snakekeylogger | 71ae3e49cd3e22ac2de6cc53dd6b662d8f65d8f4d9f4e882e1b88d3cff18e18c

Analysis

max time kernel
123s
max time network
138s
platform
windows7_x64
resource
win7-en-20211104
submitted
05-12-2021 07:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a72f3d7698f6126013cff4e4ad1fb808.exe
Size

1.7MB
MD5

a72f3d7698f6126013cff4e4ad1fb808
SHA1

cd44ae59eb8ae4111c53e8b4a3da5e7ba1af48bb
SHA256

71ae3e49cd3e22ac2de6cc53dd6b662d8f65d8f4d9f4e882e1b88d3cff18e18c
SHA512

1c23c290cc4ce5876a7f86677da352e9229c387f03ef504a6287978001bb228b85aea46eb4493f886a1602691fa2b85cca3addf5c487a303ac590ab454db501b

Score

10^/10

snakekeylogger collection keylogger macro persistence spyware stealer

Malware Config

Extracted

Credentials

Protocol: smtp
Host:
mail.nclanka.lk
Port:
587
Username:
sales@nclanka.lk
Password:
OgNl@$200

Extracted

Family

snakekeylogger

Credentials

Protocol: smtp
Host:
mail.nclanka.lk
Port:
587
Username:
sales@nclanka.lk
Password:
OgNl@$200

Signatures

Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
stealer keylogger snakekeylogger
Executes dropped EXE 4 IoCs

Processes:

._cache_a72f3d7698f6126013cff4e4ad1fb808.exeSynaptics.exeSynaptics.exe._cache_Synaptics.exe

pid process

1660 ._cache_a72f3d7698f6126013cff4e4ad1fb808.exe
1544 Synaptics.exe
1996 Synaptics.exe
2036 ._cache_Synaptics.exe

pid	process
1660	._cache_a72f3d7698f6126013cff4e4ad1fb808.exe
1544	Synaptics.exe
1996	Synaptics.exe
2036	._cache_Synaptics.exe

Suspicious Office macro 1 IoCs

Office document equipped with macros.

macro

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\xqDUlx4O.xlsm	office_macros

Loads dropped DLL 4 IoCs

Processes:

a72f3d7698f6126013cff4e4ad1fb808.exeSynaptics.exe

pid process

1840 a72f3d7698f6126013cff4e4ad1fb808.exe
1840 a72f3d7698f6126013cff4e4ad1fb808.exe
1996 Synaptics.exe
1996 Synaptics.exe
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
1840	a72f3d7698f6126013cff4e4ad1fb808.exe
1840	a72f3d7698f6126013cff4e4ad1fb808.exe
1996	Synaptics.exe
1996	Synaptics.exe

Accesses Microsoft Outlook profiles 1 TTPs 6 IoCs

collection

Email Collection

T1114

Processes:

._cache_a72f3d7698f6126013cff4e4ad1fb808.exe._cache_Synaptics.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	._cache_a72f3d7698f6126013cff4e4ad1fb808.exe
Key opened	\REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	._cache_a72f3d7698f6126013cff4e4ad1fb808.exe
Key opened	\REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	._cache_a72f3d7698f6126013cff4e4ad1fb808.exe
Key opened	\REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	._cache_Synaptics.exe
Key opened	\REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	._cache_Synaptics.exe
Key opened	\REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	._cache_Synaptics.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

a72f3d7698f6126013cff4e4ad1fb808.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	a72f3d7698f6126013cff4e4ad1fb808.exe

Looks up external IP address via web service 4 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

4 checkip.dyndns.org
9 freegeoip.app
10 freegeoip.app
20 freegeoip.app

flow	ioc
4	checkip.dyndns.org
9	freegeoip.app
10	freegeoip.app
20	freegeoip.app

Suspicious use of SetThreadContext 2 IoCs

Processes:

a72f3d7698f6126013cff4e4ad1fb808.exeSynaptics.exe

description	pid	process	target process
PID 652 set thread context of 1840	652	a72f3d7698f6126013cff4e4ad1fb808.exe	a72f3d7698f6126013cff4e4ad1fb808.exe
PID 1544 set thread context of 1996	1544	Synaptics.exe	Synaptics.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry
T1012

System Information Discovery
T1082

Processes:

EXCEL.EXE

description ioc process

Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Modifies Internet Explorer settings 1 TTPs 31 IoCs

adware spyware

Modify Registry

T1112

Processes:

