snakekeylogger | c99b050645ebbc138018a9dcb4c3029bc1a9aa9376e7541c1011e815942948e1

Resubmissions

01-02-2023 17:02

230201-vj6p3aah39 10

01-02-2023 17:00

230201-vjf5eacg4s 10

01-02-2023 16:57

230201-vgbrxacg2y 10

Analysis

max time kernel
600s
max time network
432s
platform
windows10-1703_x64
resource
win10-20220901-en
resource tags

arch:x64arch:x86image:win10-20220901-enlocale:en-usos:windows10-1703-x64system
submitted
01-02-2023 17:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Halkbank_Ekstre_20230129_075423_612150o.pdf..exe
Size

461KB
MD5

51505dd088beb3a3406dab4bcfc0090b
SHA1

7efb628f6b348b0f19360241f3f0661419617bc7
SHA256

5f16e8c1fef7f5f311b814b10f7b9e9b1ec3c204075fb8bb48ac207e256ea208
SHA512

dc05dc73895114c6025c986d696a3a6044c26f2e6e2c5863c33a7806461033f99ae2dbae153cdf1c1d2b93ee9686bddf98d2b58759e13aef923dbf0635e3166c
SSDEEP

12288:GENN+T5xYrllrU7QY62YrTNbwcD/xtDmpfJuB3:K5xolYQY62YrZ0nfs5

Score

10^/10

snakekeylogger collection evasion keylogger persistence spyware stealer upx

Malware Config

Extracted

Family

snakekeylogger

https://api.telegram.org/bot5801425382:AAG5b4PUEaqNDv5uP9ejZGeIHeuzzOD4IHY/sendMessage?chat_id=5812329204

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

explorer.exesvchost.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	svchost.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Processes:

explorer.exesvchost.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe

Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
stealer keylogger snakekeylogger

Snake Keylogger payload 2 IoCs

Processes:

resource	yara_rule
behavioral11/memory/4748-438-0x0000000002E10000-0x0000000002E36000-memory.dmp	family_snakekeylogger
behavioral11/memory/4748-452-0x0000000000400000-0x000000000043A000-memory.dmp	family_snakekeylogger

Executes dropped EXE 9 IoCs

Processes:

halkbank_ekstre_20230129_075423_612150o.pdf..exe iauwp.exeicsys.icn.exeexplorer.exeiauwp.exeiauwp.exespoolsv.exesvchost.exespoolsv.exe

pid	process
3020	halkbank_ekstre_20230129_075423_612150o.pdf..exe
3708	iauwp.exe
4060	icsys.icn.exe
4180	explorer.exe
4428	iauwp.exe
4748	iauwp.exe
4652	spoolsv.exe
1276	svchost.exe
616	spoolsv.exe

Modifies Installed Components in the registry 2 TTPs 10 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

svchost.exeexplorer.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	svchost.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	svchost.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	svchost.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	svchost.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	svchost.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}	svchost.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	explorer.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}	svchost.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral11/memory/4748-452-0x0000000000400000-0x000000000043A000-memory.dmp	upx

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

iauwp.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	iauwp.exe
Key opened	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	iauwp.exe
Key opened	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	iauwp.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

svchost.exeexplorer.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	svchost.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

1 checkip.dyndns.org
Suspicious use of SetThreadContext 1 IoCs

Processes:

iauwp.exe

description pid process target process

PID 3708 set thread context of 4748 3708 iauwp.exe iauwp.exe

flow	ioc
1	checkip.dyndns.org

description	pid	process	target process
PID 3708 set thread context of 4748	3708	iauwp.exe	iauwp.exe

