snakekeylogger | c99b050645ebbc138018a9dcb4c3029bc1a9aa9376e7541c1011e815942948e1

Resubmissions

01-02-2023 17:02

230201-vj6p3aah39 10

01-02-2023 17:00

230201-vjf5eacg4s 10

01-02-2023 16:57

230201-vgbrxacg2y 10

Analysis

max time kernel
151s
max time network
129s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
01-02-2023 17:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Halkbank_Ekstre_20230129_075423_612150o.pdf..exe
Size

461KB
MD5

51505dd088beb3a3406dab4bcfc0090b
SHA1

7efb628f6b348b0f19360241f3f0661419617bc7
SHA256

5f16e8c1fef7f5f311b814b10f7b9e9b1ec3c204075fb8bb48ac207e256ea208
SHA512

dc05dc73895114c6025c986d696a3a6044c26f2e6e2c5863c33a7806461033f99ae2dbae153cdf1c1d2b93ee9686bddf98d2b58759e13aef923dbf0635e3166c
SSDEEP

12288:GENN+T5xYrllrU7QY62YrTNbwcD/xtDmpfJuB3:K5xolYQY62YrZ0nfs5

Score

10^/10

snakekeylogger collection evasion keylogger persistence spyware stealer upx

Malware Config

Extracted

Family

snakekeylogger

https://api.telegram.org/bot5801425382:AAG5b4PUEaqNDv5uP9ejZGeIHeuzzOD4IHY/sendMessage?chat_id=5812329204

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

explorer.exesvchost.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	svchost.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Processes:

explorer.exesvchost.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe

Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
stealer keylogger snakekeylogger

Snake Keylogger payload 2 IoCs

Processes:

resource	yara_rule
behavioral11/memory/1508-123-0x0000000000440000-0x0000000000466000-memory.dmp	family_snakekeylogger
behavioral11/memory/1508-131-0x0000000000400000-0x000000000043A000-memory.dmp	family_snakekeylogger

Executes dropped EXE 8 IoCs

Processes:

halkbank_ekstre_20230129_075423_612150o.pdf..exe iauwp.exeicsys.icn.exeexplorer.exespoolsv.exeiauwp.exesvchost.exespoolsv.exe

pid	process
1108	halkbank_ekstre_20230129_075423_612150o.pdf..exe
520	iauwp.exe
568	icsys.icn.exe
1764	explorer.exe
1568	spoolsv.exe
1508	iauwp.exe
1652	svchost.exe
796	spoolsv.exe

Modifies Installed Components in the registry 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

svchost.exeexplorer.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}	svchost.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	svchost.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	svchost.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	svchost.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral11/memory/1508-131-0x0000000000400000-0x000000000043A000-memory.dmp	upx

Loads dropped DLL 14 IoCs

Processes:

Halkbank_Ekstre_20230129_075423_612150o.pdf..exehalkbank_ekstre_20230129_075423_612150o.pdf..exe icsys.icn.exeexplorer.exeiauwp.exespoolsv.exesvchost.exe

pid	process
1280	Halkbank_Ekstre_20230129_075423_612150o.pdf..exe
1108	halkbank_ekstre_20230129_075423_612150o.pdf..exe
1108	halkbank_ekstre_20230129_075423_612150o.pdf..exe
1280	Halkbank_Ekstre_20230129_075423_612150o.pdf..exe
1280	Halkbank_Ekstre_20230129_075423_612150o.pdf..exe
568	icsys.icn.exe
568	icsys.icn.exe
1764	explorer.exe
1764	explorer.exe
520	iauwp.exe
1568	spoolsv.exe
1568	spoolsv.exe
1652	svchost.exe
1652	svchost.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

iauwp.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	iauwp.exe
Key opened	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	iauwp.exe
Key opened	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	iauwp.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

explorer.exesvchost.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	svchost.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

3 checkip.dyndns.org
Suspicious use of SetThreadContext 1 IoCs

Processes:

iauwp.exe

description pid process target process

PID 520 set thread context of 1508 520 iauwp.exe iauwp.exe

flow	ioc
3	checkip.dyndns.org

description	pid	process	target process
PID 520 set thread context of 1508	520	iauwp.exe	iauwp.exe