EXCEL.EXE

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Internet Explorer\MenuExt	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Internet Explorer\Toolbar	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	EXCEL.EXE

Modifies registry class 64 IoCs

Processes:

EXCEL.EXE

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon\ = "\"%1\""	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ThreadingModel = "Apartment"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ = "&Open"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ = "&Open"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe"	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\ = "&Print"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ = "&Open"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\ = "&Edit"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\ = "&Print"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\ = "&Edit"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\ShellEx	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\ = "&Open"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\mhtmlfile	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

856 EXCEL.EXE
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

._cache_a72f3d7698f6126013cff4e4ad1fb808.exe._cache_Synaptics.exe

pid process

1660 ._cache_a72f3d7698f6126013cff4e4ad1fb808.exe
2036 ._cache_Synaptics.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

._cache_a72f3d7698f6126013cff4e4ad1fb808.exe._cache_Synaptics.exe

description pid process

Token: SeDebugPrivilege 1660 ._cache_a72f3d7698f6126013cff4e4ad1fb808.exe
Token: SeDebugPrivilege 2036 ._cache_Synaptics.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

EXCEL.EXE

pid process

856 EXCEL.EXE

pid	process
856	EXCEL.EXE

pid	process
1660	._cache_a72f3d7698f6126013cff4e4ad1fb808.exe
2036	._cache_Synaptics.exe

description	pid	process
Token: SeDebugPrivilege	1660	._cache_a72f3d7698f6126013cff4e4ad1fb808.exe
Token: SeDebugPrivilege	2036	._cache_Synaptics.exe

pid	process
856	EXCEL.EXE

Suspicious use of WriteProcessMemory 36 IoCs

Processes:

a72f3d7698f6126013cff4e4ad1fb808.exea72f3d7698f6126013cff4e4ad1fb808.exeSynaptics.exeSynaptics.exe

description	pid	process	target process
PID 652 wrote to memory of 1840	652	a72f3d7698f6126013cff4e4ad1fb808.exe	a72f3d7698f6126013cff4e4ad1fb808.exe
PID 652 wrote to memory of 1840	652	a72f3d7698f6126013cff4e4ad1fb808.exe	a72f3d7698f6126013cff4e4ad1fb808.exe
PID 652 wrote to memory of 1840	652	a72f3d7698f6126013cff4e4ad1fb808.exe	a72f3d7698f6126013cff4e4ad1fb808.exe
PID 652 wrote to memory of 1840	652	a72f3d7698f6126013cff4e4ad1fb808.exe	a72f3d7698f6126013cff4e4ad1fb808.exe
PID 652 wrote to memory of 1840	652	a72f3d7698f6126013cff4e4ad1fb808.exe	a72f3d7698f6126013cff4e4ad1fb808.exe
PID 652 wrote to memory of 1840	652	a72f3d7698f6126013cff4e4ad1fb808.exe	a72f3d7698f6126013cff4e4ad1fb808.exe
PID 652 wrote to memory of 1840	652	a72f3d7698f6126013cff4e4ad1fb808.exe	a72f3d7698f6126013cff4e4ad1fb808.exe
PID 652 wrote to memory of 1840	652	a72f3d7698f6126013cff4e4ad1fb808.exe	a72f3d7698f6126013cff4e4ad1fb808.exe
PID 652 wrote to memory of 1840	652	a72f3d7698f6126013cff4e4ad1fb808.exe	a72f3d7698f6126013cff4e4ad1fb808.exe
PID 652 wrote to memory of 1840	652	a72f3d7698f6126013cff4e4ad1fb808.exe	a72f3d7698f6126013cff4e4ad1fb808.exe
PID 652 wrote to memory of 1840	652	a72f3d7698f6126013cff4e4ad1fb808.exe	a72f3d7698f6126013cff4e4ad1fb808.exe
PID 652 wrote to memory of 1840	652	a72f3d7698f6126013cff4e4ad1fb808.exe	a72f3d7698f6126013cff4e4ad1fb808.exe
PID 1840 wrote to memory of 1660	1840	a72f3d7698f6126013cff4e4ad1fb808.exe	._cache_a72f3d7698f6126013cff4e4ad1fb808.exe
PID 1840 wrote to memory of 1660	1840	a72f3d7698f6126013cff4e4ad1fb808.exe	._cache_a72f3d7698f6126013cff4e4ad1fb808.exe
PID 1840 wrote to memory of 1660	1840	a72f3d7698f6126013cff4e4ad1fb808.exe	._cache_a72f3d7698f6126013cff4e4ad1fb808.exe
PID 1840 wrote to memory of 1660	1840	a72f3d7698f6126013cff4e4ad1fb808.exe	._cache_a72f3d7698f6126013cff4e4ad1fb808.exe
PID 1840 wrote to memory of 1544	1840	a72f3d7698f6126013cff4e4ad1fb808.exe	Synaptics.exe
PID 1840 wrote to memory of 1544	1840	a72f3d7698f6126013cff4e4ad1fb808.exe	Synaptics.exe
PID 1840 wrote to memory of 1544	1840	a72f3d7698f6126013cff4e4ad1fb808.exe	Synaptics.exe
PID 1840 wrote to memory of 1544	1840	a72f3d7698f6126013cff4e4ad1fb808.exe	Synaptics.exe
PID 1544 wrote to memory of 1996	1544	Synaptics.exe	Synaptics.exe
PID 1544 wrote to memory of 1996	1544	Synaptics.exe	Synaptics.exe
PID 1544 wrote to memory of 1996	1544	Synaptics.exe	Synaptics.exe
PID 1544 wrote to memory of 1996	1544	Synaptics.exe	Synaptics.exe
PID 1544 wrote to memory of 1996	1544	Synaptics.exe	Synaptics.exe
PID 1544 wrote to memory of 1996	1544	Synaptics.exe	Synaptics.exe
PID 1544 wrote to memory of 1996	1544	Synaptics.exe	Synaptics.exe
PID 1544 wrote to memory of 1996	1544	Synaptics.exe	Synaptics.exe
PID 1544 wrote to memory of 1996	1544	Synaptics.exe	Synaptics.exe
PID 1544 wrote to memory of 1996	1544	Synaptics.exe	Synaptics.exe
PID 1544 wrote to memory of 1996	1544	Synaptics.exe	Synaptics.exe
PID 1544 wrote to memory of 1996	1544	Synaptics.exe	Synaptics.exe
PID 1996 wrote to memory of 2036	1996	Synaptics.exe	._cache_Synaptics.exe
PID 1996 wrote to memory of 2036	1996	Synaptics.exe	._cache_Synaptics.exe
PID 1996 wrote to memory of 2036	1996	Synaptics.exe	._cache_Synaptics.exe
PID 1996 wrote to memory of 2036	1996	Synaptics.exe	._cache_Synaptics.exe

