snakekeylogger | c99b050645ebbc138018a9dcb4c3029bc1a9aa9376e7541c1011e815942948e1

Resubmissions

01-02-2023 17:02

230201-vj6p3aah39 10

01-02-2023 17:00

230201-vjf5eacg4s 10

01-02-2023 16:57

230201-vgbrxacg2y 10

Analysis

max time kernel
600s
max time network
512s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
01-02-2023 17:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Halkbank_Ekstre_20230129_075423_612150o.pdf..exe
Size

461KB
MD5

51505dd088beb3a3406dab4bcfc0090b
SHA1

7efb628f6b348b0f19360241f3f0661419617bc7
SHA256

5f16e8c1fef7f5f311b814b10f7b9e9b1ec3c204075fb8bb48ac207e256ea208
SHA512

dc05dc73895114c6025c986d696a3a6044c26f2e6e2c5863c33a7806461033f99ae2dbae153cdf1c1d2b93ee9686bddf98d2b58759e13aef923dbf0635e3166c
SSDEEP

12288:GENN+T5xYrllrU7QY62YrTNbwcD/xtDmpfJuB3:K5xolYQY62YrZ0nfs5

Score

10^/10

snakekeylogger collection evasion keylogger persistence spyware stealer upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

explorer.exesvchost.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	svchost.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Processes:

explorer.exesvchost.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe

Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
stealer keylogger snakekeylogger

Snake Keylogger payload 1 IoCs

Processes:

resource	yara_rule
behavioral12/memory/4328-187-0x0000000000400000-0x000000000043A000-memory.dmp	family_snakekeylogger

Executes dropped EXE 8 IoCs

Processes:

halkbank_ekstre_20230129_075423_612150o.pdf..exe iauwp.exeicsys.icn.exeexplorer.exespoolsv.exesvchost.exespoolsv.exeiauwp.exe

pid	process
4764	halkbank_ekstre_20230129_075423_612150o.pdf..exe
1256	iauwp.exe
4276	icsys.icn.exe
4576	explorer.exe
4612	spoolsv.exe
540	svchost.exe
400	spoolsv.exe
4328	iauwp.exe

Modifies Installed Components in the registry 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

svchost.exeexplorer.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	svchost.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}	svchost.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	explorer.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	svchost.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	svchost.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	svchost.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral12/memory/4328-187-0x0000000000400000-0x000000000043A000-memory.dmp	upx

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

iauwp.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	iauwp.exe
Key opened	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	iauwp.exe
Key opened	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	iauwp.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

explorer.exesvchost.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	svchost.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

3 checkip.dyndns.org
Suspicious use of SetThreadContext 1 IoCs

Processes:

iauwp.exe

description pid process target process

PID 1256 set thread context of 4328 1256 iauwp.exe iauwp.exe

flow	ioc
3	checkip.dyndns.org

description	pid	process	target process
PID 1256 set thread context of 4328	1256	iauwp.exe	iauwp.exe

Drops file in Windows directory 6 IoCs

Processes:

explorer.exespoolsv.exesvchost.exeicsys.icn.exe

description	ioc	process
File opened for modification	\??\c:\windows\system\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\system\svchost.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\svchost.exe	svchost.exe
File opened for modification	C:\Windows\system\udsys.exe	explorer.exe
File opened for modification	\??\c:\windows\system\explorer.exe	icsys.icn.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

icsys.icn.exeexplorer.exesvchost.exeiauwp.exe

pid	process
4276	icsys.icn.exe
4276	icsys.icn.exe
4576	explorer.exe
4576	explorer.exe
4576	explorer.exe
4576	explorer.exe
4576	explorer.exe
4576	explorer.exe
4576	explorer.exe
4576	explorer.exe
4576	explorer.exe
4576	explorer.exe
540	svchost.exe
540	svchost.exe
540	svchost.exe
540	svchost.exe
4576	explorer.exe
4576	explorer.exe
540	svchost.exe
540	svchost.exe
540	svchost.exe
540	svchost.exe
4576	explorer.exe
4576	explorer.exe
4328	iauwp.exe
4576	explorer.exe
540	svchost.exe
4576	explorer.exe
540	svchost.exe
540	svchost.exe
4576	explorer.exe
540	svchost.exe
4576	explorer.exe
540	svchost.exe
4576	explorer.exe
540	svchost.exe
4576	explorer.exe
4576	explorer.exe
4576	explorer.exe
540	svchost.exe
540	svchost.exe
540	svchost.exe
4576	explorer.exe
540	svchost.exe
4576	explorer.exe
540	svchost.exe
4576	explorer.exe
540	svchost.exe
4576	explorer.exe
540	svchost.exe
4576	explorer.exe
540	svchost.exe
4576	explorer.exe
4576	explorer.exe
540	svchost.exe
4576	explorer.exe
540	svchost.exe
4576	explorer.exe
540	svchost.exe
4576	explorer.exe
540	svchost.exe
540	svchost.exe
4576	explorer.exe
4576	explorer.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