Drops file in Windows directory 6 IoCs

Processes:

icsys.icn.exeexplorer.exespoolsv.exesvchost.exe

description	ioc	process
File opened for modification	\??\c:\windows\system\explorer.exe	icsys.icn.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\system\svchost.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\svchost.exe	svchost.exe
File opened for modification	C:\Windows\system\udsys.exe	explorer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

icsys.icn.exeexplorer.exeiauwp.exesvchost.exe

pid	process
568	icsys.icn.exe
1764	explorer.exe
1764	explorer.exe
1764	explorer.exe
1508	iauwp.exe
1764	explorer.exe
1652	svchost.exe
1652	svchost.exe
1652	svchost.exe
1764	explorer.exe
1764	explorer.exe
1652	svchost.exe
1652	svchost.exe
1764	explorer.exe
1764	explorer.exe
1652	svchost.exe
1652	svchost.exe
1764	explorer.exe
1764	explorer.exe
1652	svchost.exe
1652	svchost.exe
1764	explorer.exe
1764	explorer.exe
1652	svchost.exe
1652	svchost.exe
1764	explorer.exe
1652	svchost.exe
1764	explorer.exe
1764	explorer.exe
1652	svchost.exe
1764	explorer.exe
1652	svchost.exe
1652	svchost.exe
1764	explorer.exe
1764	explorer.exe
1652	svchost.exe
1764	explorer.exe
1652	svchost.exe
1764	explorer.exe
1652	svchost.exe
1764	explorer.exe
1652	svchost.exe
1764	explorer.exe
1652	svchost.exe
1764	explorer.exe
1652	svchost.exe
1764	explorer.exe
1652	svchost.exe
1764	explorer.exe
1652	svchost.exe
1764	explorer.exe
1652	svchost.exe
1652	svchost.exe
1764	explorer.exe
1764	explorer.exe
1652	svchost.exe
1764	explorer.exe
1652	svchost.exe
1764	explorer.exe
1652	svchost.exe
1764	explorer.exe
1652	svchost.exe
1764	explorer.exe
1652	svchost.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

explorer.exesvchost.exe

pid process

1764 explorer.exe
1652 svchost.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

iauwp.exe

pid process

520 iauwp.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

iauwp.exe

description pid process

Token: SeDebugPrivilege 1508 iauwp.exe

pid	process
1764	explorer.exe
1652	svchost.exe

pid	process
520	iauwp.exe

description	pid	process
Token: SeDebugPrivilege	1508	iauwp.exe

Suspicious use of SetWindowsHookEx 14 IoCs

Processes:

Halkbank_Ekstre_20230129_075423_612150o.pdf..exeicsys.icn.exeexplorer.exespoolsv.exesvchost.exespoolsv.exe

pid	process
1280	Halkbank_Ekstre_20230129_075423_612150o.pdf..exe
1280	Halkbank_Ekstre_20230129_075423_612150o.pdf..exe
568	icsys.icn.exe
568	icsys.icn.exe
1764	explorer.exe
1764	explorer.exe
1568	spoolsv.exe
1568	spoolsv.exe
1652	svchost.exe
1652	svchost.exe
796	spoolsv.exe
796	spoolsv.exe
1764	explorer.exe
1764	explorer.exe

Suspicious use of WriteProcessMemory 45 IoCs

Processes:

Halkbank_Ekstre_20230129_075423_612150o.pdf..exehalkbank_ekstre_20230129_075423_612150o.pdf..exe icsys.icn.exeexplorer.exeiauwp.exespoolsv.exesvchost.exe