Drops file in Windows directory 6 IoCs

Processes:

explorer.exeicsys.icn.exespoolsv.exesvchost.exe

description	ioc	process
File opened for modification	C:\Windows\system\udsys.exe	explorer.exe
File opened for modification	\??\c:\windows\system\explorer.exe	icsys.icn.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\system\svchost.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\svchost.exe	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

icsys.icn.exeiauwp.exeexplorer.exesvchost.exe

pid	process
4060	icsys.icn.exe
4060	icsys.icn.exe
4748	iauwp.exe
4180	explorer.exe
4180	explorer.exe
4748	iauwp.exe
4180	explorer.exe
4180	explorer.exe
4180	explorer.exe
4180	explorer.exe
4180	explorer.exe
4180	explorer.exe
4180	explorer.exe
1276	svchost.exe
4180	explorer.exe
1276	svchost.exe
4180	explorer.exe
4180	explorer.exe
1276	svchost.exe
1276	svchost.exe
4180	explorer.exe
4180	explorer.exe
4180	explorer.exe
1276	svchost.exe
4180	explorer.exe
1276	svchost.exe
1276	svchost.exe
4180	explorer.exe
4180	explorer.exe
1276	svchost.exe
4180	explorer.exe
1276	svchost.exe
4180	explorer.exe
1276	svchost.exe
4180	explorer.exe
1276	svchost.exe
4180	explorer.exe
1276	svchost.exe
4180	explorer.exe
1276	svchost.exe
4180	explorer.exe
1276	svchost.exe
1276	svchost.exe
4180	explorer.exe
1276	svchost.exe
4180	explorer.exe
4180	explorer.exe
1276	svchost.exe
4180	explorer.exe
1276	svchost.exe
1276	svchost.exe
4180	explorer.exe
4180	explorer.exe
1276	svchost.exe
4180	explorer.exe
1276	svchost.exe
4180	explorer.exe
1276	svchost.exe
1276	svchost.exe
4180	explorer.exe
4180	explorer.exe
1276	svchost.exe
4180	explorer.exe
1276	svchost.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

explorer.exesvchost.exe

pid process

4180 explorer.exe
1276 svchost.exe
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

iauwp.exe

pid process

3708 iauwp.exe
3708 iauwp.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

iauwp.exe

description pid process

Token: SeDebugPrivilege 4748 iauwp.exe

pid	process
4180	explorer.exe
1276	svchost.exe

pid	process
3708	iauwp.exe
3708	iauwp.exe

description	pid	process
Token: SeDebugPrivilege	4748	iauwp.exe

Suspicious use of SetWindowsHookEx 14 IoCs

Processes:

Halkbank_Ekstre_20230129_075423_612150o.pdf..exeicsys.icn.exeexplorer.exespoolsv.exesvchost.exespoolsv.exe

pid	process
3504	Halkbank_Ekstre_20230129_075423_612150o.pdf..exe
3504	Halkbank_Ekstre_20230129_075423_612150o.pdf..exe
4060	icsys.icn.exe
4060	icsys.icn.exe
4180	explorer.exe
4180	explorer.exe
4652	spoolsv.exe
4652	spoolsv.exe
1276	svchost.exe
1276	svchost.exe
616	spoolsv.exe
616	spoolsv.exe
4180	explorer.exe
4180	explorer.exe

Suspicious use of WriteProcessMemory 58 IoCs

Processes:

Halkbank_Ekstre_20230129_075423_612150o.pdf..exehalkbank_ekstre_20230129_075423_612150o.pdf..exe icsys.icn.exeiauwp.exeexplorer.exespoolsv.exesvchost.exe

