snakekeylogger | 0cabd94f0a906814f15908d2349fddb421d3e15d4879f8cd993c7c518d954ddd

Analysis

max time kernel
108s
max time network
109s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
20-02-2023 19:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0cabd94f0a906814f15908d2349fddb421d3e15d4879f8cd993c7c518d954ddd.docx
Size

10KB
MD5

73eb1fe347f4570fa1fbcbd6b5130f54
SHA1

dc5df0f94c44ad73c16df705f042a88c21f641cc
SHA256

0cabd94f0a906814f15908d2349fddb421d3e15d4879f8cd993c7c518d954ddd
SHA512

2cf93df5e0cf20037629f5ff99f0969031ac09aa12f1e3e2361f9b2b7852023228fea71684d137e721856bc844aebe210370c2bcc8b801452820fdb3f405a175
SSDEEP

192:ScIMmtP0xfUW70vG/b3kgOi4OLO7qus+1pReDnc37FSR:SPX+si10ni4OnyeDnMJ2

Score

10^/10

snakekeylogger collection keylogger spyware stealer

Malware Config

Extracted

Family

snakekeylogger

Credentials

Protocol: smtp
Host:
citalmet.com.ar
Port:
587
Username:
log@citalmet.com.ar
Password:
payment@123

Signatures

Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
stealer keylogger snakekeylogger

Snake Keylogger payload 7 IoCs

Processes:

resource	yara_rule
behavioral1/memory/616-160-0x0000000000400000-0x0000000000426000-memory.dmp	family_snakekeylogger
behavioral1/memory/616-159-0x0000000000400000-0x0000000000426000-memory.dmp	family_snakekeylogger
behavioral1/memory/616-162-0x0000000000400000-0x0000000000426000-memory.dmp	family_snakekeylogger
behavioral1/memory/616-165-0x0000000000400000-0x0000000000426000-memory.dmp	family_snakekeylogger
behavioral1/memory/616-167-0x0000000000400000-0x0000000000426000-memory.dmp	family_snakekeylogger
behavioral1/memory/616-168-0x0000000004BF0000-0x0000000004C30000-memory.dmp	family_snakekeylogger
behavioral1/memory/616-196-0x0000000004BF0000-0x0000000004C30000-memory.dmp	family_snakekeylogger

Blocklisted process makes network request 1 IoCs

Processes:

EQNEDT32.EXE

flow pid process

7 1092 EQNEDT32.EXE
Downloads MZ/PE file

flow	pid	process
7	1092	EQNEDT32.EXE

Abuses OpenXML format to download file from external location 2 IoCs

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Office\14.0\Common	WINWORD.EXE
Key opened	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Office\Common\Offline\Files\http://1755848856/O__O.DOC	WINWORD.EXE

Executes dropped EXE 2 IoCs

Processes:

vbc.exevbc.exe

pid process

1768 vbc.exe
616 vbc.exe
Loads dropped DLL 2 IoCs

Processes:

EQNEDT32.EXE

pid process

1092 EQNEDT32.EXE
1092 EQNEDT32.EXE
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

pid	process
1768	vbc.exe
616	vbc.exe

pid	process
1092	EQNEDT32.EXE
1092	EQNEDT32.EXE

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

vbc.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	vbc.exe
Key opened	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	vbc.exe
Key opened	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	vbc.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

11 checkip.dyndns.org
Suspicious use of SetThreadContext 1 IoCs

Processes:

vbc.exe

description pid process target process

PID 1768 set thread context of 616 1768 vbc.exe vbc.exe
Drops file in Windows directory 1 IoCs

Processes:

WINWORD.EXE

description ioc process

File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE
Office loads VBA resources, possible macro or embedded object present
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
exploit

Exploitation for Client Execution
T1203

Processes:

EQNEDT32.EXE

pid process

1092 EQNEDT32.EXE

flow	ioc
11	checkip.dyndns.org

description	pid	process	target process
PID 1768 set thread context of 616	1768	vbc.exe	vbc.exe

description	ioc	process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

pid	process
1092	EQNEDT32.EXE

Modifies Internet Explorer settings 1 TTPs 31 IoCs

adware spyware

Modify Registry

T1112

Processes:

WINWORD.EXE

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE

Modifies registry class 64 IoCs

Processes:

WINWORD.EXE

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohevi.dll"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\mhtmlfile	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\ = "&Edit"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\ShellEx	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ThreadingModel = "Apartment"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\ShellEx	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\ = "&Edit"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

WINWORD.EXE

pid process

1368 WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 9 IoCs

Processes:

vbc.exevbc.exe

pid process

1768 vbc.exe
1768 vbc.exe
1768 vbc.exe
1768 vbc.exe
1768 vbc.exe
1768 vbc.exe
1768 vbc.exe
616 vbc.exe
616 vbc.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

vbc.exevbc.exeWINWORD.EXE

description pid process

Token: SeDebugPrivilege 1768 vbc.exe
Token: SeDebugPrivilege 616 vbc.exe
Token: SeShutdownPrivilege 1368 WINWORD.EXE
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

WINWORD.EXE

pid process

1368 WINWORD.EXE
1368 WINWORD.EXE

pid	process
1368	WINWORD.EXE

pid	process
1768	vbc.exe
1768	vbc.exe
1768	vbc.exe
1768	vbc.exe
1768	vbc.exe
1768	vbc.exe
1768	vbc.exe
616	vbc.exe
616	vbc.exe

description	pid	process
Token: SeDebugPrivilege	1768	vbc.exe
Token: SeDebugPrivilege	616	vbc.exe
Token: SeShutdownPrivilege	1368	WINWORD.EXE

pid	process
1368	WINWORD.EXE
1368	WINWORD.EXE

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

EQNEDT32.EXEWINWORD.EXEvbc.exe

description	pid	process	target process
PID 1092 wrote to memory of 1768	1092	EQNEDT32.EXE	vbc.exe
PID 1092 wrote to memory of 1768	1092	EQNEDT32.EXE	vbc.exe
PID 1092 wrote to memory of 1768	1092	EQNEDT32.EXE	vbc.exe
PID 1092 wrote to memory of 1768	1092	EQNEDT32.EXE	vbc.exe
PID 1368 wrote to memory of 1552	1368	WINWORD.EXE	splwow64.exe
PID 1368 wrote to memory of 1552	1368	WINWORD.EXE	splwow64.exe
PID 1368 wrote to memory of 1552	1368	WINWORD.EXE	splwow64.exe
PID 1368 wrote to memory of 1552	1368	WINWORD.EXE	splwow64.exe
PID 1768 wrote to memory of 616	1768	vbc.exe	vbc.exe
PID 1768 wrote to memory of 616	1768	vbc.exe	vbc.exe
PID 1768 wrote to memory of 616	1768	vbc.exe	vbc.exe
PID 1768 wrote to memory of 616	1768	vbc.exe	vbc.exe
PID 1768 wrote to memory of 616	1768	vbc.exe	vbc.exe
PID 1768 wrote to memory of 616	1768	vbc.exe	vbc.exe
PID 1768 wrote to memory of 616	1768	vbc.exe	vbc.exe
PID 1768 wrote to memory of 616	1768	vbc.exe	vbc.exe
PID 1768 wrote to memory of 616	1768	vbc.exe	vbc.exe

outlook_office_path 1 IoCs

Processes:

vbc.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	vbc.exe

outlook_win_path 1 IoCs

Processes:

vbc.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	vbc.exe

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\0cabd94f0a906814f15908d2349fddb421d3e15d4879f8cd993c7c518d954ddd.docx"
1⤵
- Abuses OpenXML format to download file from external location
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1368

