Analysis
max time kernel: 119s
max time network: 120s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 30-09-2024 09:01
Static task: static1
Behavioral task: behavioral1
  Sample: Ref227982472 3611316041 有害物情報.Xlsx.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: Ref227982472 3611316041 有害物情報.Xlsx.exe
  Resource: win10v2004-20240802-en
General
Target: Ref227982472 3611316041 有害物情報.Xlsx.exe
Size: 644KB
MD5: 2055e529b8767f5ebaee9afcefd16d91
SHA1: 521d53678fbba3951f19dd2cfed6e4b0d5ef8914
SHA256: 550aeabbe62d5a14363bac014c16acb456fd2d92ea227d5762a85a51466e3404
SHA512: e98333277ff85e147feb5efea6f0376bfbb2cd9bfa361337fdc40c5c211c626b8e7728326d40158e423b33f31eec0cdde3314dee8c19aa82042c747e6aaf01a3
SSDEEP: 12288:gUxKiiSUMD8mBsdNnyVyPziLeSAkJuf3TBtN:gUxchMAfdgVUziqSAmud3
Malware Config
Signatures

Snake Keylogger
Keylogger and Infostealer first seen in November 2020.

Snake Keylogger payload (5 IoCs)
resource  yara_rule
behavioral1/memory/1528-71-0x0000000000400000-0x0000000000426000-memory.dmp  family_snakekeylogger
behavioral1/memory/1528-68-0x0000000000400000-0x0000000000426000-memory.dmp  family_snakekeylogger
behavioral1/memory/1528-66-0x0000000000400000-0x0000000000426000-memory.dmp  family_snakekeylogger
behavioral1/memory/1528-73-0x0000000000400000-0x0000000000426000-memory.dmp  family_snakekeylogger
behavioral1/memory/1528-74-0x0000000000400000-0x0000000000426000-memory.dmp  family_snakekeylogger

Command and Scripting Interpreter: PowerShell (1 TTPs, 4 IoCs)
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
pid   Process
2768  powershell.exe
2072  powershell.exe
1052  powershell.exe
2632  powershell.exe

Executes dropped EXE (3 IoCs)
pid   Process
2136  sCWlgOWYFciIYD.exe
1160  sCWlgOWYFciIYD.exe
1528  sCWlgOWYFciIYD.exe
Reads user/profile data of local email clients (2 TTPs)
Email clients store some user data on disk where infostealers will often target it.

Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Accesses Microsoft Outlook profiles (1 TTPs, 3 IoCs)
description  ioc  Process
Key opened  \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  sCWlgOWYFciIYD.exe
Key opened  \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  sCWlgOWYFciIYD.exe
Key opened  \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  sCWlgOWYFciIYD.exe

Looks up external IP address via web service (1 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
flow  ioc
4     checkip.dyndns.org

Drops file in System32 directory (4 IoCs)
description  ioc  Process
File opened for modification  C:\Windows\system32\taskschd.msc  mmc.exe
File opened for modification  C:\Windows\system32\taskschd.msc  mmc.exe
File opened for modification  C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk  powershell.exe
File opened for modification  C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk  powershell.exe

Suspicious use of SetThreadContext (1 IoCs)
description  pid  Process  procid_target
PID 2136 set thread context of 1528  2136  sCWlgOWYFciIYD.exe  52

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Program crash (1 IoCs)
pid  pid_target  Process  procid_target
784  1992  WerFault.exe  29
System Location Discovery: System Language Discovery (1 TTPs, 9 IoCs)
Attempts to gather information about the system language of a victim host in order to infer its geographical location.
description  ioc  Process
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  powershell.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  schtasks.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  sCWlgOWYFciIYD.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  powershell.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  schtasks.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  sCWlgOWYFciIYD.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  powershell.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  powershell.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Ref227982472 3611316041 有害物情報.Xlsx.exe