description	pid	process	target process
PID 1280 wrote to memory of 1108	1280	Halkbank_Ekstre_20230129_075423_612150o.pdf..exe	halkbank_ekstre_20230129_075423_612150o.pdf..exe
PID 1280 wrote to memory of 1108	1280	Halkbank_Ekstre_20230129_075423_612150o.pdf..exe	halkbank_ekstre_20230129_075423_612150o.pdf..exe
PID 1280 wrote to memory of 1108	1280	Halkbank_Ekstre_20230129_075423_612150o.pdf..exe	halkbank_ekstre_20230129_075423_612150o.pdf..exe
PID 1280 wrote to memory of 1108	1280	Halkbank_Ekstre_20230129_075423_612150o.pdf..exe	halkbank_ekstre_20230129_075423_612150o.pdf..exe
PID 1108 wrote to memory of 520	1108	halkbank_ekstre_20230129_075423_612150o.pdf..exe	iauwp.exe
PID 1108 wrote to memory of 520	1108	halkbank_ekstre_20230129_075423_612150o.pdf..exe	iauwp.exe
PID 1108 wrote to memory of 520	1108	halkbank_ekstre_20230129_075423_612150o.pdf..exe	iauwp.exe
PID 1108 wrote to memory of 520	1108	halkbank_ekstre_20230129_075423_612150o.pdf..exe	iauwp.exe
PID 1280 wrote to memory of 568	1280	Halkbank_Ekstre_20230129_075423_612150o.pdf..exe	icsys.icn.exe
PID 1280 wrote to memory of 568	1280	Halkbank_Ekstre_20230129_075423_612150o.pdf..exe	icsys.icn.exe
PID 1280 wrote to memory of 568	1280	Halkbank_Ekstre_20230129_075423_612150o.pdf..exe	icsys.icn.exe
PID 1280 wrote to memory of 568	1280	Halkbank_Ekstre_20230129_075423_612150o.pdf..exe	icsys.icn.exe
PID 568 wrote to memory of 1764	568	icsys.icn.exe	explorer.exe
PID 568 wrote to memory of 1764	568	icsys.icn.exe	explorer.exe
PID 568 wrote to memory of 1764	568	icsys.icn.exe	explorer.exe
PID 568 wrote to memory of 1764	568	icsys.icn.exe	explorer.exe
PID 1764 wrote to memory of 1568	1764	explorer.exe	spoolsv.exe
PID 1764 wrote to memory of 1568	1764	explorer.exe	spoolsv.exe
PID 1764 wrote to memory of 1568	1764	explorer.exe	spoolsv.exe
PID 1764 wrote to memory of 1568	1764	explorer.exe	spoolsv.exe
PID 520 wrote to memory of 1508	520	iauwp.exe	iauwp.exe
PID 520 wrote to memory of 1508	520	iauwp.exe	iauwp.exe
PID 520 wrote to memory of 1508	520	iauwp.exe	iauwp.exe
PID 520 wrote to memory of 1508	520	iauwp.exe	iauwp.exe
PID 520 wrote to memory of 1508	520	iauwp.exe	iauwp.exe
PID 1568 wrote to memory of 1652	1568	spoolsv.exe	svchost.exe
PID 1568 wrote to memory of 1652	1568	spoolsv.exe	svchost.exe
PID 1568 wrote to memory of 1652	1568	spoolsv.exe	svchost.exe
PID 1568 wrote to memory of 1652	1568	spoolsv.exe	svchost.exe
PID 1652 wrote to memory of 796	1652	svchost.exe	spoolsv.exe
PID 1652 wrote to memory of 796	1652	svchost.exe	spoolsv.exe
PID 1652 wrote to memory of 796	1652	svchost.exe	spoolsv.exe
PID 1652 wrote to memory of 796	1652	svchost.exe	spoolsv.exe
PID 1652 wrote to memory of 1276	1652	svchost.exe	at.exe
PID 1652 wrote to memory of 1276	1652	svchost.exe	at.exe
PID 1652 wrote to memory of 1276	1652	svchost.exe	at.exe
PID 1652 wrote to memory of 1276	1652	svchost.exe	at.exe
PID 1652 wrote to memory of 1544	1652	svchost.exe	at.exe
PID 1652 wrote to memory of 1544	1652	svchost.exe	at.exe
PID 1652 wrote to memory of 1544	1652	svchost.exe	at.exe
PID 1652 wrote to memory of 1544	1652	svchost.exe	at.exe
PID 1652 wrote to memory of 1972	1652	svchost.exe	at.exe
PID 1652 wrote to memory of 1972	1652	svchost.exe	at.exe
PID 1652 wrote to memory of 1972	1652	svchost.exe	at.exe
PID 1652 wrote to memory of 1972	1652	svchost.exe	at.exe

outlook_office_path 1 IoCs

Processes:

iauwp.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	iauwp.exe

outlook_win_path 1 IoCs

Processes:

iauwp.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	iauwp.exe

C:\Users\Admin\AppData\Local\Temp\Halkbank_Ekstre_20230129_075423_612150o.pdf..exe
"C:\Users\Admin\AppData\Local\Temp\Halkbank_Ekstre_20230129_075423_612150o.pdf..exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1280

