snakekeylogger | 194c843d5109edd9d14f1b459524dde024bd903d3e70616b9270263279b5416f

Analysis

max time kernel
119s
max time network
128s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
05-07-2024 01:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

194c843d5109edd9d14f1b459524dde024bd903d3e70616b9270263279b5416f.docx
Size

16KB
MD5

d5ab2de292b70d3a7f0fc16b236c325b
SHA1

b7e498349dae307fdf4d08dfb5de5eccba4ac3d5
SHA256

194c843d5109edd9d14f1b459524dde024bd903d3e70616b9270263279b5416f
SHA512

2a33a54389da5716021c2a3d181e27819d7c2bfcc4eb921fe4cbed4880b800901ee478f059c7f48375609e4e78f31874eeca5364df01d3fde49d9ef2744fe2ee
SSDEEP

384:IyXKW7AWss8PL8wi4OEwH8TIbE91r2fRMJYvvid4ejeaS:IcK/b5P3DOqnYJKuvs4ejI

Score

10^/10

snakekeylogger collection execution keylogger spyware stealer

Malware Config

Extracted

Credentials

Protocol: smtp
Host:
mail.ebizindia.com
Port:
587
Username:
[email protected]
Password:
Duro Mausam

Extracted

Family

snakekeylogger

Credentials

Protocol: smtp
Host:
mail.ebizindia.com
Port:
587
Username:
[email protected]
Password:
Duro Mausam

Signatures

Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
stealer keylogger snakekeylogger

Snake Keylogger payload 5 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1064-149-0x0000000000400000-0x0000000000426000-memory.dmp	family_snakekeylogger
behavioral1/memory/1064-148-0x0000000000400000-0x0000000000426000-memory.dmp	family_snakekeylogger
behavioral1/memory/1064-146-0x0000000000400000-0x0000000000426000-memory.dmp	family_snakekeylogger
behavioral1/memory/1064-143-0x0000000000400000-0x0000000000426000-memory.dmp	family_snakekeylogger
behavioral1/memory/1064-141-0x0000000000400000-0x0000000000426000-memory.dmp	family_snakekeylogger

Blocklisted process makes network request 1 IoCs

Processes:

EQNEDT32.EXE

flow pid process

10 1056 EQNEDT32.EXE
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exe

pid process

2256 powershell.exe
Downloads MZ/PE file
Abuses OpenXML format to download file from external location
Executes dropped EXE 2 IoCs

Processes:

obious30456.exeobious30456.exe

pid process

1992 obious30456.exe
1064 obious30456.exe
Loads dropped DLL 1 IoCs

Processes:

EQNEDT32.EXE

pid process

1056 EQNEDT32.EXE
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

flow	pid	process
10	1056	EQNEDT32.EXE

pid	process
2256	powershell.exe

pid	process
1992	obious30456.exe
1064	obious30456.exe

pid	process
1056	EQNEDT32.EXE

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

obious30456.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	obious30456.exe
Key opened	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	obious30456.exe
Key opened	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	obious30456.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

11 checkip.dyndns.org
Drops file in System32 directory 1 IoCs

Processes:

powershell.exe

description ioc process

File opened for modification C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

obious30456.exe

description pid process target process

PID 1992 set thread context of 1064 1992 obious30456.exe obious30456.exe
Drops file in Windows directory 1 IoCs

Processes:

WINWORD.EXE

description ioc process

File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Office loads VBA resources, possible macro or embedded object present
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
exploit

Exploitation for Client Execution
T1203

Processes:

EQNEDT32.EXE

pid process

1056 EQNEDT32.EXE
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

WINWORD.EXE

pid process

2552 WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

obious30456.exepowershell.exe

pid process

1064 obious30456.exe
2256 powershell.exe
1064 obious30456.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

obious30456.exepowershell.exeWINWORD.EXE

description pid process

Token: SeDebugPrivilege 1064 obious30456.exe
Token: SeDebugPrivilege 2256 powershell.exe
Token: SeShutdownPrivilege 2552 WINWORD.EXE
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

WINWORD.EXE

pid process

2552 WINWORD.EXE
2552 WINWORD.EXE

flow	ioc
11	checkip.dyndns.org

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

description	pid	process	target process
PID 1992 set thread context of 1064	1992	obious30456.exe	obious30456.exe

description	ioc	process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

pid	process
1056	EQNEDT32.EXE

pid	process
2552	WINWORD.EXE

pid	process
1064	obious30456.exe
2256	powershell.exe
1064	obious30456.exe

description	pid	process
Token: SeDebugPrivilege	1064	obious30456.exe
Token: SeDebugPrivilege	2256	powershell.exe
Token: SeShutdownPrivilege	2552	WINWORD.EXE

