Analysis
-
max time kernel
141s -
max time network
136s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
-
submitted
13-09-2024 20:03
General
-
Target
PackingListU0190219xlsx.vbe
-
Size
14KB
-
MD5
48d02287f3c633ccf96c6f01acd5ca9f
-
SHA1
2ad6405243f648937727731608d638c495b2fe46
-
SHA256
e575a3ecc136ad114643bbd7beb2ffc3d5550fa66955bd2c8f4ef4394e11dc87
-
SHA512
4835bb0f03bfb204e3aba46957af08f02889f7b43c60017151eafc479ba47e6ab50f6caec9cbb07cce4a6a600e6f7c576068d300e65bf762d7cf3cc59673d3c7
-
SSDEEP
384:GA79Z5lXWUBFplgtfcQ///y+KAhxF2asn:Go5lXH9atx//N/TIn
Malware Config
Extracted
snakekeylogger
Protocol: smtp- Host:
juguly.shop - Port:
587 - Username:
[email protected] - Password:
d8GsruZs5Zg6 - Email To:
[email protected]
Signatures
-
Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
-
Snake Keylogger payload 1 IoCs
-
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
-
Blocklisted process makes network request 1 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in System32 directory 2 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Checks processor information in registry 2 TTPs 9 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 7 IoCs
-
Script User-Agent 1 IoCs
Uses user-agent string associated with script host/environment.
-
Suspicious behavior: AddClipboardFormatListener 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 10 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of SetWindowsHookEx 7 IoCs
-
Suspicious use of WriteProcessMemory 16 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
outlook_office_path 1 IoCs
-
outlook_win_path 1 IoCs
Processes
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\PackingListU0190219xlsx.vbe"1⤵
- Blocklisted process makes network request
-
C:\Windows\System32\WScript.exeC:\Windows\System32\WScript.exe "C:\Users\Admin\AppData\Roaming\WEOhONLdSgJdcTV.vbs"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"2⤵
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"3⤵
- Accesses Microsoft Outlook profiles
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
-
-
C:\Windows\system32\wermgr.exe"C:\Windows\system32\wermgr.exe" "-outproc" "0" "1816" "2760" "2700" "2764" "0" "0" "2768" "0" "0" "0" "0" "0"3⤵
- Checks processor information in registry
- Enumerates system info in registry
-
-
-
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\wermgr.exe"C:\Windows\system32\wermgr.exe" "-outproc" "0" "1452" "2672" "2600" "2676" "0" "0" "2680" "0" "0" "0" "0" "0"3⤵
- Checks processor information in registry
- Enumerates system info in registry
-
-
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Desktop\SkipCopy.docx" /o ""1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
4KB
MD5df40ad6dc2a90348acaeea6a74a3a4f3
SHA10199e2dcfb4a84db30333e146fa81eb972f5f900
SHA256518ed9c73d866b77d28d9c1039b0cf07e9c0b5b1eb69193222e88fdc22db037b
SHA5121ca5e6952453f01657f6b1f6683a4b424603b1004f8f7ec55a913fef8622f6a9cdee3ead3263c2cda22adbd7075afc1dc4cefd75d7ac325a9fb21b92be2ed0ca
-
Filesize
3KB
MD59461a7cfb20ff5381df28f51b80c5ef1
SHA1c86c53fca1dcbe307dafbefbb366abf52c9f5eca
SHA256d4af1948337d0deb725f4f2b1fe1a9b60f4519841e28748b11bfd62ccd71e028
SHA512da1e17f67dfebb004ba93d489be504fd7af6d62709ada2581ffa77880baecdaa0015b49d36333d18216d9dc6aad7b0ea2e5bd224d8d3f65ee9b66a05fc45e304
-
Filesize
53KB
MD5a26df49623eff12a70a93f649776dab7
SHA1efb53bd0df3ac34bd119adf8788127ad57e53803