\??\c:\users\admin\appdata\local\temp\halkbank_ekstre_20230129_075423_612150o.pdf..exe
c:\users\admin\appdata\local\temp\halkbank_ekstre_20230129_075423_612150o.pdf..exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1108

C:\Users\Admin\AppData\Local\Temp\iauwp.exe
"C:\Users\Admin\AppData\Local\Temp\iauwp.exe" C:\Users\Admin\AppData\Local\Temp\iqvpwdmb.c
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:520

C:\Users\Admin\AppData\Local\Temp\iauwp.exe
"C:\Users\Admin\AppData\Local\Temp\iauwp.exe"
4⤵
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:1508

C:\Users\Admin\AppData\Local\icsys.icn.exe
C:\Users\Admin\AppData\Local\icsys.icn.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:568

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
3⤵
- Modifies WinLogon for persistence
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Modifies Installed Components in the registry
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1764

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1568

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
5⤵
- Modifies WinLogon for persistence
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Modifies Installed Components in the registry
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1652

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe PR
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:796

C:\Windows\SysWOW64\at.exe
at 18:04 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
6⤵
PID:1276

C:\Windows\SysWOW64\at.exe
at 18:05 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
6⤵
PID:1544

C:\Windows\SysWOW64\at.exe
at 18:06 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
6⤵
PID:1972

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

T1004

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Hidden Files and Directories

T1158

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\halkbank_ekstre_20230129_075423_612150o.pdf..exe
Filesize
187KB

MD5
c742b622a88a10779fe1673d751dc622

SHA1
2e1de5d8dbe6ade1af87ce06c31172d8c0a9baa8

SHA256
480fb8507176e7ab166f14cdc41e7d2d887555a8327800e989a5b07ec4ac7a2b

SHA512
c639ad738805b21617169a34da91fbba7a2b3a296e87cde799c2bda0f169742e8842160dd2bb89da37cdecdd2b17713165e33383e9f92179f5df2624c9bb4e96

Download Submit
C:\Users\Admin\AppData\Local\Temp\iauwp.exe
Filesize
80KB

MD5
82d9274bf661ed3fdb3d7e7d66efb9ba

SHA1
5f98a0699b92d2db63e4baa3c71920561bc49838

SHA256
306c0a2b8efa7c76f69246bed00e98b1d8c012446abdf48f650d9d7343562c34

SHA512
caf704dc43e4976a15a0bccb3ac6a7501d07c6d3855b6b3a1c9a69e1a6e3402548d61119229cdb34526a574cb44b988ac409155e1e308cf87112590aa10228f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\iauwp.exe
Filesize
80KB

MD5
82d9274bf661ed3fdb3d7e7d66efb9ba

SHA1
5f98a0699b92d2db63e4baa3c71920561bc49838

SHA256
306c0a2b8efa7c76f69246bed00e98b1d8c012446abdf48f650d9d7343562c34

SHA512
caf704dc43e4976a15a0bccb3ac6a7501d07c6d3855b6b3a1c9a69e1a6e3402548d61119229cdb34526a574cb44b988ac409155e1e308cf87112590aa10228f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\iauwp.exe
Filesize
80KB

MD5
82d9274bf661ed3fdb3d7e7d66efb9ba

SHA1
5f98a0699b92d2db63e4baa3c71920561bc49838

SHA256
306c0a2b8efa7c76f69246bed00e98b1d8c012446abdf48f650d9d7343562c34

SHA512
caf704dc43e4976a15a0bccb3ac6a7501d07c6d3855b6b3a1c9a69e1a6e3402548d61119229cdb34526a574cb44b988ac409155e1e308cf87112590aa10228f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\iqvpwdmb.c
Filesize
6KB

MD5
2dc8af96232838d201200a49b0efa632

SHA1
50bc216ff603fdfefbf0ab04ff7ffea362278eb7

SHA256
493f4e6b0acc7d4fe146d28857a37873ddaff27dba8b2491b4352db9a0eb9043

SHA512
972be1e52ce1f83f414cf3eee27887eb8ccc294f08ca628300236c0147735bdec3e75ed50c313eba20536e51e3485d303a0495ee8caae8dc548ecbc438ff818c