description	pid	process	target process
PID 3504 wrote to memory of 3020	3504	Halkbank_Ekstre_20230129_075423_612150o.pdf..exe	halkbank_ekstre_20230129_075423_612150o.pdf..exe
PID 3504 wrote to memory of 3020	3504	Halkbank_Ekstre_20230129_075423_612150o.pdf..exe	halkbank_ekstre_20230129_075423_612150o.pdf..exe
PID 3504 wrote to memory of 3020	3504	Halkbank_Ekstre_20230129_075423_612150o.pdf..exe	halkbank_ekstre_20230129_075423_612150o.pdf..exe
PID 3020 wrote to memory of 3708	3020	halkbank_ekstre_20230129_075423_612150o.pdf..exe	iauwp.exe
PID 3020 wrote to memory of 3708	3020	halkbank_ekstre_20230129_075423_612150o.pdf..exe	iauwp.exe
PID 3020 wrote to memory of 3708	3020	halkbank_ekstre_20230129_075423_612150o.pdf..exe	iauwp.exe
PID 3504 wrote to memory of 4060	3504	Halkbank_Ekstre_20230129_075423_612150o.pdf..exe	icsys.icn.exe
PID 3504 wrote to memory of 4060	3504	Halkbank_Ekstre_20230129_075423_612150o.pdf..exe	icsys.icn.exe
PID 3504 wrote to memory of 4060	3504	Halkbank_Ekstre_20230129_075423_612150o.pdf..exe	icsys.icn.exe
PID 4060 wrote to memory of 4180	4060	icsys.icn.exe	explorer.exe
PID 4060 wrote to memory of 4180	4060	icsys.icn.exe	explorer.exe
PID 4060 wrote to memory of 4180	4060	icsys.icn.exe	explorer.exe
PID 3708 wrote to memory of 4428	3708	iauwp.exe	iauwp.exe
PID 3708 wrote to memory of 4428	3708	iauwp.exe	iauwp.exe
PID 3708 wrote to memory of 4428	3708	iauwp.exe	iauwp.exe
PID 3708 wrote to memory of 4748	3708	iauwp.exe	iauwp.exe
PID 3708 wrote to memory of 4748	3708	iauwp.exe	iauwp.exe
PID 3708 wrote to memory of 4748	3708	iauwp.exe	iauwp.exe
PID 3708 wrote to memory of 4748	3708	iauwp.exe	iauwp.exe
PID 4180 wrote to memory of 4652	4180	explorer.exe	spoolsv.exe
PID 4180 wrote to memory of 4652	4180	explorer.exe	spoolsv.exe
PID 4180 wrote to memory of 4652	4180	explorer.exe	spoolsv.exe
PID 4652 wrote to memory of 1276	4652	spoolsv.exe	svchost.exe
PID 4652 wrote to memory of 1276	4652	spoolsv.exe	svchost.exe
PID 4652 wrote to memory of 1276	4652	spoolsv.exe	svchost.exe
PID 1276 wrote to memory of 616	1276	svchost.exe	spoolsv.exe
PID 1276 wrote to memory of 616	1276	svchost.exe	spoolsv.exe
PID 1276 wrote to memory of 616	1276	svchost.exe	spoolsv.exe
PID 1276 wrote to memory of 3472	1276	svchost.exe	at.exe
PID 1276 wrote to memory of 3472	1276	svchost.exe	at.exe
PID 1276 wrote to memory of 3472	1276	svchost.exe	at.exe
PID 1276 wrote to memory of 1296	1276	svchost.exe	at.exe
PID 1276 wrote to memory of 1296	1276	svchost.exe	at.exe
PID 1276 wrote to memory of 1296	1276	svchost.exe	at.exe
PID 1276 wrote to memory of 2268	1276	svchost.exe	at.exe
PID 1276 wrote to memory of 2268	1276	svchost.exe	at.exe
PID 1276 wrote to memory of 2268	1276	svchost.exe	at.exe
PID 1276 wrote to memory of 4980	1276	svchost.exe	at.exe
PID 1276 wrote to memory of 4980	1276	svchost.exe	at.exe
PID 1276 wrote to memory of 4980	1276	svchost.exe	at.exe
PID 1276 wrote to memory of 2264	1276	svchost.exe	at.exe
PID 1276 wrote to memory of 2264	1276	svchost.exe	at.exe
PID 1276 wrote to memory of 2264	1276	svchost.exe	at.exe
PID 1276 wrote to memory of 4476	1276	svchost.exe	at.exe
PID 1276 wrote to memory of 4476	1276	svchost.exe	at.exe
PID 1276 wrote to memory of 4476	1276	svchost.exe	at.exe
PID 1276 wrote to memory of 4844	1276	svchost.exe	at.exe
PID 1276 wrote to memory of 4844	1276	svchost.exe	at.exe
PID 1276 wrote to memory of 4844	1276	svchost.exe	at.exe
PID 1276 wrote to memory of 1848	1276	svchost.exe	at.exe
PID 1276 wrote to memory of 1848	1276	svchost.exe	at.exe
PID 1276 wrote to memory of 1848	1276	svchost.exe	at.exe
PID 1276 wrote to memory of 1692	1276	svchost.exe	at.exe
PID 1276 wrote to memory of 1692	1276	svchost.exe	at.exe
PID 1276 wrote to memory of 1692	1276	svchost.exe	at.exe
PID 1276 wrote to memory of 32	1276	svchost.exe	at.exe
PID 1276 wrote to memory of 32	1276	svchost.exe	at.exe
PID 1276 wrote to memory of 32	1276	svchost.exe	at.exe