explorer.exesvchost.exe

pid process

4576 explorer.exe
540 svchost.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

iauwp.exe

pid process

1256 iauwp.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

iauwp.exe

description pid process

Token: SeDebugPrivilege 4328 iauwp.exe

pid	process
4576	explorer.exe
540	svchost.exe

pid	process
1256	iauwp.exe

description	pid	process
Token: SeDebugPrivilege	4328	iauwp.exe

Suspicious use of SetWindowsHookEx 14 IoCs

Processes:

Halkbank_Ekstre_20230129_075423_612150o.pdf..exeicsys.icn.exeexplorer.exespoolsv.exesvchost.exespoolsv.exe

pid	process
4876	Halkbank_Ekstre_20230129_075423_612150o.pdf..exe
4876	Halkbank_Ekstre_20230129_075423_612150o.pdf..exe
4276	icsys.icn.exe
4276	icsys.icn.exe
4576	explorer.exe
4576	explorer.exe
4612	spoolsv.exe
4612	spoolsv.exe
540	svchost.exe
540	svchost.exe
400	spoolsv.exe
400	spoolsv.exe
4576	explorer.exe
4576	explorer.exe

Suspicious use of WriteProcessMemory 55 IoCs

Processes:

Halkbank_Ekstre_20230129_075423_612150o.pdf..exehalkbank_ekstre_20230129_075423_612150o.pdf..exe icsys.icn.exeexplorer.exespoolsv.exeiauwp.exesvchost.exe