Download Submit
C:\Users\Admin\AppData\Local\Temp\robdkcso.dju
Filesize
104KB

MD5
c4a8e79b487d9f5076ba9235f17e7547

SHA1
1bf348776f2b90901abfaa9175a6effb4cd5954c

SHA256
b0fa484010127572ef9d688662423a027031012298d8da401597243fdcf54bd9

SHA512
d6543cae79e376e690225b3f0b1d3549c84d6c3eec2a8110186cc1e475640b0dd10b87421f8f40680f88210b4dd3d30a6b12c3398946c9245ab83e0848212d78

Download Submit
C:\Users\Admin\AppData\Local\icsys.icn.exe
Filesize
274KB

MD5
7bca1694aa035681f0ebd2b4f1ff1835

SHA1
c88a597f9beb5ce96708fa79ff1fd7d4a73b1582

SHA256
ee6f10c71ff99a3d2fea29a9992a8e30b8dd05acf7923d5072ecff6cad23d225

SHA512
aa934486b3b68041ffc09f87b65c548bda122966b58ae0f9d68bbbdbbb2d17c543e51a9545ad09eff30b65459e99446bb066d2ea556de27cc25206ea1b07d185

Download Submit
C:\Users\Admin\AppData\Roaming\mrsys.exe
Filesize
274KB

MD5
ded5e73780b89b7c4a420ce9b23a0ad5

SHA1
0140ae0390bbb0f267f8241835e731de689563c7

SHA256
003c9ed3b06babfac00e83e2cd75cb601884cc7b83f1663d52027af0c8e660b8

SHA512
0e63dc87e9bd0d3f61812cd0d9de4ae68bce9e6c0b501a231a0a3f872fa4fa81ee6a34661f967cb964327d45d3553924180dd96e7e2f1b235710dde901b90543

Download Submit
C:\Windows\system\explorer.exe
Filesize
274KB

MD5
e34f4a820a65916a22995b00aaadd861

SHA1
d9c228024982deea9820ebc3f84a1bfd83c384d5

SHA256
97836d9bdb20d85e9a6bdebf71dca846aa9ad9fd6927508b7922d0549c362d26

SHA512
a23a6b423fdeaa6ed6819f2e7cab242143f4af26372a867b8cdcb4ce48b0eaddec79fb0fa42e00a2946dc690582ce88e7d77d9bda33ab879389e71fc24d85cee

Download Submit
C:\Windows\system\spoolsv.exe
Filesize
274KB

MD5
9da1dd9c1e65cdbad9b80933c7ee4b0c

SHA1
84197207d1c11ae36576b149193da091b5d1630a

SHA256
d8c380a7ace3e54e81a9ace6fae1db6f20f8f54b86794956046f5b6e28320698

SHA512
0b2feb45f73f48946882d259f3e499a7988c8f5a3b19677803754376b1f48624fc705cad4a0a7ff1275d3f8ae7079400d03b5524fe75d4a84334ada86a891e1a

Download Submit
C:\Windows\system\spoolsv.exe
Filesize
274KB

MD5
9da1dd9c1e65cdbad9b80933c7ee4b0c

SHA1
84197207d1c11ae36576b149193da091b5d1630a

SHA256
d8c380a7ace3e54e81a9ace6fae1db6f20f8f54b86794956046f5b6e28320698

SHA512
0b2feb45f73f48946882d259f3e499a7988c8f5a3b19677803754376b1f48624fc705cad4a0a7ff1275d3f8ae7079400d03b5524fe75d4a84334ada86a891e1a

Download Submit
C:\Windows\system\svchost.exe
Filesize
274KB

MD5
a7f55a21c0c6a82fe67abf22a0e2e620

SHA1
3574286d5eef56265dcdb78bd6e49319d5801546

SHA256
46ce180f7ff11662e79b80fca00f1db241324b30acb58f5d4f1117749a48dcd8

SHA512
fd82cdbd7c13306a1de6ca5aceaccf4e5bb277b00893a74b48e8842ccaf5ef47e7d95b8430308860f322f90f4d0edcf9d075e401c5b910267cfad2f61a8ef3cc

