snakekeylogger | 77f0075657d4275615fc35fa3008ed59f05a0b4e6fb785af1fd236b3abc0d1b4

Analysis

max time kernel
143s
max time network
117s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
28-03-2023 06:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

invoice.xls
Size

1.3MB
MD5

ccd88bef786f8ea5476f550b4bf3328a
SHA1

eb36320094269ca0e3c7ebcb8405b2d41ec35bf2
SHA256

77f0075657d4275615fc35fa3008ed59f05a0b4e6fb785af1fd236b3abc0d1b4
SHA512

8cddfd64a141365c9d13b2d0ed329bc4fc21a2d2c623d51b7c29b62c7eb2e9233bc0129df8603f9c1b3a8a0ee6965e84f3100edefcff9f15639ff0d721f66242
SSDEEP

24576:WLK+WQmmav30xMSSMMednErP6bvdXXXXXXXXXXXXUXXXXXXXXXXXXXXXXXpSSMM5:WLKzQmmQ30uMM6uMsR6lr3DGbP

Score

10^/10

snakekeylogger collection keylogger spyware stealer

Malware Config

Signatures

Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
stealer keylogger snakekeylogger

Snake Keylogger payload 5 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1920-85-0x0000000000400000-0x0000000000437000-memory.dmp	family_snakekeylogger
behavioral1/memory/1920-89-0x0000000000400000-0x0000000000437000-memory.dmp	family_snakekeylogger
behavioral1/memory/1920-90-0x0000000000400000-0x0000000000437000-memory.dmp	family_snakekeylogger
behavioral1/memory/1920-91-0x00000000003D0000-0x00000000003F6000-memory.dmp	family_snakekeylogger
behavioral1/memory/1920-92-0x00000000020F0000-0x0000000002130000-memory.dmp	family_snakekeylogger

Blocklisted process makes network request 1 IoCs

Processes:

EQNEDT32.EXE

flow pid process

3 928 EQNEDT32.EXE
Downloads MZ/PE file
Executes dropped EXE 3 IoCs

Processes:

vbc.exefzutvwnon.exefzutvwnon.exe

pid process

1612 vbc.exe
1976 fzutvwnon.exe
1920 fzutvwnon.exe
Loads dropped DLL 4 IoCs

Processes:

EQNEDT32.EXEvbc.exefzutvwnon.exe

pid process

928 EQNEDT32.EXE
1612 vbc.exe
1612 vbc.exe
1976 fzutvwnon.exe
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

flow	pid	process
3	928	EQNEDT32.EXE

pid	process
1612	vbc.exe
1976	fzutvwnon.exe
1920	fzutvwnon.exe

pid	process
928	EQNEDT32.EXE
1612	vbc.exe
1612	vbc.exe
1976	fzutvwnon.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

fzutvwnon.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	fzutvwnon.exe
Key opened	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	fzutvwnon.exe
Key opened	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	fzutvwnon.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

4 checkip.dyndns.org
Suspicious use of SetThreadContext 1 IoCs

Processes:

fzutvwnon.exe

description pid process target process

PID 1976 set thread context of 1920 1976 fzutvwnon.exe fzutvwnon.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry
T1012

System Information Discovery
T1082

Processes:

EXCEL.EXE

description ioc process

Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor EXCEL.EXE
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
exploit

Exploitation for Client Execution
T1203

Processes:

EQNEDT32.EXE

pid process

928 EQNEDT32.EXE

flow	ioc
4	checkip.dyndns.org

description	pid	process	target process
PID 1976 set thread context of 1920	1976	fzutvwnon.exe	fzutvwnon.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

pid	process
928	EQNEDT32.EXE

Modifies Internet Explorer settings 1 TTPs 31 IoCs

adware spyware

Modify Registry

T1112

Processes:

EXCEL.EXE

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\Toolbar	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\MenuExt	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	EXCEL.EXE

Modifies registry class 64 IoCs

Processes:

EXCEL.EXE

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ = "&Open"	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\ = "&Open"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\ = "&Open"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\ShellEx	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohevi.dll"	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\ = "&Open"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon\ = "\"%1\""	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\ = "&Open"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\ = "&Print"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\mhtmlfile	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ = "&Open"	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\htmlfile	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ = "&Open"	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

