Overview

overview

10

Static

static

1

511c823134...18.rtf

windows7-x64

10

511c823134...18.rtf

windows10-2004-x64

1

Analysis

  • max time kernel
    118s
  • max time network
    141s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    02-07-2024 01:22

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    511c82313461b74fe24201d13dead6a280311d248062e09a465eb950502d1c18.rtf

  • Size

    415KB

  • MD5

    ff06a87dd0550386be1f780d560f1877

  • SHA1

    69e95738ec635520a508f7424a759261e5032cb0

  • SHA256

    511c82313461b74fe24201d13dead6a280311d248062e09a465eb950502d1c18

  • SHA512

    60e39f9628edbcb5118d53a2887c8f4879260d1d480a6a25960d58366fef2ca248b7115b521ff7de57c61063c1c35da0ac318fc22ad472b38b0cf34ecfd2534c

  • SSDEEP

    6144:PGuqGuqGuqGuqGuqGuqGuqGuqGuqGuqGuVhG+qMh9c:xe

Score
10/10
snakekeyloggercollectionexecutionkeyloggerspywarestealer

Malware Config

Extracted

Family

snakekeylogger

Credentials

  • Protocol:     smtp
  • Host:
    mail.artefes.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    ArtEfes4765*+

Signatures

  • Snake Keylogger

    Keylogger and Infostealer first seen in November 2020.

    stealerkeyloggersnakekeylogger
  • Snake Keylogger payload 5 IoCs
  • Blocklisted process makes network request 2 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Downloads MZ/PE file
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Office loads VBA resources, possible macro or embedded object present
  • Launches Equation Editor 1 TTPs 1 IoCs

    Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

    exploit
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\511c82313461b74fe24201d13dead6a280311d248062e09a465eb950502d1c18.rtf"
    1⤵
    • Drops file in Windows directory
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3068
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
        PID:2800
    • C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
      "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
      1⤵
      • Blocklisted process makes network request
      • Loads dropped DLL
      • Launches Equation Editor
      • Suspicious use of WriteProcessMemory
      PID:3056
      • C:\Users\Admin\AppData\Roaming\obie8920193.exe
        "C:\Users\Admin\AppData\Roaming\obie8920193.exe"
        2⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:2708
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\obie8920193.exe"
          3⤵
          • Command and Scripting Interpreter: PowerShell
          • Drops file in System32 directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1208
        • C:\Users\Admin\AppData\Roaming\obie8920193.exe
          "C:\Users\Admin\AppData\Roaming\obie8920193.exe"
          3⤵
          • Executes dropped EXE
          • Accesses Microsoft Outlook profiles
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • outlook_office_path
          • outlook_win_path
          PID:1308

    Network

    MITRE ATT&CK Matrix ATT&CK v13

    Initial Access

    Execution

    Command and Scripting Interpreter

    1
    T1059

    PowerShell

    1
    T1059.001

    Exploitation for Client Execution

    1
    T1203

    Persistence

    Privilege Escalation

    Defense Evasion

    Modify Registry

    1
    T1112

    Credential Access

    Unsecured Credentials

    2
    T1552

    Credentials In Files

    2
    T1552.001

    Discovery

    System Information Discovery

    1
    T1082

    Lateral Movement

    Collection

    Data from Local System

    2
    T1005

    Email Collection

    1
    T1114

    Exfiltration

    Command and Control

    Impact

    Resource Development

    Reconnaissance

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm
      Filesize

      20KB

      MD5

      1f76a10a8fa8cf35fc5cd91d6b43e472

      SHA1

      a5cbd38533ff6aa55bb0463073cdea16222fd976

      SHA256

      eeb2538d2cef26c93b3d7161ffbb7ee82e4763582954e810d05f52e3affb3b9f

      SHA512

      b0eb2fa28e05e70c3b4966065cafc399744fba217d9717fbd2a4371e674d6899139bab3d9d1293fc26f681bd5ed16972ebc3faa557e4d289dc74699bee3ba705

      Download Submit
    • \Users\Admin\AppData\Roaming\obie8920193.exe
      Filesize

      541KB

      MD5

      dbdacf479a9dd40133701e06e6dc401c

      SHA1

      5e78767cf2498d34fc27674ff326f2a7ce5ab2a3

      SHA256

      a597f53ed7d5e4cc1af67800969953f431c7c99467d75a42e3db360d7302283c

      SHA512

      f46d0fce9ad0e9c4a9142e53d02aa903dc082872068dea6597c8d22e6154f25976a309815a8efd721b5451ceb3646976d69e664db261becd18f250b8fdaa89a6

      Download Submit
    • memory/1208-57-0x00000000002A0000-0x00000000002A9000-memory.dmp
      Filesize

      36KB

      Download
    • memory/1308-42-0x0000000000400000-0x0000000000426000-memory.dmp
      Filesize

      152KB

      Download
    • memory/1308-48-0x0000000000400000-0x0000000000426000-memory.dmp
      Filesize

      152KB

      Download
    • memory/1308-44-0x0000000000400000-0x0000000000426000-memory.dmp
      Filesize

      152KB

      Download
    • memory/1308-46-0x0000000000400000-0x0000000000426000-memory.dmp
      Filesize

      152KB

      Download
    • memory/1308-51-0x0000000000400000-0x0000000000426000-memory.dmp
      Filesize

      152KB

      Download
    • memory/1308-50-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1308-54-0x0000000000400000-0x0000000000426000-memory.dmp
      Filesize

      152KB

      Download
    • memory/1308-53-0x0000000000400000-0x0000000000426000-memory.dmp
      Filesize

      152KB

      Download
    • memory/2708-41-0x0000000002170000-0x00000000021D8000-memory.dmp
      Filesize

      416KB

      Download
    • memory/2708-32-0x0000000000930000-0x00000000009B8000-memory.dmp
      Filesize

      544KB

      Download
    • memory/2708-40-0x0000000000660000-0x000000000066C000-memory.dmp
      Filesize

      48KB

      Download
    • memory/2708-38-0x00000000005B0000-0x00000000005C0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/3068-0-0x000000002FB61000-0x000000002FB62000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3068-2-0x00000000717CD000-0x00000000717D8000-memory.dmp
      Filesize

      44KB

      Download
    • memory/3068-58-0x00000000717CD000-0x00000000717D8000-memory.dmp
      Filesize

      44KB

      Download
    • memory/3068-1-0x000000005FFF0000-0x0000000060000000-memory.dmp
      Filesize

      64KB

      Download
    • memory/3068-79-0x000000005FFF0000-0x0000000060000000-memory.dmp
      Filesize

      64KB

      Download