Analysis
- max time kernel: 119s
- max time network: 128s
- platform: windows7_x64
- resource: win7-20240704-en
- resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
- submitted: 05-07-2024 01:31
Static task: static1
Behavioral task: behavioral1
- Sample: 194c843d5109edd9d14f1b459524dde024bd903d3e70616b9270263279b5416f.docx
- Resource: win7-20240704-en
Behavioral task: behavioral2
- Sample: 194c843d5109edd9d14f1b459524dde024bd903d3e70616b9270263279b5416f.docx
- Resource: win10v2004-20240704-en
General
- Target: 194c843d5109edd9d14f1b459524dde024bd903d3e70616b9270263279b5416f.docx
- Size: 16KB
- MD5: d5ab2de292b70d3a7f0fc16b236c325b
- SHA1: b7e498349dae307fdf4d08dfb5de5eccba4ac3d5
- SHA256: 194c843d5109edd9d14f1b459524dde024bd903d3e70616b9270263279b5416f
- SHA512: 2a33a54389da5716021c2a3d181e27819d7c2bfcc4eb921fe4cbed4880b800901ee478f059c7f48375609e4e78f31874eeca5364df01d3fde49d9ef2744fe2ee
- SSDEEP: 384:IyXKW7AWss8PL8wi4OEwH8TIbE91r2fRMJYvvid4ejeaS:IcK/b5P3DOqnYJKuvs4ejI
Malware Config
Extracted
- Protocol: smtp
- Host: mail.ebizindia.com
- Port: 587
- Username: [email protected]
- Password: Duro Mausam
Extracted (snakekeylogger)
- Protocol: smtp
- Host: mail.ebizindia.com
- Port: 587
- Username: [email protected]
- Password: Duro Mausam
Signatures
- Snake Keylogger
  Keylogger and Infostealer first seen in November 2020.
- Snake Keylogger payload (5 IoCs)
  Processes:
  resource | yara_rule
  behavioral1/memory/1064-149-0x0000000000400000-0x0000000000426000-memory.dmp | family_snakekeylogger
  behavioral1/memory/1064-148-0x0000000000400000-0x0000000000426000-memory.dmp | family_snakekeylogger
  behavioral1/memory/1064-146-0x0000000000400000-0x0000000000426000-memory.dmp | family_snakekeylogger
  behavioral1/memory/1064-143-0x0000000000400000-0x0000000000426000-memory.dmp | family_snakekeylogger
  behavioral1/memory/1064-141-0x0000000000400000-0x0000000000426000-memory.dmp | family_snakekeylogger
- Blocklisted process makes network request (1 IoC)
  Processes:
  flow | pid | process
  10 | 1056 | EQNEDT32.EXE
- Command and Scripting Interpreter: PowerShell (1 TTP, 1 IoC)
  Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
- Downloads MZ/PE file
- Abuses OpenXML format to download file from external location
- Executes dropped EXE (2 IoCs)
  Processes:
  pid | process
  1992 | obious30456.exe
  1064 | obious30456.exe
- Loads dropped DLL (1 IoC)
  Processes:
  pid | process
  1056 | EQNEDT32.EXE
- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk, where infostealers often target it.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials.
- Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
  Processes:
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | obious30456.exe
  Key opened | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | obious30456.exe
  Key opened | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | obious30456.exe
- Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes:
  flow | ioc
  11 | checkip.dyndns.org
- Drops file in System32 directory (1 IoC)
  Processes:
  description | ioc | process
  File opened for modification | C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | powershell.exe
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
  description | pid | process | target process
  PID 1992 set thread context of 1064 | 1992 | obious30456.exe | obious30456.exe
- Drops file in Windows directory (1 IoC)
  Processes:
  description | ioc | process
  File opened for modification | C:\Windows\Debug\WIA\wiatrace.log | WINWORD.EXE
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Office loads VBA resources, possible macro or embedded object present
- Launches Equation Editor (1 TTP, 1 IoC)
  Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
- Suspicious behavior: AddClipboardFormatListener (1 IoC)
  Processes:
  pid | process
  2552 | WINWORD.EXE
- Suspicious behavior: EnumeratesProcesses (3 IoCs)
  Processes:
  pid | process
  1064 | obious30456.exe
  2256 | powershell.exe
  1064 | obious30456.exe
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes:
  description | pid | process
  Token: SeDebugPrivilege | 1064 | obious30456.exe
  Token: SeDebugPrivilege | 2256 | powershell.exe
  Token: SeShutdownPrivilege | 2552 | WINWORD.EXE
- Suspicious use of SetWindowsHookEx (2 IoCs)
  Processes:
  pid | process
  2552 | WINWORD.EXE
  2552 | WINWORD.EXE
- Suspicious use of WriteProcessMemory (21 IoCs)
  Processes:
  description | pid | process | target process
  PID 1056 wrote to memory of 1992 | 1056 | EQNEDT32.EXE | obious30456.exe
  PID 1056 wrote to memory of 1992 | 1056 | EQNEDT32.EXE | obious30456.exe
  PID 1056 wrote to memory of 1992 | 1056 | EQNEDT32.EXE | obious30456.exe
  PID 1056 wrote to memory of 1992 | 1056 | EQNEDT32.EXE | obious30456.exe
  PID 2552 wrote to memory of 3048 | 2552 | WINWORD.EXE | splwow64.exe
  PID 2552 wrote to memory of 3048 | 2552 | WINWORD.EXE | splwow64.exe
  PID 2552 wrote to memory of 3048 | 2552 | WINWORD.EXE | splwow64.exe
  PID 2552 wrote to memory of 3048 | 2552 | WINWORD.EXE | splwow64.exe
  PID 1992 wrote to memory of 2256 | 1992 | obious30456.exe | powershell.exe
  PID 1992 wrote to memory of 2256 | 1992 | obious30456.exe | powershell.exe
  PID 1992 wrote to memory of 2256 | 1992 | obious30456.exe | powershell.exe
  PID 1992 wrote to memory of 2256 | 1992 | obious30456.exe | powershell.exe
  PID 1992 wrote to memory of 1064 | 1992 | obious30456.exe | obious30456.exe
  PID 1992 wrote to memory of 1064 | 1992 | obious30456.exe | obious30456.exe
  PID 1992 wrote to memory of 1064 | 1992 | obious30456.exe | obious30456.exe
  PID 1992 wrote to memory of 1064 | 1992 | obious30456.exe | obious30456.exe
  PID 1992 wrote to memory of 1064 | 1992 | obious30456.exe | obious30456.exe
  PID 1992 wrote to memory of 1064 | 1992 | obious30456.exe | obious30456.exe
  PID 1992 wrote to memory of 1064 | 1992 | obious30456.exe | obious30456.exe
  PID 1992 wrote to memory of 1064 | 1992 | obious30456.exe | obious30456.exe
  PID 1992 wrote to memory of 1064 | 1992 | obious30456.exe | obious30456.exe
- outlook_office_path (1 IoC)
  Processes:
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | obious30456.exe
- outlook_win_path (1 IoC)
  Processes:
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | obious30456.exe
Processes
- C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE (level 1)
