Analysis

  • max time kernel
    143s
  • max time network
    138s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    05-09-2024 01:54

General

  • Target
    ece18c6e4b98ce3ed6321e2f59159b8401f6797347c7f947f19db53474b51eff.vbe
  • Size
    13KB
  • MD5
    a6af6f6ddf4ddf8b2b7b1f2634383835
  • SHA1
    336a5775a5d073c7f84c3102d4a235354203a5cf
  • SHA256
    ece18c6e4b98ce3ed6321e2f59159b8401f6797347c7f947f19db53474b51eff
  • SHA512
    300223c1c6ef6aab23d10791643fcdf0edf0cfea38dfe72581a76fd461c596f9417295873484df0e9520c6ea1d047c4ff5bc487509ae6f1dbbc98e7a1cf983aa
  • SSDEEP
    384:uEP6YUlp+y4DdVWrXDL6SuvTra0qtRFWSBQXW:DSp+y4ZYvGVvT3qtKYQG

Malware Config

Extracted

Family

snakekeylogger

Credentials

Signatures

  • Snake Keylogger

    Keylogger and Infostealer first seen in November 2020.

  • Snake Keylogger payload 1 IoCs
  • Credentials from Password Stores: Credentials from Web Browsers 1 TTPs

    Malicious access to, or copying of, a web browser credential store.

  • Blocklisted process makes network request 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks processor information in registry 2 TTPs 9 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 7 IoCs
  • Script User-Agent 1 IoCs

    Uses user-agent string associated with script host/environment.

  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 8 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ece18c6e4b98ce3ed6321e2f59159b8401f6797347c7f947f19db53474b51eff.vbe"
    1⤵
    • Blocklisted process makes network request
    PID:4296
  • C:\Windows\System32\WScript.exe
    C:\Windows\System32\WScript.exe "C:\Users\Admin\AppData\Roaming\pxoPoGtbRQrOzlN.vbs"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:1916
    • C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
      2⤵
      • Drops file in System32 directory
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:936
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        3⤵
        • Accesses Microsoft Outlook profiles
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • outlook_office_path
        • outlook_win_path
        PID:4792
      • C:\Windows\system32\wermgr.exe
        "C:\Windows\system32\wermgr.exe" "-outproc" "0" "936" "2728" "2672" "2732" "0" "0" "2736" "0" "0" "0" "0" "0"
        3⤵
        • Checks processor information in registry
        • Enumerates system info in registry
        PID:732
    • C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
      2⤵
      • Drops file in System32 directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1884
      • C:\Windows\system32\wermgr.exe
        "C:\Windows\system32\wermgr.exe" "-outproc" "0" "1884" "2692" "2620" "2696" "0" "0" "2700" "0" "0" "0" "0" "0"
        3⤵
        • Checks processor information in registry
        • Enumerates system info in registry
        PID:4900
  • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Desktop\StepMerge.docx" /o ""
    1⤵
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    PID:2248

Network

MITRE ATT&CK Enterprise v15

Downloads
