Analysis
-
max time kernel
118s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240419-en -
resource tags
-
submitted
04-07-2024 19:37
General
-
Target
OVER DUE INVOICE PAYMENT.docx
-
Size
16KB
-
MD5
9f3fd4e8aa2ad81966d0c2a036d1e901
-
SHA1
80a58393acb58fcc666e56b514994d98ba3f4716
-
SHA256
cd9cf022180c8c6f6c4fb0d76476bf2e9382128d28a4686114c50448934e5381
-
SHA512
1f97f830da19d686d8a41f8be36809fbd245f8720835561730dd10bf7cbefe03f17e77df32c0d9c1333084fb598f718fec3ad69f6d7c9313a139b7faa872a7c1
-
SSDEEP
384:3oyX8glCWUs8PL8wi4OEwH8TIbE91r2fRgJY7viL6CnUaV:Yc8xv5P3DOqnYJu2vq6CnB
Malware Config
Extracted
snakekeylogger
Protocol: smtp- Host:
mail.artefes.com - Port:
587 - Username:
[email protected] - Password:
ArtEfes4765*+
Signatures
-
Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
-
Snake Keylogger payload 5 IoCs
-
Blocklisted process makes network request 1 IoCs
-
Downloads MZ/PE file
-
Abuses OpenXML format to download file from external location
-
Executes dropped EXE 2 IoCs
-
Loads dropped DLL 1 IoCs
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext 1 IoCs
-
Drops file in Windows directory 1 IoCs
-
Office loads VBA resources, possible macro or embedded object present
-
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
-
Modifies Internet Explorer settings 1 TTPs 31 IoCs
-
Modifies registry class 64 IoCs
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 17 IoCs
-
outlook_office_path 1 IoCs
-
outlook_win_path 1 IoCs
Processes
-
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\OVER DUE INVOICE PAYMENT.docx"1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\splwow64.exeC:\Windows\splwow64.exe 122882⤵
-
C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\obi23456.scr"C:\Users\Admin\AppData\Roaming\obi23456.scr"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\obi23456.scr"C:\Users\Admin\AppData\Roaming\obi23456.scr"3⤵
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8B2B9A00839EED1DFDCCC3BFC2F5DF12Filesize
1KB
MD52365869258df7a66a2121b802ca4afd9
SHA173acc30a2edeb9d6830de559bb8a74f35168135d
SHA256d6b1932822bbd72a8e78c771717d992142348f67d625a42393719fefbe59b0ed
SHA512795004bab536e128dbd81c188976d37c7b650efbfa5a80374df4c65a1049c27658f4620b7605583928eb167fcb69b4c99e4c8730c507b824a7bde9c7fb0e21f4
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B46811C17859FFB409CF0E904A4AA8F8Filesize
436B
MD51bfe0a81db078ea084ff82fe545176fe
SHA150b116f578bd272922fa8eae94f7b02fd3b88384
SHA2565ba8817f13eee00e75158bad93076ab474a068c6b52686579e0f728fda68499f
SHA51237c582f3f09f8d80529608c09041295d1644bcc9de6fb8c4669b05339b0dd870f9525abc5eed53ad06a94b51441275504bc943c336c5beb63b53460ba836ca8d
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8B2B9A00839EED1DFDCCC3BFC2F5DF12Filesize
174B
MD513e561d1211f89a5d091a53dccc9142c
SHA10c7aba1c3b1619fb9a9e1ffd345995811aa7d7e0
SHA256bd9c8cfa8804b81aae506b27d2b483ff475988fa751c9279016dd5e26860d8bd
SHA512caa7415f0f1d60d6b5161ccf14cdb8de0d10c0a8762efa02ba7dc03cfff938a61e60e90c7801bb18c6f32bce7b026f0decf554e16024ff29c34910dd12ce6383
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
344B
MD5091e8f66ecb361612012d43ec6828a6a
SHA1f029921a8b8a14ae633c3880c31a2163f42915be
SHA25696ed0b3926b05ef27ddb7dcd6b5a5f1cb0955c2041607ff9903b36bfba30c0fe
SHA5123d5ae226a4f43e150fe9ae2c4d2eb0922ceb11cccfdac9ae27986093816954a4335f011495386553af8baef59d793b7b3ec924177294735e149be409ae8b38b4
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B46811C17859FFB409CF0E904A4AA8F8Filesize
170B
MD58db8ac022f68cd7e3d535c18b9bae955
SHA189f39e775f74c6e8412494dbe677211cb07b30ae
SHA25603cbc55cf916104a0788913cb1df97c492942b8c9bd9545ce11e43e7c2eb601d
SHA512134881b98bc4441e9a237d1f645adf62123707f25ffecff99280d542563da574ebfeb5372863b861c80deb8d8c23b1f9dac6d21de651ae78a77a53d05dd75c38