outlook_office_path 1 IoCs

Processes:

._cache_Synaptics.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	._cache_Synaptics.exe

outlook_win_path 1 IoCs

Processes:

._cache_Synaptics.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	._cache_Synaptics.exe

C:\Users\Admin\AppData\Local\Temp\a72f3d7698f6126013cff4e4ad1fb808.exe
"C:\Users\Admin\AppData\Local\Temp\a72f3d7698f6126013cff4e4ad1fb808.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:652

C:\Users\Admin\AppData\Local\Temp\a72f3d7698f6126013cff4e4ad1fb808.exe
"C:\Users\Admin\AppData\Local\Temp\a72f3d7698f6126013cff4e4ad1fb808.exe"
2⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1840

C:\Users\Admin\AppData\Local\Temp\._cache_a72f3d7698f6126013cff4e4ad1fb808.exe
"C:\Users\Admin\AppData\Local\Temp\._cache_a72f3d7698f6126013cff4e4ad1fb808.exe"
3⤵
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1660

C:\ProgramData\Synaptics\Synaptics.exe
"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1544

C:\ProgramData\Synaptics\Synaptics.exe
"C:\ProgramData\Synaptics\Synaptics.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1996

C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe"
5⤵
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:2036

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:856

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Synaptics\Synaptics.exe
MD5
a72f3d7698f6126013cff4e4ad1fb808

SHA1
cd44ae59eb8ae4111c53e8b4a3da5e7ba1af48bb

SHA256
71ae3e49cd3e22ac2de6cc53dd6b662d8f65d8f4d9f4e882e1b88d3cff18e18c

SHA512
1c23c290cc4ce5876a7f86677da352e9229c387f03ef504a6287978001bb228b85aea46eb4493f886a1602691fa2b85cca3addf5c487a303ac590ab454db501b

Download Submit
C:\ProgramData\Synaptics\Synaptics.exe
MD5
a72f3d7698f6126013cff4e4ad1fb808