description	pid	process	target process
PID 4876 wrote to memory of 4764	4876	Halkbank_Ekstre_20230129_075423_612150o.pdf..exe	halkbank_ekstre_20230129_075423_612150o.pdf..exe
PID 4876 wrote to memory of 4764	4876	Halkbank_Ekstre_20230129_075423_612150o.pdf..exe	halkbank_ekstre_20230129_075423_612150o.pdf..exe
PID 4876 wrote to memory of 4764	4876	Halkbank_Ekstre_20230129_075423_612150o.pdf..exe	halkbank_ekstre_20230129_075423_612150o.pdf..exe
PID 4764 wrote to memory of 1256	4764	halkbank_ekstre_20230129_075423_612150o.pdf..exe	iauwp.exe
PID 4764 wrote to memory of 1256	4764	halkbank_ekstre_20230129_075423_612150o.pdf..exe	iauwp.exe
PID 4764 wrote to memory of 1256	4764	halkbank_ekstre_20230129_075423_612150o.pdf..exe	iauwp.exe
PID 4876 wrote to memory of 4276	4876	Halkbank_Ekstre_20230129_075423_612150o.pdf..exe	icsys.icn.exe
PID 4876 wrote to memory of 4276	4876	Halkbank_Ekstre_20230129_075423_612150o.pdf..exe	icsys.icn.exe
PID 4876 wrote to memory of 4276	4876	Halkbank_Ekstre_20230129_075423_612150o.pdf..exe	icsys.icn.exe
PID 4276 wrote to memory of 4576	4276	icsys.icn.exe	explorer.exe
PID 4276 wrote to memory of 4576	4276	icsys.icn.exe	explorer.exe
PID 4276 wrote to memory of 4576	4276	icsys.icn.exe	explorer.exe
PID 4576 wrote to memory of 4612	4576	explorer.exe	spoolsv.exe
PID 4576 wrote to memory of 4612	4576	explorer.exe	spoolsv.exe
PID 4576 wrote to memory of 4612	4576	explorer.exe	spoolsv.exe
PID 4612 wrote to memory of 540	4612	spoolsv.exe	svchost.exe
PID 4612 wrote to memory of 540	4612	spoolsv.exe	svchost.exe
PID 4612 wrote to memory of 540	4612	spoolsv.exe	svchost.exe
PID 1256 wrote to memory of 4328	1256	iauwp.exe	iauwp.exe
PID 1256 wrote to memory of 4328	1256	iauwp.exe	iauwp.exe
PID 1256 wrote to memory of 4328	1256	iauwp.exe	iauwp.exe
PID 540 wrote to memory of 400	540	svchost.exe	spoolsv.exe
PID 540 wrote to memory of 400	540	svchost.exe	spoolsv.exe
PID 540 wrote to memory of 400	540	svchost.exe	spoolsv.exe
PID 1256 wrote to memory of 4328	1256	iauwp.exe	iauwp.exe
PID 540 wrote to memory of 4820	540	svchost.exe	at.exe
PID 540 wrote to memory of 4820	540	svchost.exe	at.exe
PID 540 wrote to memory of 4820	540	svchost.exe	at.exe
PID 540 wrote to memory of 1268	540	svchost.exe	at.exe
PID 540 wrote to memory of 1268	540	svchost.exe	at.exe
PID 540 wrote to memory of 1268	540	svchost.exe	at.exe
PID 540 wrote to memory of 3256	540	svchost.exe	at.exe
PID 540 wrote to memory of 3256	540	svchost.exe	at.exe
PID 540 wrote to memory of 3256	540	svchost.exe	at.exe
PID 540 wrote to memory of 4248	540	svchost.exe	at.exe
PID 540 wrote to memory of 4248	540	svchost.exe	at.exe
PID 540 wrote to memory of 4248	540	svchost.exe	at.exe
PID 540 wrote to memory of 4908	540	svchost.exe	at.exe
PID 540 wrote to memory of 4908	540	svchost.exe	at.exe
PID 540 wrote to memory of 4908	540	svchost.exe	at.exe
PID 540 wrote to memory of 4840	540	svchost.exe	at.exe
PID 540 wrote to memory of 4840	540	svchost.exe	at.exe
PID 540 wrote to memory of 4840	540	svchost.exe	at.exe
PID 540 wrote to memory of 1648	540	svchost.exe	at.exe
PID 540 wrote to memory of 1648	540	svchost.exe	at.exe
PID 540 wrote to memory of 1648	540	svchost.exe	at.exe
PID 540 wrote to memory of 876	540	svchost.exe	at.exe
PID 540 wrote to memory of 876	540	svchost.exe	at.exe
PID 540 wrote to memory of 876	540	svchost.exe	at.exe
PID 540 wrote to memory of 1804	540	svchost.exe	at.exe
PID 540 wrote to memory of 1804	540	svchost.exe	at.exe
PID 540 wrote to memory of 1804	540	svchost.exe	at.exe
PID 540 wrote to memory of 3848	540	svchost.exe	at.exe
PID 540 wrote to memory of 3848	540	svchost.exe	at.exe
PID 540 wrote to memory of 3848	540	svchost.exe	at.exe

outlook_office_path 1 IoCs

Processes:

iauwp.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	iauwp.exe

outlook_win_path 1 IoCs

Processes:

iauwp.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	iauwp.exe

C:\Users\Admin\AppData\Local\Temp\Halkbank_Ekstre_20230129_075423_612150o.pdf..exe
"C:\Users\Admin\AppData\Local\Temp\Halkbank_Ekstre_20230129_075423_612150o.pdf..exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4876

\??\c:\users\admin\appdata\local\temp\halkbank_ekstre_20230129_075423_612150o.pdf..exe
c:\users\admin\appdata\local\temp\halkbank_ekstre_20230129_075423_612150o.pdf..exe
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4764

C:\Users\Admin\AppData\Local\Temp\iauwp.exe
"C:\Users\Admin\AppData\Local\Temp\iauwp.exe" C:\Users\Admin\AppData\Local\Temp\iqvpwdmb.c
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1256

C:\Users\Admin\AppData\Local\Temp\iauwp.exe
"C:\Users\Admin\AppData\Local\Temp\iauwp.exe"
4⤵
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:4328

C:\Users\Admin\AppData\Local\icsys.icn.exe
C:\Users\Admin\AppData\Local\icsys.icn.exe
2⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4276

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
3⤵
- Modifies WinLogon for persistence
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Modifies Installed Components in the registry
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4576

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
4⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4612

