasm_svch.exe
    Filesize

    723KB

    MD5

    fa0f26e712743b8960b3519319c3a7ca

    SHA1

    fa5a63d80b32365583136dbac729aa8bc5536ebb

    SHA256

    997dfa9474f19f973c4161f7cfa03d778f4f8c0875c6834c1b2dd8e42c289bc3

    SHA512

    42987a14c6a879bfa6af44e9a10ca1bf4d3be3d23d3d2cd9a9b86098b2d9a575e07ec2f1da8aab892a9b764dd16d4f08f814a77435d32b85bf3d3c00a31a8b0b

    Download Submit

  • \Users\Public\regasm_svch.exe
    Filesize

    723KB

    MD5

    fa0f26e712743b8960b3519319c3a7ca

    SHA1

    fa5a63d80b32365583136dbac729aa8bc5536ebb

    SHA256

    997dfa9474f19f973c4161f7cfa03d778f4f8c0875c6834c1b2dd8e42c289bc3

    SHA512

    42987a14c6a879bfa6af44e9a10ca1bf4d3be3d23d3d2cd9a9b86098b2d9a575e07ec2f1da8aab892a9b764dd16d4f08f814a77435d32b85bf3d3c00a31a8b0b

    Download Submit

  • \Users\Public\regasm_svch.exe
    Filesize

    723KB

    MD5

    fa0f26e712743b8960b3519319c3a7ca

    SHA1

    fa5a63d80b32365583136dbac729aa8bc5536ebb

    SHA256

    997dfa9474f19f973c4161f7cfa03d778f4f8c0875c6834c1b2dd8e42c289bc3

    SHA512

    42987a14c6a879bfa6af44e9a10ca1bf4d3be3d23d3d2cd9a9b86098b2d9a575e07ec2f1da8aab892a9b764dd16d4f08f814a77435d32b85bf3d3c00a31a8b0b

    Download Submit

  • \Users\Public\regasm_svch.exe
    Filesize

    723KB

    MD5

    fa0f26e712743b8960b3519319c3a7ca

    SHA1

    fa5a63d80b32365583136dbac729aa8bc5536ebb

    SHA256

    997dfa9474f19f973c4161f7cfa03d778f4f8c0875c6834c1b2dd8e42c289bc3

    SHA512

    42987a14c6a879bfa6af44e9a10ca1bf4d3be3d23d3d2cd9a9b86098b2d9a575e07ec2f1da8aab892a9b764dd16d4f08f814a77435d32b85bf3d3c00a31a8b0b

    Download Submit

  • memory/392-69-0x0000000001260000-0x000000000131C000-memory.dmp

    Filesize

    752KB

    Download

  • memory/392-71-0x0000000000530000-0x0000000000546000-memory.dmp

    Filesize

    88KB

    Download

  • memory/392-76-0x0000000001030000-0x0000000001056000-memory.dmp

    Filesize

    152KB

    Download

  • memory/392-75-0x0000000007E40000-0x0000000007EC0000-memory.dmp

    Filesize

    512KB

    Download

  • memory/392-74-0x0000000000540000-0x000000000054C000-memory.dmp

    Filesize

    48KB

    Download

  • memory/832-82-0x0000000000400000-0x0000000000426000-memory.dmp

    Filesize

    152KB

    Download

  • memory/832-78-0x0000000000400000-0x0000000000426000-memory.dmp

    Filesize

    152KB

    Download

  • memory/832-87-0x0000000000400000-0x0000000000426000-memory.dmp

    Filesize

    152KB

    Download

  • memory/832-89-0x0000000000400000-0x0000000000426000-memory.dmp

    Filesize

    152KB

    Download

  • memory/832-83-0x0000000000400000-0x0000000000426000-memory.dmp

    Filesize

    152KB

    Download

  • memory/832-80-0x0000000000400000-0x0000000000426000-memory.dmp

    Filesize

    152KB

    Download

  • memory/832-77-0x0000000000400000-0x0000000000426000-memory.dmp

    Filesize

    152KB

    Download

  • memory/1652-56-0x000000005FFF0000-0x0000000060000000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1652-58-0x0000000076041000-0x0000000076043000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1652-60-0x000000007226D000-0x0000000072278000-memory.dmp

    Filesize

    44KB

    Download

  • memory/1652-57-0x000000007226D000-0x0000000072278000-memory.dmp

    Filesize

    44KB

    Download

  • memory/1652-54-0x000000002F841000-0x000000002F844000-memory.dmp

    Filesize

    12KB

    Download

  • memory/1652-55-0x0000000071281000-0x0000000071283000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1652-73-0x000000007226D000-0x0000000072278000-memory.dmp

    Filesize

    44KB

    Download

  • memory/1652-72-0x000000005FFF0000-0x0000000060000000-memory.dmp

    Filesize

    64KB

    Download