Analysis

  • max time kernel
    145s
  • max time network
    128s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags
    arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
  • submitted
    07/02/2023, 17:03

General

  • Target
    Swift 52,000USD.xls
  • Size
    503KB
  • MD5
    f995ee6cf1282fcd570b490a55b17355
  • SHA1
    e0d2ed2412eb4d09c9a2f05612c01ab93e75af03
  • SHA256
    5589bcfad3eb74dac48659c6353f72b4a3aede02382d92f3180dc895181446d6
  • SHA512
    9f9a0c1b3a5f7e7030a548df35da48721fadce673a1864950e8c9b0488eb5843e4b6aab0e6dd6e682b6359f5484e176300a5a55cbd7bb4d3c37b01f3b1b03d73
  • SSDEEP
    6144:C90rC6zzXaMANkizCBDEk2sG3figF8ESbuQq9c+DS+5T+Z+RwPONXoRjDhIcp0fy:CF935TH8Cuou3y

Malware Config

Extracted

Family

snakekeylogger

Credentials

  • Protocol:
    smtp
  • Host:
    us2.smtp.mailhostbox.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    ^!uJBr^9 daniel

Signatures

  • Snake Keylogger

    Keylogger and Infostealer first seen in November 2020.

  • Snake Keylogger payload 6 IoCs
  • Blocklisted process makes network request 1 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Uses the VBS compiler for execution 1 TTPs
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Launches Equation Editor 1 TTPs 1 IoCs

    Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde "C:\Users\Admin\AppData\Local\Temp\Swift 52,000USD.xls"
    1⤵
    • Enumerates system info in registry
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    PID:1320
  • C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
    "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
    1⤵
    • Blocklisted process makes network request
    • Loads dropped DLL
    • Launches Equation Editor
    • Suspicious use of WriteProcessMemory
    PID:1724
    • C:\Users\Public\vbc.exe
      "C:\Users\Public\vbc.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1524
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\gQNFKsjfYwz.exe"
        3⤵
        • Drops file in System32 directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1876
      • C:\Windows\SysWOW64\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gQNFKsjfYwz" /XML "C:\Users\Admin\AppData\Local\Temp\tmpD470.tmp"
        3⤵
        • Creates scheduled task(s)
        PID:1900
      • C:\Users\Public\vbc.exe
        "C:\Users\Public\vbc.exe"
        3⤵
        • Executes dropped EXE
        • Accesses Microsoft Outlook profiles
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • outlook_office_path
        • outlook_win_path
        PID:1528

Network

        MITRE ATT&CK Enterprise v6

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\tmpD470.tmp
          Filesize
          1KB
          MD5
          737e476324431e4677444861505e29e2
          SHA1
          0b01ec91798cca31f784cee6333eb711af9e5f63
          SHA256
          eee740c749c5ed4245156ebaa5428b9019c48044b86911ce46b41d5317c7c877
          SHA512
          e8072254e9de0e42e49ac78e8412d49673627c05a7e32e2ae0115b679170313ad7e59666804d83f5ac353502e4d563d7437bf0985ea50ff1b1dcf82d839f7d0a

        • C:\Users\Public\vbc.exe
          Filesize
          766KB
          MD5
          0a1c7648ea08ec9716e7a7bae7fbf488
          SHA1
          ab8430d97edda6edba2464db80d8d064c45bc3a1
          SHA256
          9a42f6f94bbb304dc608954e9c5d4a8fbee7a78166fc2bad251fd7f0343114e7
          SHA512
          2105bef1ca4939b1d9b88962067f2920d22cf113005b13d53e2617bb7fa7c314af19371b8e7e8a14834eab49041c19956639f2d74d5f5e30a5e6fe40c1de4b3c

        • \Users\Public\vbc.exe
          Filesize
          766KB
          MD5
          0a1c7648ea08ec9716e7a7bae7fbf488
          SHA1
          ab8430d97edda6edba2464db80d8d064c45bc3a1
          SHA256
          9a42f6f94bbb304dc608954e9c5d4a8fbee7a78166fc2bad251fd7f0343114e7
          SHA512
          2105bef1ca4939b1d9b88962067f2920d22cf113005b13d53e2617bb7fa7c314af19371b8e7e8a14834eab49041c19956639f2d74d5f5e30a5e6fe40c1de4b3c

        • memory/1320-58-0x0000000075D01000-0x0000000075D03000-memory.dmp
          Filesize
          8KB
        • memory/1320-57-0x00000000728DD000-0x00000000728E8000-memory.dmp
          Filesize
          44KB
        • memory/1320-67-0x00000000728DD000-0x00000000728E8000-memory.dmp
          Filesize
          44KB
        • memory/1320-56-0x000000005FFF0000-0x0000000060000000-memory.dmp
          Filesize
          64KB
        • memory/1320-54-0x000000002FCE1000-0x000000002FCE4000-memory.dmp
          Filesize
          12KB
        • memory/1320-55-0x00000000718F1000-0x00000000718F3000-memory.dmp
          Filesize
          8KB
        • memory/1524-74-0x0000000004E30000-0x0000000004E58000-memory.dmp
          Filesize
          160KB
        • memory/1524-64-0x00000000011E0000-0x00000000012A6000-memory.dmp
          Filesize
          792KB
        • memory/1524-66-0x00000000001E0000-0x00000000001F4000-memory.dmp
          Filesize
          80KB
        • memory/1524-68-0x00000000002A0000-0x00000000002AC000-memory.dmp
          Filesize
          48KB
        • memory/1524-69-0x00000000047A0000-0x0000000004822000-memory.dmp
          Filesize
          520KB
        • memory/1528-80-0x0000000000400000-0x0000000000426000-memory.dmp
          Filesize
          152KB
        • memory/1528-75-0x0000000000400000-0x0000000000426000-memory.dmp
          Filesize
          152KB
        • memory/1528-76-0x0000000000400000-0x0000000000426000-memory.dmp
          Filesize
          152KB
        • memory/1528-78-0x0000000000400000-0x0000000000426000-memory.dmp
          Filesize
          152KB
        • memory/1528-81-0x0000000000400000-0x0000000000426000-memory.dmp
          Filesize
          152KB
        • memory/1528-85-0x0000000000400000-0x0000000000426000-memory.dmp
          Filesize
          152KB
        • memory/1528-87-0x0000000000400000-0x0000000000426000-memory.dmp
          Filesize
          152KB
        • memory/1876-89-0x0000000066440000-0x00000000669EB000-memory.dmp
          Filesize
          5.7MB
        • memory/1876-90-0x0000000004B90000-0x0000000004E62000-memory.dmp
          Filesize
          2.8MB
        • memory/1876-91-0x0000000066440000-0x00000000669EB000-memory.dmp
          Filesize
          5.7MB