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
2⤵
PID:1552

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:1092

C:\Users\Public\vbc.exe
"C:\Users\Public\vbc.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1768

C:\Users\Public\vbc.exe
"C:\Users\Public\vbc.exe"
3⤵
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:616

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

T1064

Exploitation for Client Execution

T1203

Persistence

Privilege Escalation

Defense Evasion

Scripting

T1064

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{2E5B0EE7-0577-42B8-AD44-7AEE250D93C5}.FSD
Filesize
128KB

MD5
59ac1f7b638c58d64b5d6fa78dda4e9a

SHA1
e94db566c8d0edd706f0bbf38f61b88e5f2028e3

SHA256
c8aab6348798334b86f7e0f60799f8a53f16d2b0ab8520b037f40c699e77873f

SHA512
c7af6d05d9fc0315c57ea2a6717f4d258e81685171f9f08da89628070285d9f1349c73448c9a7407b9909139a3e960954d7cae7e2b1213c2db565f9934b3df20

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD
Filesize
128KB

MD5
e3bd952d1334e9ab97cfd9318811a18f

SHA1
dbff0fc52f12b8f28871f0998655eaf66ea93297

SHA256
55ae54d1c0c918ce12bb2304f8ca4a2af366affef88545b59fa6e77e32581c38

SHA512
392a4b81e6d019ba44a75365d22c7a6bd8c55df875f6fdd0c4dc94994f5ea631bd83fa232e41e4fb7a75597133b492e9ed93c10aea2da60d33843e4fd9cc1d96

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\TAR9OKL9\O__O[1].doc
Filesize
17KB

MD5
bb305858814d868425bd5d85e202991b

SHA1
4c152743525f39a16e56f9bd15e8a0924044355d

SHA256
4da95ef6e49749b7b925c11ad25822791179a009f87ff46b3507322c0bff086a

SHA512
e908ccac56e65472fb724189012619be8a92a20e6ae731a3517b0a7203f96ecc76d0c9d4943cbc8cda6edd45a69f10d23ea268f22abf34d5d3e770ceadfe36fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\{87CA871C-DE77-40F4-AAB1-F9F0FF16AE74}
Filesize
128KB

MD5
422846c17962bd8db1332fd086409874

SHA1
e33462bac4afdcaa1c6173296b062514502ed643

SHA256
582afa91c9cb76f2d87c089fc705ee24022cbbd170da96d77fc74e9c25a60a4a

SHA512
a3fe3749462387a68eea344c340d887eb9b9bbe68ed74248febfc5b1b9c90033f368a527febfc2801df678472378ddf983095d0f95f1dafff2e6abe297f5a4cb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm
Filesize
20KB

MD5
563179a1471860b777820d432c8fcb78

SHA1
27c3fbc80fdc733123b2cc8025be133e3daffdf7

SHA256
01580a28b8fbaca26b5b8461c927c476bad1fc88fc5e1e6ed83cf2a12c8a7e1a

SHA512
772f0afbee05a16b73866d6506df34ff58ef8338ca58587a38a520796e042399a0d5ee31fbd561956da093f157191d52d12d57c1ab01786f456be92c2b39dcaf

Download Submit
C:\Users\Public\vbc.exe
Filesize
978KB

MD5
a0637f11f853be8f538885daccbea677

SHA1
d970b69bbc89f1246e46907e0fdbaf5392e4d4da

SHA256
180a541d61bfa4fda318457b0f16f159671b14305b5993e13b4d63c649eed2cb

SHA512
75b89af63b7a0d097c10ee61ee8c1b4f84d355c0ef8ba5d7286e9adb359692974b9cc4c486dfb0d7ad0f3cbc122d936b293af05362a356883fac70cdfbfb7afc