outlook_office_path 1 IoCs

Processes:

iauwp.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	iauwp.exe

outlook_win_path 1 IoCs

Processes:

iauwp.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	iauwp.exe

C:\Users\Admin\AppData\Local\Temp\Halkbank_Ekstre_20230129_075423_612150o.pdf..exe
"C:\Users\Admin\AppData\Local\Temp\Halkbank_Ekstre_20230129_075423_612150o.pdf..exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3504

\??\c:\users\admin\appdata\local\temp\halkbank_ekstre_20230129_075423_612150o.pdf..exe
c:\users\admin\appdata\local\temp\halkbank_ekstre_20230129_075423_612150o.pdf..exe
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3020

C:\Users\Admin\AppData\Local\Temp\iauwp.exe
"C:\Users\Admin\AppData\Local\Temp\iauwp.exe" C:\Users\Admin\AppData\Local\Temp\iqvpwdmb.c
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:3708

C:\Users\Admin\AppData\Local\Temp\iauwp.exe
"C:\Users\Admin\AppData\Local\Temp\iauwp.exe"
4⤵
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:4748

C:\Users\Admin\AppData\Local\Temp\iauwp.exe
"C:\Users\Admin\AppData\Local\Temp\iauwp.exe"
4⤵
- Executes dropped EXE
PID:4428

C:\Users\Admin\AppData\Local\icsys.icn.exe
C:\Users\Admin\AppData\Local\icsys.icn.exe
2⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4060

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
3⤵
- Modifies WinLogon for persistence
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Modifies Installed Components in the registry
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4180

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
4⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4652

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
5⤵
- Modifies WinLogon for persistence
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Modifies Installed Components in the registry
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1276

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe PR
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:616

C:\Windows\SysWOW64\at.exe
at 17:04 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
6⤵
PID:3472

C:\Windows\SysWOW64\at.exe
at 17:05 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
6⤵
PID:1296

C:\Windows\SysWOW64\at.exe
at 17:06 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
6⤵
PID:2268

C:\Windows\SysWOW64\at.exe
at 17:07 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
6⤵
PID:4980

C:\Windows\SysWOW64\at.exe
at 17:08 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
6⤵
PID:2264

C:\Windows\SysWOW64\at.exe
at 17:09 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
6⤵
PID:4476

C:\Windows\SysWOW64\at.exe
at 17:10 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
6⤵
PID:4844

C:\Windows\SysWOW64\at.exe
at 17:11 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
6⤵
PID:1848

C:\Windows\SysWOW64\at.exe
at 17:12 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
6⤵
PID:1692

C:\Windows\SysWOW64\at.exe
at 17:13 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
6⤵
PID:32

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

T1004

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Hidden Files and Directories

T1158

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\halkbank_ekstre_20230129_075423_612150o.pdf..exe
Filesize
187KB

MD5
c742b622a88a10779fe1673d751dc622

SHA1
2e1de5d8dbe6ade1af87ce06c31172d8c0a9baa8

SHA256
480fb8507176e7ab166f14cdc41e7d2d887555a8327800e989a5b07ec4ac7a2b

SHA512
c639ad738805b21617169a34da91fbba7a2b3a296e87cde799c2bda0f169742e8842160dd2bb89da37cdecdd2b17713165e33383e9f92179f5df2624c9bb4e96

Download Submit
C:\Users\Admin\AppData\Local\Temp\iauwp.exe
Filesize
80KB

MD5
82d9274bf661ed3fdb3d7e7d66efb9ba

SHA1
5f98a0699b92d2db63e4baa3c71920561bc49838

SHA256
306c0a2b8efa7c76f69246bed00e98b1d8c012446abdf48f650d9d7343562c34

SHA512
caf704dc43e4976a15a0bccb3ac6a7501d07c6d3855b6b3a1c9a69e1a6e3402548d61119229cdb34526a574cb44b988ac409155e1e308cf87112590aa10228f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\iauwp.exe
Filesize
80KB