2028 EXCEL.EXE
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

fzutvwnon.exe

pid process

1920 fzutvwnon.exe
1920 fzutvwnon.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

fzutvwnon.exe

pid process

1976 fzutvwnon.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

fzutvwnon.exe

description pid process

Token: SeDebugPrivilege 1920 fzutvwnon.exe
Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

EXCEL.EXE

pid process

2028 EXCEL.EXE
2028 EXCEL.EXE
2028 EXCEL.EXE

pid	process
2028	EXCEL.EXE

pid	process
1920	fzutvwnon.exe
1920	fzutvwnon.exe

pid	process
1976	fzutvwnon.exe

description	pid	process
Token: SeDebugPrivilege	1920	fzutvwnon.exe

pid	process
2028	EXCEL.EXE
2028	EXCEL.EXE
2028	EXCEL.EXE

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

EQNEDT32.EXEvbc.exefzutvwnon.exe

description	pid	process	target process
PID 928 wrote to memory of 1612	928	EQNEDT32.EXE	vbc.exe
PID 928 wrote to memory of 1612	928	EQNEDT32.EXE	vbc.exe
PID 928 wrote to memory of 1612	928	EQNEDT32.EXE	vbc.exe
PID 928 wrote to memory of 1612	928	EQNEDT32.EXE	vbc.exe
PID 1612 wrote to memory of 1976	1612	vbc.exe	fzutvwnon.exe
PID 1612 wrote to memory of 1976	1612	vbc.exe	fzutvwnon.exe
PID 1612 wrote to memory of 1976	1612	vbc.exe	fzutvwnon.exe
PID 1612 wrote to memory of 1976	1612	vbc.exe	fzutvwnon.exe
PID 1976 wrote to memory of 1920	1976	fzutvwnon.exe	fzutvwnon.exe
PID 1976 wrote to memory of 1920	1976	fzutvwnon.exe	fzutvwnon.exe
PID 1976 wrote to memory of 1920	1976	fzutvwnon.exe	fzutvwnon.exe
PID 1976 wrote to memory of 1920	1976	fzutvwnon.exe	fzutvwnon.exe
PID 1976 wrote to memory of 1920	1976	fzutvwnon.exe	fzutvwnon.exe

outlook_office_path 1 IoCs

Processes:

fzutvwnon.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	fzutvwnon.exe

outlook_win_path 1 IoCs

Processes:

fzutvwnon.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	fzutvwnon.exe

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\invoice.xls
1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2028

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:928

C:\Users\Public\vbc.exe
"C:\Users\Public\vbc.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1612

C:\Users\Admin\AppData\Local\Temp\fzutvwnon.exe
"C:\Users\Admin\AppData\Local\Temp\fzutvwnon.exe" C:\Users\Admin\AppData\Local\Temp\amhfv.r
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1976

C:\Users\Admin\AppData\Local\Temp\fzutvwnon.exe
"C:\Users\Admin\AppData\Local\Temp\fzutvwnon.exe"
4⤵
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:1920

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

T1064

Exploitation for Client Execution

T1203

Persistence

Privilege Escalation

Defense Evasion

Scripting

T1064

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\3DC6A8B2.emf
Filesize
249KB

MD5
1a7fbc59e6099e8c42e1f3ea1fc1e57c

SHA1
069f119c72e0cf9fbb1149b7c55627bc5da20a89

SHA256
59309207b0a12b350fa5936f92c9cc1102fcacbb977717edc979fec025ae708f

SHA512
669c1e823eb91fb5ea8c76ee16dcfc8ee415421871b9d7035dbc1a234712b9e80311b21d8aeb61f99c69367c279774e54c56870cede82916b551add45e073ed1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\C3AF7D0B.emf
Filesize
1.4MB

MD5
d69c22a341e111feea69df6d8c655d60

SHA1
ac862337f2efa43627508927f5052ce694012206

SHA256
05b2053bf1d070d6034b45cd79b54d80da3c6d88d016671a345e75048b1a68db

SHA512
d4db33ed046b3c9ba09c4b3feac17b1fe2e75fce67f4154fd795d504708c295a1e3c8331ed3d6c3ee9950c936c4cc25b5d690558c26f2e1f7771bd5eb275822c