Download Submit
\??\c:\users\admin\appdata\local\icsys.icn.exe
Filesize
274KB

MD5
7bca1694aa035681f0ebd2b4f1ff1835

SHA1
c88a597f9beb5ce96708fa79ff1fd7d4a73b1582

SHA256
ee6f10c71ff99a3d2fea29a9992a8e30b8dd05acf7923d5072ecff6cad23d225

SHA512
aa934486b3b68041ffc09f87b65c548bda122966b58ae0f9d68bbbdbbb2d17c543e51a9545ad09eff30b65459e99446bb066d2ea556de27cc25206ea1b07d185

Download Submit
\??\c:\users\admin\appdata\local\temp\halkbank_ekstre_20230129_075423_612150o.pdf..exe
Filesize
187KB

MD5
c742b622a88a10779fe1673d751dc622

SHA1
2e1de5d8dbe6ade1af87ce06c31172d8c0a9baa8

SHA256
480fb8507176e7ab166f14cdc41e7d2d887555a8327800e989a5b07ec4ac7a2b

SHA512
c639ad738805b21617169a34da91fbba7a2b3a296e87cde799c2bda0f169742e8842160dd2bb89da37cdecdd2b17713165e33383e9f92179f5df2624c9bb4e96

Download Submit
\??\c:\windows\system\explorer.exe
Filesize
274KB

MD5
e34f4a820a65916a22995b00aaadd861

SHA1
d9c228024982deea9820ebc3f84a1bfd83c384d5

SHA256
97836d9bdb20d85e9a6bdebf71dca846aa9ad9fd6927508b7922d0549c362d26

SHA512
a23a6b423fdeaa6ed6819f2e7cab242143f4af26372a867b8cdcb4ce48b0eaddec79fb0fa42e00a2946dc690582ce88e7d77d9bda33ab879389e71fc24d85cee

Download Submit
\??\c:\windows\system\spoolsv.exe
Filesize
274KB

MD5
9da1dd9c1e65cdbad9b80933c7ee4b0c

SHA1
84197207d1c11ae36576b149193da091b5d1630a

SHA256
d8c380a7ace3e54e81a9ace6fae1db6f20f8f54b86794956046f5b6e28320698

SHA512
0b2feb45f73f48946882d259f3e499a7988c8f5a3b19677803754376b1f48624fc705cad4a0a7ff1275d3f8ae7079400d03b5524fe75d4a84334ada86a891e1a

Download Submit
\??\c:\windows\system\svchost.exe
Filesize
274KB

MD5
a7f55a21c0c6a82fe67abf22a0e2e620

SHA1
3574286d5eef56265dcdb78bd6e49319d5801546

SHA256
46ce180f7ff11662e79b80fca00f1db241324b30acb58f5d4f1117749a48dcd8

SHA512
fd82cdbd7c13306a1de6ca5aceaccf4e5bb277b00893a74b48e8842ccaf5ef47e7d95b8430308860f322f90f4d0edcf9d075e401c5b910267cfad2f61a8ef3cc

Download Submit
\Users\Admin\AppData\Local\Temp\halkbank_ekstre_20230129_075423_612150o.pdf..exe
Filesize
187KB

MD5
c742b622a88a10779fe1673d751dc622

SHA1
2e1de5d8dbe6ade1af87ce06c31172d8c0a9baa8

SHA256
480fb8507176e7ab166f14cdc41e7d2d887555a8327800e989a5b07ec4ac7a2b

SHA512
c639ad738805b21617169a34da91fbba7a2b3a296e87cde799c2bda0f169742e8842160dd2bb89da37cdecdd2b17713165e33383e9f92179f5df2624c9bb4e96

Download Submit
\Users\Admin\AppData\Local\Temp\iauwp.exe
Filesize
80KB

MD5
82d9274bf661ed3fdb3d7e7d66efb9ba

SHA1
5f98a0699b92d2db63e4baa3c71920561bc49838

SHA256
306c0a2b8efa7c76f69246bed00e98b1d8c012446abdf48f650d9d7343562c34

SHA512
caf704dc43e4976a15a0bccb3ac6a7501d07c6d3855b6b3a1c9a69e1a6e3402548d61119229cdb34526a574cb44b988ac409155e1e308cf87112590aa10228f3