MD5
82d9274bf661ed3fdb3d7e7d66efb9ba

SHA1
5f98a0699b92d2db63e4baa3c71920561bc49838

SHA256
306c0a2b8efa7c76f69246bed00e98b1d8c012446abdf48f650d9d7343562c34

SHA512
caf704dc43e4976a15a0bccb3ac6a7501d07c6d3855b6b3a1c9a69e1a6e3402548d61119229cdb34526a574cb44b988ac409155e1e308cf87112590aa10228f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\iauwp.exe
Filesize
80KB

MD5
82d9274bf661ed3fdb3d7e7d66efb9ba

SHA1
5f98a0699b92d2db63e4baa3c71920561bc49838

SHA256
306c0a2b8efa7c76f69246bed00e98b1d8c012446abdf48f650d9d7343562c34

SHA512
caf704dc43e4976a15a0bccb3ac6a7501d07c6d3855b6b3a1c9a69e1a6e3402548d61119229cdb34526a574cb44b988ac409155e1e308cf87112590aa10228f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\iauwp.exe
Filesize
80KB

MD5
82d9274bf661ed3fdb3d7e7d66efb9ba

SHA1
5f98a0699b92d2db63e4baa3c71920561bc49838

SHA256
306c0a2b8efa7c76f69246bed00e98b1d8c012446abdf48f650d9d7343562c34

SHA512
caf704dc43e4976a15a0bccb3ac6a7501d07c6d3855b6b3a1c9a69e1a6e3402548d61119229cdb34526a574cb44b988ac409155e1e308cf87112590aa10228f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\iqvpwdmb.c
Filesize
6KB

MD5
2dc8af96232838d201200a49b0efa632

SHA1
50bc216ff603fdfefbf0ab04ff7ffea362278eb7

SHA256
493f4e6b0acc7d4fe146d28857a37873ddaff27dba8b2491b4352db9a0eb9043

SHA512
972be1e52ce1f83f414cf3eee27887eb8ccc294f08ca628300236c0147735bdec3e75ed50c313eba20536e51e3485d303a0495ee8caae8dc548ecbc438ff818c

Download Submit
C:\Users\Admin\AppData\Local\Temp\robdkcso.dju
Filesize
104KB

MD5
c4a8e79b487d9f5076ba9235f17e7547

SHA1
1bf348776f2b90901abfaa9175a6effb4cd5954c

SHA256
b0fa484010127572ef9d688662423a027031012298d8da401597243fdcf54bd9

SHA512
d6543cae79e376e690225b3f0b1d3549c84d6c3eec2a8110186cc1e475640b0dd10b87421f8f40680f88210b4dd3d30a6b12c3398946c9245ab83e0848212d78

Download Submit
C:\Users\Admin\AppData\Local\icsys.icn.exe
Filesize
274KB

MD5
7bca1694aa035681f0ebd2b4f1ff1835

SHA1
c88a597f9beb5ce96708fa79ff1fd7d4a73b1582

SHA256
ee6f10c71ff99a3d2fea29a9992a8e30b8dd05acf7923d5072ecff6cad23d225

SHA512
aa934486b3b68041ffc09f87b65c548bda122966b58ae0f9d68bbbdbbb2d17c543e51a9545ad09eff30b65459e99446bb066d2ea556de27cc25206ea1b07d185

Download Submit
C:\Users\Admin\AppData\Local\icsys.icn.exe
Filesize
274KB

MD5
7bca1694aa035681f0ebd2b4f1ff1835

SHA1
c88a597f9beb5ce96708fa79ff1fd7d4a73b1582

SHA256
ee6f10c71ff99a3d2fea29a9992a8e30b8dd05acf7923d5072ecff6cad23d225

SHA512
aa934486b3b68041ffc09f87b65c548bda122966b58ae0f9d68bbbdbbb2d17c543e51a9545ad09eff30b65459e99446bb066d2ea556de27cc25206ea1b07d185