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
5⤵
- Modifies WinLogon for persistence
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Modifies Installed Components in the registry
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:540

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe PR
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:400

C:\Windows\SysWOW64\at.exe
at 18:04 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
6⤵
PID:4820

C:\Windows\SysWOW64\at.exe
at 18:05 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
6⤵
PID:1268

C:\Windows\SysWOW64\at.exe
at 18:06 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
6⤵
PID:3256

C:\Windows\SysWOW64\at.exe
at 18:07 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
6⤵
PID:4248

C:\Windows\SysWOW64\at.exe
at 18:08 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
6⤵
PID:4908

C:\Windows\SysWOW64\at.exe
at 18:09 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
6⤵
PID:4840

C:\Windows\SysWOW64\at.exe
at 18:10 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
6⤵
PID:1648

C:\Windows\SysWOW64\at.exe
at 18:11 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
6⤵
PID:876

C:\Windows\SysWOW64\at.exe
at 18:12 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
6⤵
PID:1804

C:\Windows\SysWOW64\at.exe
at 18:13 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
6⤵
PID:3848

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

T1004

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Hidden Files and Directories

T1158

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\halkbank_ekstre_20230129_075423_612150o.pdf..exe
Filesize
187KB

MD5
c742b622a88a10779fe1673d751dc622

SHA1
2e1de5d8dbe6ade1af87ce06c31172d8c0a9baa8

SHA256
480fb8507176e7ab166f14cdc41e7d2d887555a8327800e989a5b07ec4ac7a2b

SHA512
c639ad738805b21617169a34da91fbba7a2b3a296e87cde799c2bda0f169742e8842160dd2bb89da37cdecdd2b17713165e33383e9f92179f5df2624c9bb4e96

Download Submit
C:\Users\Admin\AppData\Local\Temp\iauwp.exe
Filesize
80KB

MD5
82d9274bf661ed3fdb3d7e7d66efb9ba

SHA1
5f98a0699b92d2db63e4baa3c71920561bc49838

SHA256
306c0a2b8efa7c76f69246bed00e98b1d8c012446abdf48f650d9d7343562c34

SHA512
caf704dc43e4976a15a0bccb3ac6a7501d07c6d3855b6b3a1c9a69e1a6e3402548d61119229cdb34526a574cb44b988ac409155e1e308cf87112590aa10228f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\iauwp.exe
Filesize
80KB

MD5
82d9274bf661ed3fdb3d7e7d66efb9ba

SHA1
5f98a0699b92d2db63e4baa3c71920561bc49838

SHA256
306c0a2b8efa7c76f69246bed00e98b1d8c012446abdf48f650d9d7343562c34

SHA512
caf704dc43e4976a15a0bccb3ac6a7501d07c6d3855b6b3a1c9a69e1a6e3402548d61119229cdb34526a574cb44b988ac409155e1e308cf87112590aa10228f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\iauwp.exe
Filesize
80KB

MD5
82d9274bf661ed3fdb3d7e7d66efb9ba

SHA1
5f98a0699b92d2db63e4baa3c71920561bc49838

SHA256
306c0a2b8efa7c76f69246bed00e98b1d8c012446abdf48f650d9d7343562c34

SHA512
caf704dc43e4976a15a0bccb3ac6a7501d07c6d3855b6b3a1c9a69e1a6e3402548d61119229cdb34526a574cb44b988ac409155e1e308cf87112590aa10228f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\iqvpwdmb.c
Filesize
6KB

MD5
2dc8af96232838d201200a49b0efa632

SHA1
50bc216ff603fdfefbf0ab04ff7ffea362278eb7

SHA256
493f4e6b0acc7d4fe146d28857a37873ddaff27dba8b2491b4352db9a0eb9043

SHA512
972be1e52ce1f83f414cf3eee27887eb8ccc294f08ca628300236c0147735bdec3e75ed50c313eba20536e51e3485d303a0495ee8caae8dc548ecbc438ff818c

Download Submit
C:\Users\Admin\AppData\Local\Temp\robdkcso.dju
Filesize
104KB

MD5
c4a8e79b487d9f5076ba9235f17e7547

SHA1
1bf348776f2b90901abfaa9175a6effb4cd5954c

SHA256
b0fa484010127572ef9d688662423a027031012298d8da401597243fdcf54bd9

SHA512
d6543cae79e376e690225b3f0b1d3549c84d6c3eec2a8110186cc1e475640b0dd10b87421f8f40680f88210b4dd3d30a6b12c3398946c9245ab83e0848212d78