  Command line: "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\194c843d5109edd9d14f1b459524dde024bd903d3e70616b9270263279b5416f.docx"
  - Drops file in Windows directory
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\splwow64.exe (level 2)
    Command line: C:\Windows\splwow64.exe 12288
- C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE (level 1)
  Command line: "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
  - Blocklisted process makes network request
  - Loads dropped DLL
  - Launches Equation Editor
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\obious30456.exe (level 2)
    Command line: "C:\Users\Admin\AppData\Roaming\obious30456.exe"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (level 3)
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\obious30456.exe"
      - Command and Scripting Interpreter: PowerShell
      - Drops file in System32 directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    - C:\Users\Admin\AppData\Roaming\obious30456.exe (level 3)
      Command line: "C:\Users\Admin\AppData\Roaming\obious30456.exe"
      - Executes dropped EXE
      - Accesses Microsoft Outlook profiles
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - outlook_office_path
      - outlook_win_path
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Downloads
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8B2B9A00839EED1DFDCCC3BFC2F5DF12
  Filesize: 1KB
  MD5: 2365869258df7a66a2121b802ca4afd9
  SHA1: 73acc30a2edeb9d6830de559bb8a74f35168135d
  SHA256: d6b1932822bbd72a8e78c771717d992142348f67d625a42393719fefbe59b0ed
  SHA512: 795004bab536e128dbd81c188976d37c7b650efbfa5a80374df4c65a1049c27658f4620b7605583928eb167fcb69b4c99e4c8730c507b824a7bde9c7fb0e21f4
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B46811C17859FFB409CF0E904A4AA8F8
  Filesize: 436B
  MD5: 1bfe0a81db078ea084ff82fe545176fe
  SHA1: 50b116f578bd272922fa8eae94f7b02fd3b88384
  SHA256: 5ba8817f13eee00e75158bad93076ab474a068c6b52686579e0f728fda68499f
  SHA512: 37c582f3f09f8d80529608c09041295d1644bcc9de6fb8c4669b05339b0dd870f9525abc5eed53ad06a94b51441275504bc943c336c5beb63b53460ba836ca8d
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8B2B9A00839EED1DFDCCC3BFC2F5DF12
  Filesize: 174B
  MD5: a01c047fd1c64b7db549e16b443c2c05
  SHA1: 55b4b0622a3e841310b3ace98e232170b6d69858
  SHA256: fbe8d028aa3241ea67bc458d88c179b6b8ebc4b63b9f7a599895c40ad719c2b8
  SHA512: abbfa98a563028810fd882a5d21de8df715bfe3c7815a737f95316215b35ba9770a9a328550b01034e80552056da04240c7fdd38f479b376ee250fe9408891ba
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B46811C17859FFB409CF0E904A4AA8F8
  Filesize: 170B
  MD5: 27f003b34a7da8bc225ca4db2eee9c86
  SHA1: d2869ca3df511d10e1dfe491b9621f7414bf45f3
  SHA256: 5293da5f15f3fe07b238b5236686c0523038c39636cf80c44774f22748d62921
  SHA512: 55dadb2cae3e9eda8f98e3bf52888ef47f9ecc988d11d3bf2cb2c2416b3af4b96c94e9d2d4bbf3c430189285f63ff443109290e9e19f811e1c5019a22c4f240a
- C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD
  Filesize: 128KB
  MD5: 05340514066a91688a56f441e766f62e
  SHA1: 8c89395c7efb3a3676685dc959fb9a5813127571
  SHA256: 3846adff8a3e61e4fa42a38913edadbbedfe54c732822530858dce3bade6ee69
  SHA512: 1e4281a1ffe3c04b121c94b099dcc2ab8c8a408f294cd018a5cafa7140e6a74126359585a8dc061e4fff02adfd081e2e7e32aec5a174352bb59d647e3c0bd1eb
- C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{50E6AE15-A5FC-4A92-AA73-4013D3E7B408}.FSD
  Filesize: 128KB
  MD5: 62d73414f17811e0f48b982d87889c64
  SHA1: 27202e5f162b1017c9c5739e823d909be3dd04e5
  SHA256: 2bba599fb72d88598b808c982a60a4111cfdd1b6ca387c0e1c53f6c8f7f5db80
  SHA512: 7745c66cc12214aef379c396955fc910eba36115b913d8578e068a3145c4d61ff221d0b3aeb656f337da18571dc18e48b0f0c3e5f48abd1dc0c8c9e2c8aef316