pid	process
2552	WINWORD.EXE
2552	WINWORD.EXE

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

EQNEDT32.EXEWINWORD.EXEobious30456.exe

description	pid	process	target process
PID 1056 wrote to memory of 1992	1056	EQNEDT32.EXE	obious30456.exe
PID 1056 wrote to memory of 1992	1056	EQNEDT32.EXE	obious30456.exe
PID 1056 wrote to memory of 1992	1056	EQNEDT32.EXE	obious30456.exe
PID 1056 wrote to memory of 1992	1056	EQNEDT32.EXE	obious30456.exe
PID 2552 wrote to memory of 3048	2552	WINWORD.EXE	splwow64.exe
PID 2552 wrote to memory of 3048	2552	WINWORD.EXE	splwow64.exe
PID 2552 wrote to memory of 3048	2552	WINWORD.EXE	splwow64.exe
PID 2552 wrote to memory of 3048	2552	WINWORD.EXE	splwow64.exe
PID 1992 wrote to memory of 2256	1992	obious30456.exe	powershell.exe
PID 1992 wrote to memory of 2256	1992	obious30456.exe	powershell.exe
PID 1992 wrote to memory of 2256	1992	obious30456.exe	powershell.exe
PID 1992 wrote to memory of 2256	1992	obious30456.exe	powershell.exe
PID 1992 wrote to memory of 1064	1992	obious30456.exe	obious30456.exe
PID 1992 wrote to memory of 1064	1992	obious30456.exe	obious30456.exe
PID 1992 wrote to memory of 1064	1992	obious30456.exe	obious30456.exe
PID 1992 wrote to memory of 1064	1992	obious30456.exe	obious30456.exe
PID 1992 wrote to memory of 1064	1992	obious30456.exe	obious30456.exe
PID 1992 wrote to memory of 1064	1992	obious30456.exe	obious30456.exe
PID 1992 wrote to memory of 1064	1992	obious30456.exe	obious30456.exe
PID 1992 wrote to memory of 1064	1992	obious30456.exe	obious30456.exe
PID 1992 wrote to memory of 1064	1992	obious30456.exe	obious30456.exe

outlook_office_path 1 IoCs

Processes:

obious30456.exe

description ioc process

Key opened \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 obious30456.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	obious30456.exe

outlook_win_path 1 IoCs

Processes:

obious30456.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	obious30456.exe

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\194c843d5109edd9d14f1b459524dde024bd903d3e70616b9270263279b5416f.docx"
1⤵
- Drops file in Windows directory
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2552

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
2⤵
PID:3048

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:1056

C:\Users\Admin\AppData\Roaming\obious30456.exe
"C:\Users\Admin\AppData\Roaming\obious30456.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1992

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\obious30456.exe"
3⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2256

C:\Users\Admin\AppData\Roaming\obious30456.exe
"C:\Users\Admin\AppData\Roaming\obious30456.exe"
3⤵
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:1064

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8B2B9A00839EED1DFDCCC3BFC2F5DF12
Filesize
1KB

MD5
2365869258df7a66a2121b802ca4afd9

SHA1
73acc30a2edeb9d6830de559bb8a74f35168135d

SHA256
d6b1932822bbd72a8e78c771717d992142348f67d625a42393719fefbe59b0ed

SHA512
795004bab536e128dbd81c188976d37c7b650efbfa5a80374df4c65a1049c27658f4620b7605583928eb167fcb69b4c99e4c8730c507b824a7bde9c7fb0e21f4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B46811C17859FFB409CF0E904A4AA8F8
Filesize
436B

MD5
1bfe0a81db078ea084ff82fe545176fe

SHA1
50b116f578bd272922fa8eae94f7b02fd3b88384

SHA256
5ba8817f13eee00e75158bad93076ab474a068c6b52686579e0f728fda68499f

SHA512
37c582f3f09f8d80529608c09041295d1644bcc9de6fb8c4669b05339b0dd870f9525abc5eed53ad06a94b51441275504bc943c336c5beb63b53460ba836ca8d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8B2B9A00839EED1DFDCCC3BFC2F5DF12
Filesize
174B

MD5
a01c047fd1c64b7db549e16b443c2c05

SHA1
55b4b0622a3e841310b3ace98e232170b6d69858

SHA256
fbe8d028aa3241ea67bc458d88c179b6b8ebc4b63b9f7a599895c40ad719c2b8

SHA512
abbfa98a563028810fd882a5d21de8df715bfe3c7815a737f95316215b35ba9770a9a328550b01034e80552056da04240c7fdd38f479b376ee250fe9408891ba

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B46811C17859FFB409CF0E904A4AA8F8
Filesize
170B