Download Submit
C:\Users\Admin\AppData\Roaming\mrsys.exe
Filesize
274KB

MD5
b0ac204533d17b8f08d93d1d715f19fd

SHA1
249f4b8922452a44561bac0ddb491872cfa773bc

SHA256
2dc2f8d53db29124ac636265bf45320c15c6c2037af22ec179170485e5a7940b

SHA512
231e103353b35df55685458a6d56402aa983c0050c670f8ffd6c9d59f8a261aa15a92e8ebb2d2e2af5233baa86ae71febcce2650e919aeca20d0c757267ed301

Download Submit
C:\Windows\System\explorer.exe
Filesize
274KB

MD5
582e8c032f5a532475bad0eb4816f2ca

SHA1
e4c16d1c7a2decdb99ebd7d7993ddac3e386132d

SHA256
a3acca53015ce670397b8479c20d42474eecea8d290b52a44f73ce5e45a77e15

SHA512
7dd21c6cd08c1c2023c8e8ca1f0835145f55923625030980e82de520e3a25568342248c3534725050737a5d6f64127c7b2f612d2395555d1798a02850c5ddf2a

Download Submit
C:\Windows\System\spoolsv.exe
Filesize
274KB

MD5
7e88d85a21b15a2914d11a2a646d0f5f

SHA1
0318edbe628760d25f47afefb5caaf7cecb905cd

SHA256
e1f699aebc0fc76e0db04267dd37ab809c86951837141eea321bf71148983587

SHA512
954a82fb0d6d3a87e489fd0d72de55b7641f349b74ae56b1737ce0f00800ee88944c9fffaf4033677aeea85044025ef16bbab302c366fa0e11c1d7c687c407d6

Download Submit
C:\Windows\System\spoolsv.exe
Filesize
274KB

MD5
7e88d85a21b15a2914d11a2a646d0f5f

SHA1
0318edbe628760d25f47afefb5caaf7cecb905cd

SHA256
e1f699aebc0fc76e0db04267dd37ab809c86951837141eea321bf71148983587

SHA512
954a82fb0d6d3a87e489fd0d72de55b7641f349b74ae56b1737ce0f00800ee88944c9fffaf4033677aeea85044025ef16bbab302c366fa0e11c1d7c687c407d6

Download Submit
C:\Windows\System\svchost.exe
Filesize
274KB

MD5
f09b4f5f65705042c86b16837a746098

SHA1
5fa707fc8084783078b789fb9333f4787c1751ca

SHA256
959a6a7b24d5d37b2195d6cff717eab1ad1fba1e29b13eafee302bd0a9ff4723

SHA512
a80db9264536118ba37d29ec846c6d634897ec081bd3f86e556ecbc747f7caacff1d616ccd9a24fd57d04b6922abda293e72777cf324eabde1634eb4cbe97f9a

Download Submit
\??\c:\users\admin\appdata\local\temp\halkbank_ekstre_20230129_075423_612150o.pdf..exe
Filesize
187KB

MD5
c742b622a88a10779fe1673d751dc622

SHA1
2e1de5d8dbe6ade1af87ce06c31172d8c0a9baa8

SHA256
480fb8507176e7ab166f14cdc41e7d2d887555a8327800e989a5b07ec4ac7a2b

SHA512
c639ad738805b21617169a34da91fbba7a2b3a296e87cde799c2bda0f169742e8842160dd2bb89da37cdecdd2b17713165e33383e9f92179f5df2624c9bb4e96

Download Submit
\??\c:\windows\system\explorer.exe
Filesize
274KB

MD5
582e8c032f5a532475bad0eb4816f2ca

SHA1
e4c16d1c7a2decdb99ebd7d7993ddac3e386132d

SHA256
a3acca53015ce670397b8479c20d42474eecea8d290b52a44f73ce5e45a77e15

SHA512
7dd21c6cd08c1c2023c8e8ca1f0835145f55923625030980e82de520e3a25568342248c3534725050737a5d6f64127c7b2f612d2395555d1798a02850c5ddf2a