Download Submit
C:\Users\Public\vbc.exe
Filesize
978KB

MD5
a0637f11f853be8f538885daccbea677

SHA1
d970b69bbc89f1246e46907e0fdbaf5392e4d4da

SHA256
180a541d61bfa4fda318457b0f16f159671b14305b5993e13b4d63c649eed2cb

SHA512
75b89af63b7a0d097c10ee61ee8c1b4f84d355c0ef8ba5d7286e9adb359692974b9cc4c486dfb0d7ad0f3cbc122d936b293af05362a356883fac70cdfbfb7afc

Download Submit
C:\Users\Public\vbc.exe
Filesize
978KB

MD5
a0637f11f853be8f538885daccbea677

SHA1
d970b69bbc89f1246e46907e0fdbaf5392e4d4da

SHA256
180a541d61bfa4fda318457b0f16f159671b14305b5993e13b4d63c649eed2cb

SHA512
75b89af63b7a0d097c10ee61ee8c1b4f84d355c0ef8ba5d7286e9adb359692974b9cc4c486dfb0d7ad0f3cbc122d936b293af05362a356883fac70cdfbfb7afc

Download Submit
C:\Users\Public\vbc.exe
Filesize
978KB

MD5
a0637f11f853be8f538885daccbea677

SHA1
d970b69bbc89f1246e46907e0fdbaf5392e4d4da

SHA256
180a541d61bfa4fda318457b0f16f159671b14305b5993e13b4d63c649eed2cb

SHA512
75b89af63b7a0d097c10ee61ee8c1b4f84d355c0ef8ba5d7286e9adb359692974b9cc4c486dfb0d7ad0f3cbc122d936b293af05362a356883fac70cdfbfb7afc

Download Submit
\Users\Public\vbc.exe
Filesize
978KB

MD5
a0637f11f853be8f538885daccbea677

SHA1
d970b69bbc89f1246e46907e0fdbaf5392e4d4da

SHA256
180a541d61bfa4fda318457b0f16f159671b14305b5993e13b4d63c649eed2cb

SHA512
75b89af63b7a0d097c10ee61ee8c1b4f84d355c0ef8ba5d7286e9adb359692974b9cc4c486dfb0d7ad0f3cbc122d936b293af05362a356883fac70cdfbfb7afc

Download Submit
\Users\Public\vbc.exe
Filesize
978KB

MD5
a0637f11f853be8f538885daccbea677

SHA1
d970b69bbc89f1246e46907e0fdbaf5392e4d4da

SHA256
180a541d61bfa4fda318457b0f16f159671b14305b5993e13b4d63c649eed2cb

SHA512
75b89af63b7a0d097c10ee61ee8c1b4f84d355c0ef8ba5d7286e9adb359692974b9cc4c486dfb0d7ad0f3cbc122d936b293af05362a356883fac70cdfbfb7afc

Download Submit
memory/616-161-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/616-165-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/616-196-0x0000000004BF0000-0x0000000004C30000-memory.dmp

Filesize
256KB

Download
memory/616-168-0x0000000004BF0000-0x0000000004C30000-memory.dmp

Filesize
256KB

Download
memory/616-167-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/616-162-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/616-157-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/616-158-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/616-160-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/616-159-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1368-54-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1368-195-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1768-145-0x0000000000650000-0x0000000000690000-memory.dmp

Filesize
256KB

Download
memory/1768-156-0x0000000000B90000-0x0000000000BBA000-memory.dmp

Filesize
168KB

Download
memory/1768-146-0x00000000004A0000-0x00000000004B6000-memory.dmp

Filesize
88KB

Download
memory/1768-155-0x0000000007F40000-0x0000000007FEE000-memory.dmp

Filesize
696KB

Download
memory/1768-154-0x00000000005F0000-0x00000000005FC000-memory.dmp

Filesize
48KB

Download
memory/1768-144-0x0000000001160000-0x000000000125C000-memory.dmp

Filesize
1008KB

Download
memory/1768-153-0x0000000000650000-0x0000000000690000-memory.dmp

Filesize
256KB

Download