Scheduled Task/Job: Scheduled Task (1 TTPs, 2 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid   Process
2608  schtasks.exe
1208  schtasks.exe

Suspicious behavior: EnumeratesProcesses (14 IoCs)
pid   Process
1992  Ref227982472 3611316041 有害物情報.Xlsx.exe
1992  Ref227982472 3611316041 有害物情報.Xlsx.exe
1992  Ref227982472 3611316041 有害物情報.Xlsx.exe
2768  powershell.exe
2632  powershell.exe
1992  Ref227982472 3611316041 有害物情報.Xlsx.exe
2136  sCWlgOWYFciIYD.exe
2136  sCWlgOWYFciIYD.exe
2136  sCWlgOWYFciIYD.exe
1052  powershell.exe
2072  powershell.exe
2136  sCWlgOWYFciIYD.exe
1528  sCWlgOWYFciIYD.exe
1528  sCWlgOWYFciIYD.exe

Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
pid   Process
1792  mmc.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs)
description  pid  Process
Token: 33  2788  mmc.exe
Token: SeIncBasePriorityPrivilege  2788  mmc.exe
Token: 33  2788  mmc.exe
Token: SeIncBasePriorityPrivilege  2788  mmc.exe
Token: 33  2788  mmc.exe
Token: SeIncBasePriorityPrivilege  2788  mmc.exe
Token: 33  2788  mmc.exe
Token: SeIncBasePriorityPrivilege  2788  mmc.exe
Token: 33  2788  mmc.exe
Token: SeIncBasePriorityPrivilege  2788  mmc.exe
Token: 33  2788  mmc.exe
Token: SeIncBasePriorityPrivilege  2788  mmc.exe
Token: 33  2788  mmc.exe
Token: SeIncBasePriorityPrivilege  2788  mmc.exe
Token: 33  2788  mmc.exe
Token: SeIncBasePriorityPrivilege  2788  mmc.exe
Token: 33  2788  mmc.exe
Token: SeIncBasePriorityPrivilege  2788  mmc.exe
Token: 33  2788  mmc.exe
Token: SeIncBasePriorityPrivilege  2788  mmc.exe
Token: 33  2788  mmc.exe
Token: SeIncBasePriorityPrivilege  2788  mmc.exe
Token: 33  2788  mmc.exe
Token: SeIncBasePriorityPrivilege  2788  mmc.exe
Token: 33  2788  mmc.exe
Token: SeIncBasePriorityPrivilege  2788  mmc.exe
Token: 33  2788  mmc.exe
Token: SeIncBasePriorityPrivilege  2788  mmc.exe
Token: 33  2788  mmc.exe
Token: SeIncBasePriorityPrivilege  2788  mmc.exe
Token: 33  2788  mmc.exe
Token: SeIncBasePriorityPrivilege  2788  mmc.exe
Token: 33  2788  mmc.exe
Token: SeIncBasePriorityPrivilege  2788  mmc.exe
Token: 33  2788  mmc.exe
Token: SeIncBasePriorityPrivilege  2788  mmc.exe
Token: 33  2788  mmc.exe
Token: SeIncBasePriorityPrivilege  2788  mmc.exe
Token: 33  2788  mmc.exe
Token: SeIncBasePriorityPrivilege  2788  mmc.exe
Token: 33  2788  mmc.exe
Token: SeIncBasePriorityPrivilege  2788  mmc.exe
Token: 33  2788  mmc.exe
Token: SeIncBasePriorityPrivilege  2788  mmc.exe
Token: 33  2788  mmc.exe
Token: SeIncBasePriorityPrivilege  2788  mmc.exe
Token: 33  2788  mmc.exe
Token: SeIncBasePriorityPrivilege  2788  mmc.exe
Token: 33  2788  mmc.exe
Token: SeIncBasePriorityPrivilege  2788  mmc.exe
Token: 33  2788  mmc.exe
Token: SeIncBasePriorityPrivilege  2788  mmc.exe
Token: 33  2788  mmc.exe
Token: SeIncBasePriorityPrivilege  2788  mmc.exe
Token: 33  2788  mmc.exe
Token: SeIncBasePriorityPrivilege  2788  mmc.exe
Token: 33  2788  mmc.exe
Token: SeIncBasePriorityPrivilege  2788  mmc.exe
Token: SeDebugPrivilege  1992  Ref227982472 3611316041 有害物情報.Xlsx.exe
Token: SeDebugPrivilege  2632  powershell.exe
Token: SeDebugPrivilege  2768  powershell.exe
Token: 33  1792  mmc.exe
Token: SeIncBasePriorityPrivilege  1792  mmc.exe
Token: 33  1792  mmc.exe