SHA1
cd44ae59eb8ae4111c53e8b4a3da5e7ba1af48bb

SHA256
71ae3e49cd3e22ac2de6cc53dd6b662d8f65d8f4d9f4e882e1b88d3cff18e18c

SHA512
1c23c290cc4ce5876a7f86677da352e9229c387f03ef504a6287978001bb228b85aea46eb4493f886a1602691fa2b85cca3addf5c487a303ac590ab454db501b

Download Submit
C:\ProgramData\Synaptics\Synaptics.exe
MD5
a72f3d7698f6126013cff4e4ad1fb808

SHA1
cd44ae59eb8ae4111c53e8b4a3da5e7ba1af48bb

SHA256
71ae3e49cd3e22ac2de6cc53dd6b662d8f65d8f4d9f4e882e1b88d3cff18e18c

SHA512
1c23c290cc4ce5876a7f86677da352e9229c387f03ef504a6287978001bb228b85aea46eb4493f886a1602691fa2b85cca3addf5c487a303ac590ab454db501b

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
MD5
ba9fe00d326f5997104101d59460e994

SHA1
46acc8f6c5f441f594d38e7062d63abfd2286807

SHA256
6e9e6f46101684f027120ad7ad467587899924d49387c7feab1f792342575e4b

SHA512
69009b4b6adbfa6e4eb5ed21486ab78ab706b8a6ba02628319df5c4ac6913e495655bdd552ac4fc4dc5cd7ac6bccb73b86e0f531badfe43f65acde466323687d

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
MD5
ba9fe00d326f5997104101d59460e994

SHA1
46acc8f6c5f441f594d38e7062d63abfd2286807

SHA256
6e9e6f46101684f027120ad7ad467587899924d49387c7feab1f792342575e4b

SHA512
69009b4b6adbfa6e4eb5ed21486ab78ab706b8a6ba02628319df5c4ac6913e495655bdd552ac4fc4dc5cd7ac6bccb73b86e0f531badfe43f65acde466323687d

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_a72f3d7698f6126013cff4e4ad1fb808.exe
MD5
ba9fe00d326f5997104101d59460e994

SHA1
46acc8f6c5f441f594d38e7062d63abfd2286807

SHA256
6e9e6f46101684f027120ad7ad467587899924d49387c7feab1f792342575e4b

SHA512
69009b4b6adbfa6e4eb5ed21486ab78ab706b8a6ba02628319df5c4ac6913e495655bdd552ac4fc4dc5cd7ac6bccb73b86e0f531badfe43f65acde466323687d

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_a72f3d7698f6126013cff4e4ad1fb808.exe
MD5
ba9fe00d326f5997104101d59460e994

SHA1
46acc8f6c5f441f594d38e7062d63abfd2286807

SHA256
6e9e6f46101684f027120ad7ad467587899924d49387c7feab1f792342575e4b

SHA512
69009b4b6adbfa6e4eb5ed21486ab78ab706b8a6ba02628319df5c4ac6913e495655bdd552ac4fc4dc5cd7ac6bccb73b86e0f531badfe43f65acde466323687d

Download Submit
C:\Users\Admin\AppData\Local\Temp\xqDUlx4O.xlsm
MD5
e566fc53051035e1e6fd0ed1823de0f9

SHA1
00bc96c48b98676ecd67e81a6f1d7754e4156044

SHA256
8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

SHA512
a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

Download Submit
\ProgramData\Synaptics\Synaptics.exe
MD5
a72f3d7698f6126013cff4e4ad1fb808

SHA1
cd44ae59eb8ae4111c53e8b4a3da5e7ba1af48bb

SHA256
71ae3e49cd3e22ac2de6cc53dd6b662d8f65d8f4d9f4e882e1b88d3cff18e18c

SHA512
1c23c290cc4ce5876a7f86677da352e9229c387f03ef504a6287978001bb228b85aea46eb4493f886a1602691fa2b85cca3addf5c487a303ac590ab454db501b

Download Submit
\ProgramData\Synaptics\Synaptics.exe
MD5
a72f3d7698f6126013cff4e4ad1fb808

SHA1
cd44ae59eb8ae4111c53e8b4a3da5e7ba1af48bb

SHA256
71ae3e49cd3e22ac2de6cc53dd6b662d8f65d8f4d9f4e882e1b88d3cff18e18c

SHA512
1c23c290cc4ce5876a7f86677da352e9229c387f03ef504a6287978001bb228b85aea46eb4493f886a1602691fa2b85cca3addf5c487a303ac590ab454db501b

Download Submit
\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
MD5
ba9fe00d326f5997104101d59460e994