Download Submit
\Users\Admin\AppData\Local\Temp\iauwp.exe
Filesize
80KB

MD5
82d9274bf661ed3fdb3d7e7d66efb9ba

SHA1
5f98a0699b92d2db63e4baa3c71920561bc49838

SHA256
306c0a2b8efa7c76f69246bed00e98b1d8c012446abdf48f650d9d7343562c34

SHA512
caf704dc43e4976a15a0bccb3ac6a7501d07c6d3855b6b3a1c9a69e1a6e3402548d61119229cdb34526a574cb44b988ac409155e1e308cf87112590aa10228f3

Download Submit
\Users\Admin\AppData\Local\Temp\iauwp.exe
Filesize
80KB

MD5
82d9274bf661ed3fdb3d7e7d66efb9ba

SHA1
5f98a0699b92d2db63e4baa3c71920561bc49838

SHA256
306c0a2b8efa7c76f69246bed00e98b1d8c012446abdf48f650d9d7343562c34

SHA512
caf704dc43e4976a15a0bccb3ac6a7501d07c6d3855b6b3a1c9a69e1a6e3402548d61119229cdb34526a574cb44b988ac409155e1e308cf87112590aa10228f3

Download Submit
\Users\Admin\AppData\Local\icsys.icn.exe
Filesize
274KB

MD5
7bca1694aa035681f0ebd2b4f1ff1835

SHA1
c88a597f9beb5ce96708fa79ff1fd7d4a73b1582

SHA256
ee6f10c71ff99a3d2fea29a9992a8e30b8dd05acf7923d5072ecff6cad23d225

SHA512
aa934486b3b68041ffc09f87b65c548bda122966b58ae0f9d68bbbdbbb2d17c543e51a9545ad09eff30b65459e99446bb066d2ea556de27cc25206ea1b07d185

Download Submit
\Users\Admin\AppData\Local\icsys.icn.exe
Filesize
274KB

MD5
7bca1694aa035681f0ebd2b4f1ff1835

SHA1
c88a597f9beb5ce96708fa79ff1fd7d4a73b1582

SHA256
ee6f10c71ff99a3d2fea29a9992a8e30b8dd05acf7923d5072ecff6cad23d225

SHA512
aa934486b3b68041ffc09f87b65c548bda122966b58ae0f9d68bbbdbbb2d17c543e51a9545ad09eff30b65459e99446bb066d2ea556de27cc25206ea1b07d185

Download Submit
\Windows\system\explorer.exe
Filesize
274KB

MD5
e34f4a820a65916a22995b00aaadd861

SHA1
d9c228024982deea9820ebc3f84a1bfd83c384d5

SHA256
97836d9bdb20d85e9a6bdebf71dca846aa9ad9fd6927508b7922d0549c362d26

SHA512
a23a6b423fdeaa6ed6819f2e7cab242143f4af26372a867b8cdcb4ce48b0eaddec79fb0fa42e00a2946dc690582ce88e7d77d9bda33ab879389e71fc24d85cee

Download Submit
\Windows\system\explorer.exe
Filesize
274KB

MD5
e34f4a820a65916a22995b00aaadd861

SHA1
d9c228024982deea9820ebc3f84a1bfd83c384d5

SHA256
97836d9bdb20d85e9a6bdebf71dca846aa9ad9fd6927508b7922d0549c362d26

SHA512
a23a6b423fdeaa6ed6819f2e7cab242143f4af26372a867b8cdcb4ce48b0eaddec79fb0fa42e00a2946dc690582ce88e7d77d9bda33ab879389e71fc24d85cee

Download Submit
\Windows\system\spoolsv.exe
Filesize
274KB

MD5
9da1dd9c1e65cdbad9b80933c7ee4b0c

SHA1
84197207d1c11ae36576b149193da091b5d1630a

SHA256
d8c380a7ace3e54e81a9ace6fae1db6f20f8f54b86794956046f5b6e28320698

SHA512
0b2feb45f73f48946882d259f3e499a7988c8f5a3b19677803754376b1f48624fc705cad4a0a7ff1275d3f8ae7079400d03b5524fe75d4a84334ada86a891e1a