Download Submit
C:\Users\Admin\AppData\Local\Temp\amhfv.r
Filesize
6KB

MD5
5385c914ba21e2acd3ed22e8e8cb531d

SHA1
41af2470ddf143003b0a5e7e30228bb2925053d0

SHA256
ed30c27eb637febd67dc4c5ae3714e88f12b0871543d774ae9ce64f4fb4c36fd

SHA512
1fa6c8c7dd10ef32882568f157aa410674dd86981205393df30f055fb755d7dc07364016d44e5e636befeb32258020cd16288fac863e6acdca6c00c032ac8238

Download Submit
C:\Users\Admin\AppData\Local\Temp\fzutvwnon.exe
Filesize
138KB

MD5
5ae5136cf30b0ac8348fd79052c86b0c

SHA1
0db2a625e6e7ebdcee5cd3c5cbe583d56bb236ea

SHA256
a59f2e2032ab0c2c6ced4498f8d88c50b3a7d677b7cb977fb3fcca6838ebef1e

SHA512
86444ede91ad600a9943b1bc42a670d2f2a874c1a99d32fb83c851c219ca23e2f2c1ecc896c295b2af970392cca72d2406ff2a006e7333120308737e61ba76b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\fzutvwnon.exe
Filesize
138KB

MD5
5ae5136cf30b0ac8348fd79052c86b0c

SHA1
0db2a625e6e7ebdcee5cd3c5cbe583d56bb236ea

SHA256
a59f2e2032ab0c2c6ced4498f8d88c50b3a7d677b7cb977fb3fcca6838ebef1e

SHA512
86444ede91ad600a9943b1bc42a670d2f2a874c1a99d32fb83c851c219ca23e2f2c1ecc896c295b2af970392cca72d2406ff2a006e7333120308737e61ba76b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\fzutvwnon.exe
Filesize
138KB

MD5
5ae5136cf30b0ac8348fd79052c86b0c

SHA1
0db2a625e6e7ebdcee5cd3c5cbe583d56bb236ea

SHA256
a59f2e2032ab0c2c6ced4498f8d88c50b3a7d677b7cb977fb3fcca6838ebef1e

SHA512
86444ede91ad600a9943b1bc42a670d2f2a874c1a99d32fb83c851c219ca23e2f2c1ecc896c295b2af970392cca72d2406ff2a006e7333120308737e61ba76b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\fzutvwnon.exe
Filesize
138KB

MD5
5ae5136cf30b0ac8348fd79052c86b0c

SHA1
0db2a625e6e7ebdcee5cd3c5cbe583d56bb236ea

SHA256
a59f2e2032ab0c2c6ced4498f8d88c50b3a7d677b7cb977fb3fcca6838ebef1e

SHA512
86444ede91ad600a9943b1bc42a670d2f2a874c1a99d32fb83c851c219ca23e2f2c1ecc896c295b2af970392cca72d2406ff2a006e7333120308737e61ba76b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\ujutoge.pl
Filesize
225KB

MD5
ac99a9fb725cf4377037eb3a4f9c6990

SHA1
015488a0284f3141ee2a22cfff267fa330f07a9f

SHA256
dc05a51ed6fde34cb631f3cc1a61762cb165f86e0b8db5f66db455cd8d9ce78c

SHA512
4578355428502a2798a252de5c0b70f0a4598902c3be1732fe7c54ae13a4f4f24c3cb72fcf5b04ac5ae3bf7cf00a2280f73135dcbd8dcb4bc315d8ef02ed55dc

Download Submit
C:\Users\Public\vbc.exe
Filesize
284KB

MD5
3d5458f26b59708a5d0da5567189aa41

SHA1
826bcb30b6bb04c549caf271b447710b015e316f

SHA256
f1a4fd0ba166dd905af0029c7f759f23c52481e050fa067d4a8ac6866d71090d

SHA512
205741a7c70a90bdaf955c083d65a54776fa62b1af6714ecd902a0c5f9b3fbc804675d96e582b35990b18f5b22ac78d3e050ac2496b8d4512a350b8cbb9dd465