Suspicious use of FindShellTrayWindow (1 IoCs)
pid   Process
1792  mmc.exe

Suspicious use of SetWindowsHookEx (4 IoCs)
pid   Process
2788  mmc.exe
2788  mmc.exe
1792  mmc.exe
1792  mmc.exe
Suspicious use of WriteProcessMemory (48 IoCs)
description  pid  Process  procid_target
PID 2788 wrote to memory of 2848  2788  mmc.exe  31
PID 2788 wrote to memory of 2848  2788  mmc.exe  31
PID 2788 wrote to memory of 2848  2788  mmc.exe  31
PID 1992 wrote to memory of 2632  1992  Ref227982472 3611316041 有害物情報.Xlsx.exe  32
PID 1992 wrote to memory of 2632  1992  Ref227982472 3611316041 有害物情報.Xlsx.exe  32
PID 1992 wrote to memory of 2632  1992  Ref227982472 3611316041 有害物情報.Xlsx.exe  32
PID 1992 wrote to memory of 2632  1992  Ref227982472 3611316041 有害物情報.Xlsx.exe  32
PID 1992 wrote to memory of 2768  1992  Ref227982472 3611316041 有害物情報.Xlsx.exe  34
PID 1992 wrote to memory of 2768  1992  Ref227982472 3611316041 有害物情報.Xlsx.exe  34
PID 1992 wrote to memory of 2768  1992  Ref227982472 3611316041 有害物情報.Xlsx.exe  34
PID 1992 wrote to memory of 2768  1992  Ref227982472 3611316041 有害物情報.Xlsx.exe  34
PID 1992 wrote to memory of 2608  1992  Ref227982472 3611316041 有害物情報.Xlsx.exe  36
PID 1992 wrote to memory of 2608  1992  Ref227982472 3611316041 有害物情報.Xlsx.exe  36
PID 1992 wrote to memory of 2608  1992  Ref227982472 3611316041 有害物情報.Xlsx.exe  36
PID 1992 wrote to memory of 2608  1992  Ref227982472 3611316041 有害物情報.Xlsx.exe  36
PID 1992 wrote to memory of 784  1992  Ref227982472 3611316041 有害物情報.Xlsx.exe  39
PID 1992 wrote to memory of 784  1992  Ref227982472 3611316041 有害物情報.Xlsx.exe  39
PID 1992 wrote to memory of 784  1992  Ref227982472 3611316041 有害物情報.Xlsx.exe  39
PID 1992 wrote to memory of 784  1992  Ref227982472 3611316041 有害物情報.Xlsx.exe  39
PID 2948 wrote to memory of 2136  2948  taskeng.exe  42
PID 2948 wrote to memory of 2136  2948  taskeng.exe  42
PID 2948 wrote to memory of 2136  2948  taskeng.exe  42
PID 2948 wrote to memory of 2136  2948  taskeng.exe  42
PID 2136 wrote to memory of 2072  2136  sCWlgOWYFciIYD.exe  45
PID 2136 wrote to memory of 2072  2136  sCWlgOWYFciIYD.exe  45
PID 2136 wrote to memory of 2072  2136  sCWlgOWYFciIYD.exe  45
PID 2136 wrote to memory of 2072  2136  sCWlgOWYFciIYD.exe  45
PID 2136 wrote to memory of 1052  2136  sCWlgOWYFciIYD.exe  47
PID 2136 wrote to memory of 1052  2136  sCWlgOWYFciIYD.exe  47
PID 2136 wrote to memory of 1052  2136  sCWlgOWYFciIYD.exe  47
PID 2136 wrote to memory of 1052  2136  sCWlgOWYFciIYD.exe  47
PID 2136 wrote to memory of 1208  2136  sCWlgOWYFciIYD.exe  49
PID 2136 wrote to memory of 1208  2136  sCWlgOWYFciIYD.exe  49
PID 2136 wrote to memory of 1208  2136  sCWlgOWYFciIYD.exe  49
PID 2136 wrote to memory of 1208  2136  sCWlgOWYFciIYD.exe  49
PID 2136 wrote to memory of 1160  2136  sCWlgOWYFciIYD.exe  51
PID 2136 wrote to memory of 1160  2136  sCWlgOWYFciIYD.exe  51
PID 2136 wrote to memory of 1160  2136  sCWlgOWYFciIYD.exe  51
PID 2136 wrote to memory of 1160  2136  sCWlgOWYFciIYD.exe  51
PID 2136 wrote to memory of 1528  2136  sCWlgOWYFciIYD.exe  52
PID 2136 wrote to memory of 1528  2136  sCWlgOWYFciIYD.exe  52
PID 2136 wrote to memory of 1528  2136  sCWlgOWYFciIYD.exe  52
PID 2136 wrote to memory of 1528  2136  sCWlgOWYFciIYD.exe  52
PID 2136 wrote to memory of 1528  2136  sCWlgOWYFciIYD.exe  52
PID 2136 wrote to memory of 1528  2136  sCWlgOWYFciIYD.exe  52
PID 2136 wrote to memory of 1528  2136  sCWlgOWYFciIYD.exe  52
PID 2136 wrote to memory of 1528  2136  sCWlgOWYFciIYD.exe  52
PID 2136 wrote to memory of 1528  2136  sCWlgOWYFciIYD.exe  52

Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

outlook_office_path (1 IoCs)
description  ioc  Process
Key opened  \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  sCWlgOWYFciIYD.exe

outlook_win_path (1 IoCs)
description  ioc  Process
Key opened  \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  sCWlgOWYFciIYD.exe
Processes

C:\Users\Admin\AppData\Local\Temp\Ref227982472 3611316041 有害物情報.Xlsx.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Ref227982472 3611316041 有害物情報.Xlsx.exe"
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1992

    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Ref227982472 3611316041 有害物情報.Xlsx.exe"
      - Command and Scripting Interpreter: PowerShell
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 2632

    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\sCWlgOWYFciIYD.exe"
      - Command and Scripting Interpreter: PowerShell
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 2768

    C:\Windows\SysWOW64\schtasks.exe
      Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\sCWlgOWYFciIYD" /XML "C:\Users\Admin\AppData\Local\Temp\tmpD6EE.tmp"
      - System Location Discovery: System Language Discovery
      - Scheduled Task/Job: Scheduled Task
      PID: 2608

    C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1992 -s 1080
      - Program crash
      PID: 784

C:\Windows\system32\mmc.exe
  Command line: "C:\Windows\system32\mmc.exe" "C:\Windows\system32\taskschd.msc" /s
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID: 2788

    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
      Command line: dw20.exe -x -s 1132
      PID: 2848

C:\Windows\system32\mmc.exe
  Command line: "C:\Windows\system32\mmc.exe" "C:\Windows\system32\taskschd.msc" /s
  - Drops file in System32 directory
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  PID: 1792