SHA1
46acc8f6c5f441f594d38e7062d63abfd2286807

SHA256
6e9e6f46101684f027120ad7ad467587899924d49387c7feab1f792342575e4b

SHA512
69009b4b6adbfa6e4eb5ed21486ab78ab706b8a6ba02628319df5c4ac6913e495655bdd552ac4fc4dc5cd7ac6bccb73b86e0f531badfe43f65acde466323687d

Download Submit
\Users\Admin\AppData\Local\Temp\._cache_a72f3d7698f6126013cff4e4ad1fb808.exe
MD5
ba9fe00d326f5997104101d59460e994

SHA1
46acc8f6c5f441f594d38e7062d63abfd2286807

SHA256
6e9e6f46101684f027120ad7ad467587899924d49387c7feab1f792342575e4b

SHA512
69009b4b6adbfa6e4eb5ed21486ab78ab706b8a6ba02628319df5c4ac6913e495655bdd552ac4fc4dc5cd7ac6bccb73b86e0f531badfe43f65acde466323687d

Download Submit
memory/652-60-0x0000000008040000-0x0000000008145000-memory.dmp

Filesize
1.0MB

Download
memory/652-57-0x0000000075851000-0x0000000075853000-memory.dmp

Filesize
8KB

Download
memory/652-55-0x0000000000BC0000-0x0000000000BC1000-memory.dmp

Filesize
4KB

Download
memory/652-58-0x0000000004C40000-0x0000000004C41000-memory.dmp

Filesize
4KB

Download
memory/652-59-0x00000000008E0000-0x00000000008F6000-memory.dmp

Filesize
88KB

Download
memory/652-61-0x000000000A890000-0x000000000A99F000-memory.dmp

Filesize
1.1MB

Download
memory/856-114-0x000000006BB01000-0x000000006BB03000-memory.dmp

Filesize
8KB

Download
memory/856-115-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/856-113-0x000000002FEB1000-0x000000002FEB4000-memory.dmp

Filesize
12KB

Download
memory/1544-89-0x0000000004A90000-0x0000000004A91000-memory.dmp

Filesize
4KB

Download
memory/1544-84-0x0000000000B90000-0x0000000000B91000-memory.dmp

Filesize
4KB

Download
memory/1544-81-0x0000000000000000-mapping.dmp

Download
memory/1660-87-0x0000000004A10000-0x0000000004A11000-memory.dmp

Filesize
4KB

Download
memory/1660-78-0x0000000001020000-0x0000000001021000-memory.dmp

Filesize
4KB

Download
memory/1660-75-0x0000000000000000-mapping.dmp

Download
memory/1840-67-0x0000000000400000-0x00000000004E1000-memory.dmp

Filesize
900KB

Download
memory/1840-65-0x0000000000400000-0x00000000004E1000-memory.dmp

Filesize
900KB

Download
memory/1840-62-0x0000000000400000-0x00000000004E1000-memory.dmp

Filesize
900KB

Download
memory/1840-74-0x0000000000130000-0x0000000000131000-memory.dmp

Filesize
4KB

Download
memory/1840-70-0x000000000049AB80-mapping.dmp

Download
memory/1840-69-0x0000000000400000-0x00000000004E1000-memory.dmp

Filesize
900KB

Download
memory/1840-63-0x0000000000400000-0x00000000004E1000-memory.dmp

Filesize
900KB

Download
memory/1840-68-0x0000000000400000-0x00000000004E1000-memory.dmp

Filesize
900KB

Download
memory/1840-66-0x0000000000400000-0x00000000004E1000-memory.dmp

Filesize
900KB

Download
memory/1840-64-0x0000000000400000-0x00000000004E1000-memory.dmp

Filesize
900KB

Download
memory/1840-72-0x0000000000400000-0x00000000004E1000-memory.dmp

Filesize
900KB

Download
memory/1996-110-0x0000000000400000-0x00000000004E1000-memory.dmp

Filesize
900KB

Download
memory/1996-111-0x0000000000130000-0x0000000000131000-memory.dmp

Filesize
4KB

Download
memory/1996-100-0x000000000049AB80-mapping.dmp

Download
memory/2036-112-0x0000000004AB0000-0x0000000004AB1000-memory.dmp

Filesize
4KB

Download
memory/2036-108-0x0000000000040000-0x0000000000041000-memory.dmp

Filesize
4KB

Download
memory/2036-105-0x0000000000000000-mapping.dmp

Download