-
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSDFilesize
128KB
MD52eec08ef910f08c89f7b2bb2fd803d75
SHA16f202d7bdb25ec8861475db47279483295a660cc
SHA256b42a20087de14f7a77178a3b4adc53147167f87f2ca6b1b725f3e5c08b6ca71b
SHA512f88fc47a0acd7148ad6eea815d403d97f04016b92f2838624c4ee6701a40f52e8723f7140e4495715d1089aa7291c784cfd745a84f3cf775f77bfb8b8f8b67cb
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\528EVS6A\obb[1].docFilesize
536KB
MD53f9a089317afa13a17b61d5e0f95b75e
SHA1f5129818d643fba59bf77bc2785eef2af34db679
SHA25609cc281d7242aeddd2de25d63ef16e9b8d190bd06d31928410fdaef1e5a5c351
SHA5126a73233318865bd82c9a15887421a1197febfb88070216979be9c04f97c9749dae728fd75f3c4d372f4a7c0e834750e3aac4422508bcbbc39d9ec82d9c1822c8
-
C:\Users\Admin\AppData\Local\Temp\Cab2A99.tmpFilesize
68KB
MD529f65ba8e88c063813cc50a4ea544e93
SHA105a7040d5c127e68c25d81cc51271ffb8bef3568
SHA2561ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
SHA512e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa
-
C:\Users\Admin\AppData\Local\Temp\{F5188564-E235-4350-BAE4-6424F5BE973F}Filesize
128KB
MD581be0349d4980996f9a61697e2fe0577
SHA146f467030743c7dcfc6c345d11cf3e1680b83ff8
SHA256cd05dbcb8abdcb1b00ea26c54a3c102a17d823ea1d15276f6c376d3fe06535f3
SHA5128fe4c2bf610c417fa64edfb585d4cf97d1112215c46ade39232b6b46d02cf9821e00da8652aa16f48127bc1bed326e98fac5f17ee0c3aff34129ca7cd552df9c
-
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotmFilesize
20KB
MD568fefc8a40ab9993b00d1102d02b7471
SHA11ac0313336b78d4daa6fb51aac6248e0f8a3e10b
SHA2560fec2290d6c2d864964e8d68bc5beabf4d39fc54d555d37e2756d1c1ae908959
SHA5129322afa82be11aa9d5b27f7bbfa72fedcc805a5eb1dc83e93f6bff297f0ef52dcd87142bbc8d0157323590ac568ecb57f3bdf31c4b6508162b827ed1d4d0de85
-
C:\Users\Admin\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lexFilesize
2B
MD5f3b25701fe362ec84616a93a45ce9998
SHA1d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA51298c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84
-
\Users\Admin\AppData\Roaming\obi23456.scrFilesize
508KB
MD5f7bdadaff67e573f145d2e8e32e32cd8
SHA1cfd1377d49e09ecfa842760dd9cc78cc17a34628
SHA256fe80eeade269ce2b6688e039296fc9e9743e24f881341adad24e220967312316
SHA51225477c0a78d20a43c6cfa7819185c680566c20e6d0c7a65ffecbddc91df9bd91310b6368b849b6f8f6688d85a2c86e3c9af1f68ec4358deb3cc94a6473d3f4c6
-
memory/1756-124-0x0000000000940000-0x0000000000994000-memory.dmpFilesize
336KB
-
memory/1756-129-0x0000000000B30000-0x0000000000B38000-memory.dmpFilesize
32KB
-
memory/1756-122-0x0000000001370000-0x00000000013F6000-memory.dmpFilesize
536KB
-
memory/2884-132-0x0000000000400000-0x0000000000426000-memory.dmpFilesize
152KB
-
memory/2884-130-0x0000000000400000-0x0000000000426000-memory.dmpFilesize
152KB
-
memory/2884-142-0x0000000000400000-0x0000000000426000-memory.dmpFilesize
152KB
-
memory/2884-141-0x0000000000400000-0x0000000000426000-memory.dmpFilesize
152KB
-
memory/2884-139-0x0000000000400000-0x0000000000426000-memory.dmpFilesize
152KB
-
memory/2884-138-0x000000007EFDE000-0x000000007EFDF000-memory.dmpFilesize
4KB
-
memory/2884-136-0x0000000000400000-0x0000000000426000-memory.dmpFilesize
152KB
-
memory/2884-134-0x0000000000400000-0x0000000000426000-memory.dmpFilesize
152KB
-
memory/3020-0-0x000000002F021000-0x000000002F022000-memory.dmpFilesize
4KB
-
memory/3020-2-0x0000000070B7D000-0x0000000070B88000-memory.dmpFilesize
44KB
-
memory/3020-153-0x0000000070B7D000-0x0000000070B88000-memory.dmpFilesize
44KB
-
memory/3020-1-0x000000005FFF0000-0x0000000060000000-memory.dmpFilesize
64KB
-
memory/3020-177-0x000000005FFF0000-0x0000000060000000-memory.dmpFilesize
64KB
-
memory/3020-178-0x0000000070B7D000-0x0000000070B88000-memory.dmpFilesize
44KB