Download Submit
\??\c:\windows\system\spoolsv.exe
Filesize
274KB

MD5
7e88d85a21b15a2914d11a2a646d0f5f

SHA1
0318edbe628760d25f47afefb5caaf7cecb905cd

SHA256
e1f699aebc0fc76e0db04267dd37ab809c86951837141eea321bf71148983587

SHA512
954a82fb0d6d3a87e489fd0d72de55b7641f349b74ae56b1737ce0f00800ee88944c9fffaf4033677aeea85044025ef16bbab302c366fa0e11c1d7c687c407d6

Download Submit
\??\c:\windows\system\svchost.exe
Filesize
274KB

MD5
f09b4f5f65705042c86b16837a746098

SHA1
5fa707fc8084783078b789fb9333f4787c1751ca

SHA256
959a6a7b24d5d37b2195d6cff717eab1ad1fba1e29b13eafee302bd0a9ff4723

SHA512
a80db9264536118ba37d29ec846c6d634897ec081bd3f86e556ecbc747f7caacff1d616ccd9a24fd57d04b6922abda293e72777cf324eabde1634eb4cbe97f9a

Download Submit
memory/32-753-0x0000000000000000-mapping.dmp

Download
memory/616-508-0x0000000000000000-mapping.dmp

Download
memory/616-554-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1276-444-0x0000000000000000-mapping.dmp

Download
memory/1276-612-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1296-591-0x0000000000000000-mapping.dmp

Download
memory/1692-733-0x0000000000000000-mapping.dmp

Download
memory/1848-713-0x0000000000000000-mapping.dmp

Download
memory/2264-653-0x0000000000000000-mapping.dmp

Download
memory/2268-613-0x0000000000000000-mapping.dmp

Download
memory/3020-162-0x0000000000000000-mapping.dmp

Download
memory/3020-167-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/3020-176-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/3020-177-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/3020-178-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/3020-179-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/3020-186-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/3020-185-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/3020-184-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/3020-183-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/3020-182-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/3020-181-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/3020-180-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/3020-170-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/3020-169-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/3020-164-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/3020-166-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/3020-165-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/3020-168-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/3020-171-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/3020-172-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/3020-173-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/3020-174-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/3020-175-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/3472-560-0x0000000000000000-mapping.dmp

Download
memory/3504-129-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/3504-148-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/3504-161-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/3504-117-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/3504-155-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/3504-157-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/3504-159-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/3504-160-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/3504-158-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/3504-156-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/3504-154-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/3504-152-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/3504-151-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/3504-150-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/3504-144-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/3504-143-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/3504-118-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/3504-119-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/3504-140-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/3504-120-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/3504-142-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/3504-141-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/3504-139-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/3504-121-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/3504-137-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/3504-138-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/3504-136-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/3504-135-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/3504-134-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/3504-122-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/3504-123-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/3504-133-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/3504-132-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3504-124-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/3504-131-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/3504-145-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/3504-567-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3504-130-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/3504-125-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/3504-126-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/3504-147-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/3504-128-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/3504-127-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/3708-212-0x0000000000000000-mapping.dmp

Download
memory/4060-564-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4060-220-0x0000000000000000-mapping.dmp

Download
memory/4060-226-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4180-611-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4180-304-0x0000000000000000-mapping.dmp

Download
memory/4476-673-0x0000000000000000-mapping.dmp

Download
memory/4652-364-0x0000000000000000-mapping.dmp

Download
memory/4652-558-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4748-438-0x0000000002E10000-0x0000000002E36000-memory.dmp

Filesize
152KB

Download
memory/4748-351-0x0000000000438680-mapping.dmp

Download
memory/4748-590-0x0000000006390000-0x000000000639A000-memory.dmp

Filesize
40KB

Download
memory/4748-586-0x00000000063E0000-0x0000000006472000-memory.dmp

Filesize
584KB

Download
memory/4748-585-0x0000000006510000-0x00000000066D2000-memory.dmp

Filesize
1.8MB

Download
memory/4748-447-0x0000000005870000-0x0000000005D6E000-memory.dmp

Filesize
5.0MB

Download
memory/4748-452-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4748-454-0x0000000005420000-0x00000000054BC000-memory.dmp

Filesize
624KB

Download
memory/4844-693-0x0000000000000000-mapping.dmp

Download
memory/4980-633-0x0000000000000000-mapping.dmp

Download