Download Submit
\Windows\system\spoolsv.exe
Filesize
274KB

MD5
9da1dd9c1e65cdbad9b80933c7ee4b0c

SHA1
84197207d1c11ae36576b149193da091b5d1630a

SHA256
d8c380a7ace3e54e81a9ace6fae1db6f20f8f54b86794956046f5b6e28320698

SHA512
0b2feb45f73f48946882d259f3e499a7988c8f5a3b19677803754376b1f48624fc705cad4a0a7ff1275d3f8ae7079400d03b5524fe75d4a84334ada86a891e1a

Download Submit
\Windows\system\spoolsv.exe
Filesize
274KB

MD5
9da1dd9c1e65cdbad9b80933c7ee4b0c

SHA1
84197207d1c11ae36576b149193da091b5d1630a

SHA256
d8c380a7ace3e54e81a9ace6fae1db6f20f8f54b86794956046f5b6e28320698

SHA512
0b2feb45f73f48946882d259f3e499a7988c8f5a3b19677803754376b1f48624fc705cad4a0a7ff1275d3f8ae7079400d03b5524fe75d4a84334ada86a891e1a

Download Submit
\Windows\system\spoolsv.exe
Filesize
274KB

MD5
9da1dd9c1e65cdbad9b80933c7ee4b0c

SHA1
84197207d1c11ae36576b149193da091b5d1630a

SHA256
d8c380a7ace3e54e81a9ace6fae1db6f20f8f54b86794956046f5b6e28320698

SHA512
0b2feb45f73f48946882d259f3e499a7988c8f5a3b19677803754376b1f48624fc705cad4a0a7ff1275d3f8ae7079400d03b5524fe75d4a84334ada86a891e1a

Download Submit
\Windows\system\svchost.exe
Filesize
274KB

MD5
a7f55a21c0c6a82fe67abf22a0e2e620

SHA1
3574286d5eef56265dcdb78bd6e49319d5801546

SHA256
46ce180f7ff11662e79b80fca00f1db241324b30acb58f5d4f1117749a48dcd8

SHA512
fd82cdbd7c13306a1de6ca5aceaccf4e5bb277b00893a74b48e8842ccaf5ef47e7d95b8430308860f322f90f4d0edcf9d075e401c5b910267cfad2f61a8ef3cc

Download Submit
\Windows\system\svchost.exe
Filesize
274KB

MD5
a7f55a21c0c6a82fe67abf22a0e2e620

SHA1
3574286d5eef56265dcdb78bd6e49319d5801546

SHA256
46ce180f7ff11662e79b80fca00f1db241324b30acb58f5d4f1117749a48dcd8

SHA512
fd82cdbd7c13306a1de6ca5aceaccf4e5bb277b00893a74b48e8842ccaf5ef47e7d95b8430308860f322f90f4d0edcf9d075e401c5b910267cfad2f61a8ef3cc

Download Submit
memory/520-66-0x0000000000000000-mapping.dmp

Download
memory/568-126-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/568-71-0x0000000000000000-mapping.dmp

Download
memory/568-92-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/796-124-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/796-118-0x0000000000000000-mapping.dmp

Download
memory/1108-60-0x0000000000000000-mapping.dmp

Download
memory/1276-127-0x0000000000000000-mapping.dmp

Download
memory/1280-57-0x0000000074FD1000-0x0000000074FD3000-memory.dmp

Filesize
8KB

Download
memory/1280-59-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1280-87-0x00000000007B0000-0x00000000007EE000-memory.dmp

Filesize
248KB

Download
memory/1280-125-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1280-89-0x00000000007B0000-0x00000000007EE000-memory.dmp

Filesize
248KB

Download
memory/1508-131-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1508-123-0x0000000000440000-0x0000000000466000-memory.dmp

Filesize
152KB

Download
memory/1508-102-0x0000000000438680-mapping.dmp

Download
memory/1544-133-0x0000000000000000-mapping.dmp

Download
memory/1568-91-0x0000000000000000-mapping.dmp

Download
memory/1652-109-0x0000000000000000-mapping.dmp

Download
memory/1652-132-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1764-96-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1764-80-0x0000000000000000-mapping.dmp

Download
memory/1764-130-0x00000000026E0000-0x000000000271E000-memory.dmp

Filesize
248KB

Download
memory/1764-137-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1764-138-0x00000000026E0000-0x000000000271E000-memory.dmp

Filesize
248KB

Download
memory/1972-135-0x0000000000000000-mapping.dmp

Download