MD5
27f003b34a7da8bc225ca4db2eee9c86

SHA1
d2869ca3df511d10e1dfe491b9621f7414bf45f3

SHA256
5293da5f15f3fe07b238b5236686c0523038c39636cf80c44774f22748d62921

SHA512
55dadb2cae3e9eda8f98e3bf52888ef47f9ecc988d11d3bf2cb2c2416b3af4b96c94e9d2d4bbf3c430189285f63ff443109290e9e19f811e1c5019a22c4f240a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD
Filesize
128KB

MD5
05340514066a91688a56f441e766f62e

SHA1
8c89395c7efb3a3676685dc959fb9a5813127571

SHA256
3846adff8a3e61e4fa42a38913edadbbedfe54c732822530858dce3bade6ee69

SHA512
1e4281a1ffe3c04b121c94b099dcc2ab8c8a408f294cd018a5cafa7140e6a74126359585a8dc061e4fff02adfd081e2e7e32aec5a174352bb59d647e3c0bd1eb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{50E6AE15-A5FC-4A92-AA73-4013D3E7B408}.FSD
Filesize
128KB

MD5
62d73414f17811e0f48b982d87889c64

SHA1
27202e5f162b1017c9c5739e823d909be3dd04e5

SHA256
2bba599fb72d88598b808c982a60a4111cfdd1b6ca387c0e1c53f6c8f7f5db80

SHA512
7745c66cc12214aef379c396955fc910eba36115b913d8578e068a3145c4d61ff221d0b3aeb656f337da18571dc18e48b0f0c3e5f48abd1dc0c8c9e2c8aef316

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\84EXSCRK\obizxc[1].doc
Filesize
368KB

MD5
575a373a177f9c8b111c8a68b17df8c8

SHA1
3bc867883140cd48dcf45619b8248e09bcae2e32

SHA256
9ae6cf31f1326e6966550f8cec5ddbedebda8358447a7f8ea5459f1170c5fe63

SHA512
cfef18fb314a54567c2f7afb387413ba129c7f1bfc10151be00c17032fac455f0c022187ac9fd6f19959b36f50fa6e45128dc26adebd5fb60c972cfdc794b1b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabD6EE.tmp
Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\{F84A4430-EEEA-4BDA-8652-7CAEAC40AF49}
Filesize
128KB

MD5
b255ffaa24d0569370961ae3aa686009

SHA1
b1742d17e09137e69ec942339bcf578dda640a05

SHA256
a6278abc494ce4503f9bd740b8ff20bb7ad5dd47dac703e55ceaac71124103a0

SHA512
38c11ff0d388882d6bb9c714962bfb432eb7b3352e4c3c87538daf802dd9f4411b8b1dc8047f36b9447d30e9ab003c23d859109bc06f5c93c0363105a564252d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm
Filesize
19KB

MD5
4ce4625c3a75d412e25b16cc144a4fc3

SHA1
fedeb82e66c2b199df9828a8e5b0e0c3497c2aac

SHA256
e97f988823b2506c51c1cb22ebd63a26b3efd97348bd380535d86375d81fe89e

SHA512
250a942718dc19634460c4cbbeb71d7f799877a40ed072f3033b0d1af25c638dba3a0b84d81a9f800e7bf98b76060a774ebe86b17d368756c3f5a3aa032195be

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex
Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Roaming\obious30456.exe
Filesize
705KB

MD5
443363e1a95c3866be9e3335ace43b6e

SHA1
9b9ed2ef75f1f186502d84e6d25aac2c204c05ef

SHA256
0bc288f05b2f4780b38d21563c31b5335246e750bf6de90ed681f4bc1bb0d1a4

SHA512
c8fadd72b4fa2440f2c5174c35794dadd0d8abe1bb2d0b410d14206c6e797a9f59351235ddc0139c509d277c0e950718818df85d848bbdec438fa26440296e29

Download Submit
memory/1064-148-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1064-149-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1064-139-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1064-141-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1064-143-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1064-145-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1064-146-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1064-137-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1992-135-0x0000000000450000-0x000000000045C000-memory.dmp

Filesize
48KB

Download
memory/1992-136-0x0000000005AB0000-0x0000000005B18000-memory.dmp

Filesize
416KB

Download
memory/1992-119-0x0000000001240000-0x00000000012F4000-memory.dmp

Filesize
720KB

Download
memory/1992-125-0x0000000000220000-0x0000000000228000-memory.dmp

Filesize
32KB

Download
memory/1992-124-0x0000000000780000-0x000000000079A000-memory.dmp

Filesize
104KB

Download
memory/2552-0-0x000000002FA41000-0x000000002FA42000-memory.dmp

Filesize
4KB

Download
memory/2552-2-0x00000000715FD000-0x0000000071608000-memory.dmp

Filesize
44KB

Download
memory/2552-152-0x00000000715FD000-0x0000000071608000-memory.dmp

Filesize
44KB

Download
memory/2552-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2552-175-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2552-176-0x00000000715FD000-0x0000000071608000-memory.dmp

Filesize
44KB

Download