Download Submit
C:\Users\Admin\AppData\Local\icsys.icn.exe
Filesize
274KB

MD5
7bca1694aa035681f0ebd2b4f1ff1835

SHA1
c88a597f9beb5ce96708fa79ff1fd7d4a73b1582

SHA256
ee6f10c71ff99a3d2fea29a9992a8e30b8dd05acf7923d5072ecff6cad23d225

SHA512
aa934486b3b68041ffc09f87b65c548bda122966b58ae0f9d68bbbdbbb2d17c543e51a9545ad09eff30b65459e99446bb066d2ea556de27cc25206ea1b07d185

Download Submit
C:\Users\Admin\AppData\Local\icsys.icn.exe
Filesize
274KB

MD5
7bca1694aa035681f0ebd2b4f1ff1835

SHA1
c88a597f9beb5ce96708fa79ff1fd7d4a73b1582

SHA256
ee6f10c71ff99a3d2fea29a9992a8e30b8dd05acf7923d5072ecff6cad23d225

SHA512
aa934486b3b68041ffc09f87b65c548bda122966b58ae0f9d68bbbdbbb2d17c543e51a9545ad09eff30b65459e99446bb066d2ea556de27cc25206ea1b07d185

Download Submit
C:\Users\Admin\AppData\Roaming\mrsys.exe
Filesize
274KB

MD5
63c717ce8ada6566c353fe34b0ecf30b

SHA1
d8d442fdcfa83c0b18fa8a51a0798d9ea791931c

SHA256
16b7242428482f09e57c428733f6cb91f7789a3083b81f8bec2eca9410aae8b5

SHA512
0b2a87e50705ab87cf5e6839fdb19d97b5922277c3e294441f7e82361d630cc5c073b36af65fcd9d41e9ba7dfc3725fba81f6adbdfc9394d0db072821cc5aede

Download Submit
C:\Windows\System\explorer.exe
Filesize
274KB

MD5
8836959724d810a8c00bd871c6f63e78

SHA1
01cb50e501722050a78f0168344bd4d981a83197

SHA256
447c3f889a61f297e41fd8590d4f959b285733d1c3d67d30a6f46e04ce11deba

SHA512
931f983e7a56f5e3bf5e232d987cfe3246ed97c8b8ef3d3068655ce24e7d6ab9046d47189d9630218df21827fd17b280ec98dbfd552ed9dfa3607a771f306d49

Download Submit
C:\Windows\System\spoolsv.exe
Filesize
274KB

MD5
04f0526d5f15d57319c5c98e2e9a07ce

SHA1
162173ecee9a5ef0f141f00ff00e9646a5ccaf9d

SHA256
55c21d7f7d35fd424b3dbe1def666abd66be8cd53f11f87b8ad4877d895341b2

SHA512
bd504d3bda57fa18abf697d88998ef6bbb55ef3b920ca8858c45910295e008c7a00e2a10796f3a4c5c12eec5613ffa27b1189d655f5da9e4d1ec942cde0358f5

Download Submit
C:\Windows\System\spoolsv.exe
Filesize
274KB

MD5
04f0526d5f15d57319c5c98e2e9a07ce

SHA1
162173ecee9a5ef0f141f00ff00e9646a5ccaf9d

SHA256
55c21d7f7d35fd424b3dbe1def666abd66be8cd53f11f87b8ad4877d895341b2

SHA512
bd504d3bda57fa18abf697d88998ef6bbb55ef3b920ca8858c45910295e008c7a00e2a10796f3a4c5c12eec5613ffa27b1189d655f5da9e4d1ec942cde0358f5

Download Submit
C:\Windows\System\svchost.exe
Filesize
274KB

MD5
c10f6c20be07d7630a6b1dc6b0dfab47

SHA1
1bda4b0bbf42e3b80ca60d327ca6a879e3b50009

SHA256
2df15d70dc2d77d5304efe10f6197056591efaacd746b3df12dd88dec26cdd15

SHA512
3317daecb587693ac75a10220737ae75cec470e59b4e079c621617a3edec3a920d6073f561e6a25c648f78cc6e7b3637db5194c6ec04f0a9d73b2709d153218b