Download Submit
C:\Users\Public\vbc.exe
Filesize
284KB

MD5
3d5458f26b59708a5d0da5567189aa41

SHA1
826bcb30b6bb04c549caf271b447710b015e316f

SHA256
f1a4fd0ba166dd905af0029c7f759f23c52481e050fa067d4a8ac6866d71090d

SHA512
205741a7c70a90bdaf955c083d65a54776fa62b1af6714ecd902a0c5f9b3fbc804675d96e582b35990b18f5b22ac78d3e050ac2496b8d4512a350b8cbb9dd465

Download Submit
C:\Users\Public\vbc.exe
Filesize
284KB

MD5
3d5458f26b59708a5d0da5567189aa41

SHA1
826bcb30b6bb04c549caf271b447710b015e316f

SHA256
f1a4fd0ba166dd905af0029c7f759f23c52481e050fa067d4a8ac6866d71090d

SHA512
205741a7c70a90bdaf955c083d65a54776fa62b1af6714ecd902a0c5f9b3fbc804675d96e582b35990b18f5b22ac78d3e050ac2496b8d4512a350b8cbb9dd465

Download Submit
\Users\Admin\AppData\Local\Temp\fzutvwnon.exe
Filesize
138KB

MD5
5ae5136cf30b0ac8348fd79052c86b0c

SHA1
0db2a625e6e7ebdcee5cd3c5cbe583d56bb236ea

SHA256
a59f2e2032ab0c2c6ced4498f8d88c50b3a7d677b7cb977fb3fcca6838ebef1e

SHA512
86444ede91ad600a9943b1bc42a670d2f2a874c1a99d32fb83c851c219ca23e2f2c1ecc896c295b2af970392cca72d2406ff2a006e7333120308737e61ba76b9

Download Submit
\Users\Admin\AppData\Local\Temp\fzutvwnon.exe
Filesize
138KB

MD5
5ae5136cf30b0ac8348fd79052c86b0c

SHA1
0db2a625e6e7ebdcee5cd3c5cbe583d56bb236ea

SHA256
a59f2e2032ab0c2c6ced4498f8d88c50b3a7d677b7cb977fb3fcca6838ebef1e

SHA512
86444ede91ad600a9943b1bc42a670d2f2a874c1a99d32fb83c851c219ca23e2f2c1ecc896c295b2af970392cca72d2406ff2a006e7333120308737e61ba76b9

Download Submit
\Users\Admin\AppData\Local\Temp\fzutvwnon.exe
Filesize
138KB

MD5
5ae5136cf30b0ac8348fd79052c86b0c

SHA1
0db2a625e6e7ebdcee5cd3c5cbe583d56bb236ea

SHA256
a59f2e2032ab0c2c6ced4498f8d88c50b3a7d677b7cb977fb3fcca6838ebef1e

SHA512
86444ede91ad600a9943b1bc42a670d2f2a874c1a99d32fb83c851c219ca23e2f2c1ecc896c295b2af970392cca72d2406ff2a006e7333120308737e61ba76b9

Download Submit
\Users\Public\vbc.exe
Filesize
284KB

MD5
3d5458f26b59708a5d0da5567189aa41

SHA1
826bcb30b6bb04c549caf271b447710b015e316f

SHA256
f1a4fd0ba166dd905af0029c7f759f23c52481e050fa067d4a8ac6866d71090d

SHA512
205741a7c70a90bdaf955c083d65a54776fa62b1af6714ecd902a0c5f9b3fbc804675d96e582b35990b18f5b22ac78d3e050ac2496b8d4512a350b8cbb9dd465

Download Submit
memory/1920-95-0x00000000020F0000-0x0000000002130000-memory.dmp

Filesize
256KB

Download
memory/1920-91-0x00000000003D0000-0x00000000003F6000-memory.dmp

Filesize
152KB

Download
memory/1920-85-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1920-93-0x00000000020F0000-0x0000000002130000-memory.dmp

Filesize
256KB

Download
memory/1920-92-0x00000000020F0000-0x0000000002130000-memory.dmp

Filesize
256KB

Download
memory/1920-90-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1920-89-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2028-54-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2028-107-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download