SHA2564ebde1c12625cb55034d47e5169f709b0bd02a8caa76b5b9854efad7f4710245
SHA512e5f9b8645fb2a50763fcbffe877ca03e9cadf099fe2d510b74bfa9ff18d0a6563d11160e00f495eeefebde63450d0ade8d6b6a824e68bd8a59e1971dc842709c
-
Filesize
2KB
MD5e471065a1b3dd2a880666e8f93c0299f
SHA1c4bb2ab71b256d7b1665bb857f22cfa6c76b0150
SHA2560b0e6bd2aa2a2296ab8de04d5009393e04d0fb478fcd0fd24f0d3beabef94275
SHA5121724e8f50e5d9414bbbe9fcc5dc4267584dbec57615abc787898b0830460bd0e35f1e27f67a2e1d8010dff10856486178048de0d0679c6e180c4af2a388749a9
-
Filesize
245KB
MD5f883b260a8d67082ea895c14bf56dd56
SHA17954565c1f243d46ad3b1e2f1baf3281451fc14b
SHA256ef4835db41a485b56c2ef0ff7094bc2350460573a686182bc45fd6613480e353
SHA512d95924a499f32d9b4d9a7d298502181f9e9048c21dbe0496fa3c3279b263d6f7d594b859111a99b1a53bd248ee69b867d7b1768c42e1e40934e0b990f0ce051e
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
376B
MD50576f1b64bcc22b174a73377aef8137a
SHA10fc19fd19f6fc836cf8ff4874e27daf6db190bf7
SHA256395a5b1b3881ab2b579de179e98de8ead45a998fb46da27389ecd194d8bf39fa
SHA5127793c569281294e9c50fa93a6b481cd6de177b2fad309cc71a1f92e3dfebd946ce0846e8d775253113b47f9f6c4a54e23759c5598a156e0f63e4fd03ac2f1534
-
Filesize
16B
MD5d29962abc88624befc0135579ae485ec
SHA1e40a6458296ec6a2427bcb280572d023a9862b31
SHA256a91a702aab9b8dd722843d3d208a21bcfa6556dfc64e2ded63975de4511eb866
SHA5124311e87d8d5559248d4174908817a4ddc917bf7378114435cf12da8ccb7a1542c851812afbaf7dc106771bdb2e2d05f52e7d0c50d110fc7fffe4395592492c2f
-
Filesize
2B
MD5f3b25701fe362ec84616a93a45ce9998
SHA1d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA51298c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84
-
Filesize
217B
MD5e2cf3cd0a15e6ba9b1458ef1fe323061
SHA1b048e615caf1f016b9a7da54b3d3c57640f32c9d
SHA256ff3dfaf6d1532c2b3780d274ff424b3ada3616e3f3d54c956ff487b0b523844e
SHA51215206829fcb027648cfae2a8e6b17c25080c4e9bbdf03ff5c939bf9fcf63e5bf8396c7aa40996841144e96dade483ac48490e65ef21eca1ba0750fafd147fe1c
-
Filesize
6KB
MD584d9c5728faa65d9a2384432cd095c82
SHA1d0f897e36c94d65470aa4771ed7eeda2213bb137
SHA256730dde1fd4a22a955f9454223549cc6c69cedd7992242ce8abf23ed4f142acbc
SHA5121f2517b73b29c090f06725cc0c8a63b3fdd86a51bedcf9b04bd8bf8903d7f259a4d395f63e190fd2ac8072bffc0f579afafff1fcfae54f6d609fc39547de5f84
-
Filesize
6KB
MD5e6a2c0bd04b65736048ae5db30a2b4a5
SHA1e4271fc2c1d8fa66abf8f5a88dbf7975dbec130e
SHA2566318ec468e94bcc6ec8c8df1b9bdd791f83205074f12f8629564af2d035dc321
SHA5124ddbab8da98a17a94d1b5fb5569574af751c4a0102ca89c1bb0ede7fd9484fb9dd737f3c320731a3504fa9772213fda8957b0df1a2cc5d720345804679770cba
-
Filesize
2KB
MD55d19e7489a984fc7bdb1bf2b6cbe00e9
SHA12d82c072b3a9c3d5098879f5ad3d373d9e971146
SHA2564eec31aeeb8c806a0f40bc926644ea34fc2b938f729e834f25eb172aed27bb5c
SHA512074ee8cc31fd31d0c251c69e46b6c8f81aa00b8fdb049efa46eddbff0aee4f1ae21ced405068a19dad214945baba4270babc1368394c1981dfaa5b1459755cf1
-
Filesize
2KB
MD539420007c03867df6c39fa89fd18df5c
SHA18e420eae009ec34c32eaa735b3785764a6f086ec
SHA256f763a491d2417dd31f947cdc5fd92a18b8f3af533280b35da9e7ea38473ea4db
SHA512be0de00a1f29e84e0c59870376be0c2664e0c2d22fe80cf7cf5a865f206341387de798e245e5fa4de4b7ebe1cd4517e89028de949b41208aaa49979f3ddf4a2a
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
472KB
-
Filesize
40KB
-
Filesize
40KB
-
Filesize
272KB
-
Filesize
136KB
-
Filesize
152KB
-
Filesize
5.6MB
-
Filesize
624KB
-
Filesize
320KB
-
Filesize
1.8MB
-
Filesize
584KB
-
Filesize
40KB