Download Submit
\??\PIPE\atsvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\c:\users\admin\appdata\local\temp\halkbank_ekstre_20230129_075423_612150o.pdf..exe
Filesize
187KB

MD5
c742b622a88a10779fe1673d751dc622

SHA1
2e1de5d8dbe6ade1af87ce06c31172d8c0a9baa8

SHA256
480fb8507176e7ab166f14cdc41e7d2d887555a8327800e989a5b07ec4ac7a2b

SHA512
c639ad738805b21617169a34da91fbba7a2b3a296e87cde799c2bda0f169742e8842160dd2bb89da37cdecdd2b17713165e33383e9f92179f5df2624c9bb4e96

Download Submit
\??\c:\windows\system\explorer.exe
Filesize
274KB

MD5
8836959724d810a8c00bd871c6f63e78

SHA1
01cb50e501722050a78f0168344bd4d981a83197

SHA256
447c3f889a61f297e41fd8590d4f959b285733d1c3d67d30a6f46e04ce11deba

SHA512
931f983e7a56f5e3bf5e232d987cfe3246ed97c8b8ef3d3068655ce24e7d6ab9046d47189d9630218df21827fd17b280ec98dbfd552ed9dfa3607a771f306d49

Download Submit
\??\c:\windows\system\spoolsv.exe
Filesize
274KB

MD5
04f0526d5f15d57319c5c98e2e9a07ce

SHA1
162173ecee9a5ef0f141f00ff00e9646a5ccaf9d

SHA256
55c21d7f7d35fd424b3dbe1def666abd66be8cd53f11f87b8ad4877d895341b2

SHA512
bd504d3bda57fa18abf697d88998ef6bbb55ef3b920ca8858c45910295e008c7a00e2a10796f3a4c5c12eec5613ffa27b1189d655f5da9e4d1ec942cde0358f5

Download Submit
\??\c:\windows\system\svchost.exe
Filesize
274KB

MD5
c10f6c20be07d7630a6b1dc6b0dfab47

SHA1
1bda4b0bbf42e3b80ca60d327ca6a879e3b50009

SHA256
2df15d70dc2d77d5304efe10f6197056591efaacd746b3df12dd88dec26cdd15

SHA512
3317daecb587693ac75a10220737ae75cec470e59b4e079c621617a3edec3a920d6073f561e6a25c648f78cc6e7b3637db5194c6ec04f0a9d73b2709d153218b

Download Submit
memory/400-178-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/400-172-0x0000000000000000-mapping.dmp

Download
memory/540-161-0x0000000000000000-mapping.dmp

Download
memory/540-186-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/876-199-0x0000000000000000-mapping.dmp

Download
memory/1256-139-0x0000000000000000-mapping.dmp

Download
memory/1268-191-0x0000000000000000-mapping.dmp

Download
memory/1648-198-0x0000000000000000-mapping.dmp

Download
memory/1804-200-0x0000000000000000-mapping.dmp

Download
memory/3256-193-0x0000000000000000-mapping.dmp

Download
memory/3848-201-0x0000000000000000-mapping.dmp

Download
memory/4248-194-0x0000000000000000-mapping.dmp

Download
memory/4276-142-0x0000000000000000-mapping.dmp

Download
memory/4276-180-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4276-162-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4328-190-0x0000000006180000-0x000000000618A000-memory.dmp

Filesize
40KB

Download
memory/4328-184-0x00000000056D0000-0x0000000005C74000-memory.dmp

Filesize
5.6MB

Download
memory/4328-185-0x0000000005010000-0x00000000050AC000-memory.dmp

Filesize
624KB

Download
memory/4328-171-0x0000000000000000-mapping.dmp

Download
memory/4328-187-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4328-188-0x0000000006310000-0x00000000064D2000-memory.dmp

Filesize
1.8MB

Download
memory/4328-189-0x00000000061E0000-0x0000000006272000-memory.dmp

Filesize
584KB

Download
memory/4576-192-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4576-148-0x0000000000000000-mapping.dmp

Download
memory/4576-163-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4612-168-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4612-154-0x0000000000000000-mapping.dmp

Download
memory/4612-179-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4764-136-0x0000000000000000-mapping.dmp

Download
memory/4820-182-0x0000000000000000-mapping.dmp

Download
memory/4840-197-0x0000000000000000-mapping.dmp

Download
memory/4876-132-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4876-181-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4908-195-0x0000000000000000-mapping.dmp

Download