C:\Windows\system32\taskeng.exe
  Command line: taskeng.exe {DB39FF5C-3ABF-4429-9F9C-54450932276B} S-1-5-21-3290804112-2823094203-3137964600-1000:VORHPBAB\Admin:Interactive:[1]
  - Suspicious use of WriteProcessMemory
  PID: 2948

    C:\Users\Admin\AppData\Roaming\sCWlgOWYFciIYD.exe
      Command line: C:\Users\Admin\AppData\Roaming\sCWlgOWYFciIYD.exe
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      PID: 2136

        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\sCWlgOWYFciIYD.exe"
          - Command and Scripting Interpreter: PowerShell
          - Drops file in System32 directory
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: EnumeratesProcesses
          PID: 2072

        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\sCWlgOWYFciIYD.exe"
          - Command and Scripting Interpreter: PowerShell
          - Drops file in System32 directory
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: EnumeratesProcesses
          PID: 1052

        C:\Windows\SysWOW64\schtasks.exe
          Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\sCWlgOWYFciIYD" /XML "C:\Users\Admin\AppData\Local\Temp\tmpACE2.tmp"
          - System Location Discovery: System Language Discovery
          - Scheduled Task/Job: Scheduled Task
          PID: 1208

        C:\Users\Admin\AppData\Roaming\sCWlgOWYFciIYD.exe
          Command line: "C:\Users\Admin\AppData\Roaming\sCWlgOWYFciIYD.exe"
          - Executes dropped EXE
          PID: 1160

        C:\Users\Admin\AppData\Roaming\sCWlgOWYFciIYD.exe
          Command line: "C:\Users\Admin\AppData\Roaming\sCWlgOWYFciIYD.exe"
          - Executes dropped EXE
          - Accesses Microsoft Outlook profiles
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: EnumeratesProcesses
          - outlook_office_path
          - outlook_win_path
          PID: 1528

C:\Windows\explorer.exe
  Command line: "C:\Windows\explorer.exe"
  PID: 1772
Network
MITRE ATT&CK Enterprise v15
Execution
  Command and Scripting Interpreter (1)
    PowerShell (1)
  Scheduled Task/Job (1)
    Scheduled Task (1)
Credential Access
  Credentials from Password Stores (1)
    Credentials from Web Browsers (1)
  Unsecured Credentials (2)
    Credentials In Files (2)
Downloads

Filesize: 1KB
MD5: 9ecc9e925e31fe64fbd3ab1ff693be22
SHA1: 4f2e5dee8b0063246556355354e150a0a2cbc8a8
SHA256: 4861cea58872e6506461c2b6f06b7dbcfcc046e1c389e237763c927d5c0d7df7
SHA512: f67dcabef2a5927b98a235ead7fd73df271688b6b56ababdfec41203f0546b7d382bd52fe1ac2f54fd89ebaa7a99f82615715be0cec30003cf2dcdb9b0635c96

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\DNFB7U3DR989M5AZR7NP.temp
Filesize: 7KB
MD5: dc5575d2fdf535a9d7a303d764b2679e
SHA1: 1d7f59170289e1da6c3a8f253b826286354c55cc
SHA256: 0154cdcfc7c93146f647adee9074b9d951a8b749a9ce1a266ac7393dfd0ccfe3
SHA512: 423a65bdeffb694a8a6ec9f212cea6b4b1780af9828be8876ebd9f90cf4570e67c2caa366c4b770794876acaa715bbe7b46e3cd69d9134b2b4cfca09516ae8c1

Filesize: 644KB
MD5: 2055e529b8767f5ebaee9afcefd16d91
SHA1: 521d53678fbba3951f19dd2cfed6e4b0d5ef8914
SHA256: 550aeabbe62d5a14363bac014c16acb456fd2d92ea227d5762a85a51466e3404
SHA512: e98333277ff85e147feb5efea6f0376bfbb2cd9bfa361337fdc40c5c211c626b8e7728326d40158e423b33f31eec0cdde3314dee8c19aa82042c747e6aaf01a3