- C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\84EXSCRK\obizxc[1].doc
  Filesize: 368KB
  MD5: 575a373a177f9c8b111c8a68b17df8c8
  SHA1: 3bc867883140cd48dcf45619b8248e09bcae2e32
  SHA256: 9ae6cf31f1326e6966550f8cec5ddbedebda8358447a7f8ea5459f1170c5fe63
  SHA512: cfef18fb314a54567c2f7afb387413ba129c7f1bfc10151be00c17032fac455f0c022187ac9fd6f19959b36f50fa6e45128dc26adebd5fb60c972cfdc794b1b0
- C:\Users\Admin\AppData\Local\Temp\CabD6EE.tmp
  Filesize: 70KB
  MD5: 49aebf8cbd62d92ac215b2923fb1b9f5
  SHA1: 1723be06719828dda65ad804298d0431f6aff976
  SHA256: b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
  SHA512: bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
- C:\Users\Admin\AppData\Local\Temp\{F84A4430-EEEA-4BDA-8652-7CAEAC40AF49}
  Filesize: 128KB
  MD5: b255ffaa24d0569370961ae3aa686009
  SHA1: b1742d17e09137e69ec942339bcf578dda640a05
  SHA256: a6278abc494ce4503f9bd740b8ff20bb7ad5dd47dac703e55ceaac71124103a0
  SHA512: 38c11ff0d388882d6bb9c714962bfb432eb7b3352e4c3c87538daf802dd9f4411b8b1dc8047f36b9447d30e9ab003c23d859109bc06f5c93c0363105a564252d
- C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm
  Filesize: 19KB
  MD5: 4ce4625c3a75d412e25b16cc144a4fc3
  SHA1: fedeb82e66c2b199df9828a8e5b0e0c3497c2aac
  SHA256: e97f988823b2506c51c1cb22ebd63a26b3efd97348bd380535d86375d81fe89e
  SHA512: 250a942718dc19634460c4cbbeb71d7f799877a40ed072f3033b0d1af25c638dba3a0b84d81a9f800e7bf98b76060a774ebe86b17d368756c3f5a3aa032195be
- C:\Users\Admin\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex
  Filesize: 2B
  MD5: f3b25701fe362ec84616a93a45ce9998
  SHA1: d62636d8caec13f04e28442a0a6fa1afeb024bbb
  SHA256: b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
  SHA512: 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84
- C:\Users\Admin\AppData\Roaming\obious30456.exe
  Filesize: 705KB
  MD5: 443363e1a95c3866be9e3335ace43b6e
  SHA1: 9b9ed2ef75f1f186502d84e6d25aac2c204c05ef
  SHA256: 0bc288f05b2f4780b38d21563c31b5335246e750bf6de90ed681f4bc1bb0d1a4
  SHA512: c8fadd72b4fa2440f2c5174c35794dadd0d8abe1bb2d0b410d14206c6e797a9f59351235ddc0139c509d277c0e950718818df85d848bbdec438fa26440296e29
- memory/1064-148-0x0000000000400000-0x0000000000426000-memory.dmp
  Filesize: 152KB
- memory/1064-149-0x0000000000400000-0x0000000000426000-memory.dmp
  Filesize: 152KB
- memory/1064-139-0x0000000000400000-0x0000000000426000-memory.dmp
  Filesize: 152KB
- memory/1064-141-0x0000000000400000-0x0000000000426000-memory.dmp
  Filesize: 152KB
- memory/1064-143-0x0000000000400000-0x0000000000426000-memory.dmp
  Filesize: 152KB
- memory/1064-145-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
  Filesize: 4KB
- memory/1064-146-0x0000000000400000-0x0000000000426000-memory.dmp
  Filesize: 152KB
- memory/1064-137-0x0000000000400000-0x0000000000426000-memory.dmp
  Filesize: 152KB
- memory/1992-135-0x0000000000450000-0x000000000045C000-memory.dmp
  Filesize: 48KB
- memory/1992-136-0x0000000005AB0000-0x0000000005B18000-memory.dmp
  Filesize: 416KB
- memory/1992-119-0x0000000001240000-0x00000000012F4000-memory.dmp
  Filesize: 720KB
- memory/1992-125-0x0000000000220000-0x0000000000228000-memory.dmp
  Filesize: 32KB
- memory/1992-124-0x0000000000780000-0x000000000079A000-memory.dmp
  Filesize: 104KB
- memory/2552-0-0x000000002FA41000-0x000000002FA42000-memory.dmp
  Filesize: 4KB
- memory/2552-2-0x00000000715FD000-0x0000000071608000-memory.dmp
  Filesize: 44KB
- memory/2552-152-0x00000000715FD000-0x0000000071608000-memory.dmp
  Filesize: 44KB
- memory/2552-1-0x000000005FFF0000-0x0000000060000000-memory.dmp
  Filesize: 64KB
- memory/2552-175-0x000000005FFF0000-0x0000000060000000-memory.dmp
  Filesize: 64KB
- memory/2552-176-0x00000000715FD000-0x0000000071608000-memory.dmp
  Filesize: 44KB